Microsoft Patch Management
Eamon Breen, Partner Technical Specialist, Microsoft Ireland
Agenda
• Situation
• Commitments
• Progress
• Challenges ahead
Situation: Process, Guidance, Tools Critical
[Timeline diagram, stages in order: Product ship, Vulnerability discovered, Component modified, Patch released, Patch deployed at customer site. Annotation on the diagram: "Most attacks occur here".]
Why does this gap exist?
Exploit Timeline
• Days From Patch to Exploit
• The average is now nine days for a patch to be reverse-engineered
• As this cycle keeps getting shorter, patching is a less effective defense in large organizations
[Chart: Days between patch and exploit code]
• Nimda: 331
• SQL Slammer: 180
• Welchia/Nachi: 151
• Blaster: 25
Why does this gap exist?
Trustworthy Computing Initiative
Secure by Design
• Code reviews
• IIS re-architecture
• Threat models
• $200M investment
Secure by Default
• 60% less attack surface area by default compared to Windows NT 4.0 SP3
• Services off by default
• Services run at lower privilege
Secure in Deployment
• Configuration automation
• Identity management
• Monitoring infrastructure
• Prescriptive guidance
Communications
• Community investment
• Architecture webcasts
• Writing Secure Code 2.0
Improving Quality: TwC Scorecard
Critical or important vulnerabilities after launch:
• TwC release? No: 21 in 180 days, 36 in 270 days
• TwC release? Yes: 5 in 180 days, 6 in 270 days
For some widely-deployed, existing products:
• Service Pack 3 (shipped July 2002, 19 months ago): 6 bulletins in the 19-month period prior to TwC release, 1 bulletin since TwC release
• Service Pack 3 (shipped Jan. 2003, 13 months ago): 13 bulletins in the 13-month period prior to TwC release, 3 bulletins since TwC release
Microsoft Commitment
Build software and services that will help better protect our customers and the industry.
• People
• Guidance and training for our customers
• http://www.microsoft.com/ireland/security
• Process
• Better processes and tools
• Technology
• Technology innovation
• Trustworthy Computing quality improvements
Training & Guidance: IT Pros
Global training with more guidance and best practices for securing systems and infrastructure
• IT Pros: 500K customers to be trained by the end of 2004
• Monthly Webcasts and Seminars
• http://www.microsoft.com/seminar/events/security.mspx
• New guidance on Microsoft.com
• http://www.microsoft.com/guidance
• Security Guidance Kit CD
• New monthly newsletter
• http://www.microsoft.com/technet/security/secnews/newsletter.htm
• Proactive communications
• Using Virus Information Alliance collective data for better threat response
• KB articles outline application security enhancements
Training & Guidance: Consumers
Build awareness to help develop a “maintenance mindset” and encourage best practices and make protections easier to enable
• Consumers
• Protect Your PC education
• Syndicating content on retailer, OEM sites
• New bimonthly newsletter
• Ongoing outreach via consumer advocacy groups
• Blaster removal tool
Local Security Training Sessions for IT Professionals
• 30 Free Security Training Sessions & Webcasts
• Dublin, Galway, Cork, Limerick & Belfast
• 8 Security Modules:
• Essentials of Security
• Implementing Security Patch Management
• Implementing Server Security
• Implementing Client Security
• Implementing Network Security
• Implementing Application and Data Security
• Advanced Server and Client Security
• Applied Security Strategies
• Register at www.microsoft.com/ireland/security
Processes & Tools
Improve our processes & quality, and provide better infrastructure management tools
Patch Quality & Process
• Monthly patch releases since Oct, 2003, 2nd Tues of Month
• Operation guidance for SUS SP1, SMS 2.0, SMS 2003 released Nov, 2003
• Patch size reduced by 35% or more from 2002 vs. 2003
• Reduce patch size by 80% - Mid 2004
• Downtime reduced through 10% fewer reboots
Tools
• MBSA 1.2 released Jan 19, 2004
• Streamlined tool for identifying common security misconfigurations
• SMS 2003 launched in November 2003
• Comprehensive patch and software management/distribution solution
• SUS 2.0 technical beta Q1 04
• Expanded support for Office, SQL Server, Exchange, and hardware drivers
• Improved administrative and reporting capabilities
http://www.microsoft.com/technet/security/topics/patch
Technology
New security technologies for Windows XP to make systems more resilient against attack
• Windows XP SP2
• Easier, effective management of PC security that puts the customer in control
• Network protection, safer e-mail and Web browsing, memory protection
• Beta 1 released on December 19, 2003
• Availability: target RTM H1 CY04
Technology
Commitment: Update Windows Server 2003 and improve edge protection with technologies that enable a more secure infrastructure
• Windows Server 2003 SP1
• Role-based security configuration
• Network client and remote VPN inspection
• Network quarantine
• Availability: RTM H2 CY04
Summary: Get Secure – Stay Secure
• People
• Engage a Microsoft Certified Partner
• Get Technical Staff Trained
• Process
• Create an Incident Response Process
• Microsoft Operations Framework based on ITIL
• Security best practices from TechNet
• Technology
• Microsoft Baseline Security Analyzer
• Software Update Services
• Updated Anti Virus Software
• Updated Firewall
• Updated Anti Spam Solution
Resources
• Patch Management http://www.microsoft.com/technet/security/topics/patch
• Best Practices for Defense in Depth http://www.microsoft.com/security/guidance
• How Microsoft Secures Microsoft http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp
• MSDN Security Development Tools http://msdn.microsoft.com/security/downloads/tools/default.aspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
“many eyes make all bugs shallow”
Eric Raymond – Free Software Foundation
“only if you know what to look for”
Mike Howard – Author of Writing Secure Code
Source – Mitre cve.mitre.org and vendor security websites
Slight update to last slide
Source – Mitre cve.mitre.org and vendor security websites