Скачать презентацию SP i RE security Expert s guide for effective Скачать презентацию SP i RE security Expert s guide for effective

66c3625ab2929aae1ec3c1322ac1ff9a.ppt

  • Количество слайдов: 28

SP i RE security Expert’s guide for effective patch management Pete Lindstrom, CISSP Research SP i RE security Expert’s guide for effective patch management Pete Lindstrom, CISSP Research Director Spire Security, LLC www. spiresecurity. com petelind@spiresecurity. com © 2003 Spire Security. All rights reserved.

Agenda ª Vulnerability Lifecycle ª When to Patch Decision ª Patch Management Process ª Agenda ª Vulnerability Lifecycle ª When to Patch Decision ª Patch Management Process ª Example + ROI ª Key Criteria for Automated Patch Management © 2004 Spire Security. All rights reserved. 2

Vulnerability Lifecycle 1. Vulnerability Created (latent) 2. Vulnerability Discovered 3. Vulnerability Disclosed 4. Patch Vulnerability Lifecycle 1. Vulnerability Created (latent) 2. Vulnerability Discovered 3. Vulnerability Disclosed 4. Patch Released 5. Exploit & Intrusions 6. Patches Applied © 2004 Spire Security. All rights reserved. 3

Vulnerability Lifecycle safe zone bigger is better Can I mitigate? exploit zone patch zone Vulnerability Lifecycle safe zone bigger is better Can I mitigate? exploit zone patch zone FOCUS HERE smaller is better Time vulnerability created vulnerability disclosed patches applied vulnerability discovered less © 2004 Spire Security. All rights reserved. patch released “responsible” disclosure more 4

Decision: When to Patch ª Too soon may lead to failures caused by the Decision: When to Patch ª Too soon may lead to failures caused by the cure. ª Too late may lead to compromised systems. ª The answer: Compare the costs of patching/not patching and patch when it is cheaper. ª “Timing the Application of Security Patches for Optimal Uptime” – Beattie et. al. http: //nxnw. org/~steve/papers/lisa 2002 -time-to-patch. pdf © 2004 Spire Security. All rights reserved. 5

Decision Options Am I at risk? eliminate mitigate remediate Can I turn it off? Decision Options Am I at risk? eliminate mitigate remediate Can I turn it off? Can I block it? Can I patch it? © 2004 Spire Security. All rights reserved. 6

Timing Virus/Worm Exploit Date Vuln Date Days My. Doom 1/26/04 none n/a Blaster 8/11/03 Timing Virus/Worm Exploit Date Vuln Date Days My. Doom 1/26/04 none n/a Blaster 8/11/03 7/16/03 26 days Sobig 8/18/03 none n/a Web. DAV 3/10/03 3/17/03* -7 days Slammer 1/25/03 7/24/02 170 days Slapper 9/13/02 7/30/02 45 days Nimda 9/18/01 3/29/01 & 5/16/01 125 days Code Red 7/16/01 6/18/01 28 days © 2004 Spire Security. All rights reserved. 7

Cost Elements ª Cost to apply patches ª Cost to recover from failed patches Cost Elements ª Cost to apply patches ª Cost to recover from failed patches ª Cost to recover from incidents and breaches © 2004 Spire Security. All rights reserved. 8

Cost to Patch ª IT time to identify, assess, test, apply, validate patches. ª Cost to Patch ª IT time to identify, assess, test, apply, validate patches. ª End user lost productivity. ª Risk-adjusted cost of patch failure. ª Patch + r(Recover) © 2004 Spire Security. All rights reserved. 9

Cost to Not Patch ª Lost productivity for the end user ª Lost productivity Cost to Not Patch ª Lost productivity for the end user ª Lost productivity for IT support personnel ª Loss of revenue (direct) ª Legal/regulatory costs ª Intellectual property losses ª Loss of stored assets (financial) …all risk adjusted © 2004 Spire Security. All rights reserved. 10

Adjusting for Risk ª Look at past history: o What % of systems hit Adjusting for Risk ª Look at past history: o What % of systems hit in past? o What % of patches fail on what % of systems? ª Guesstimate using reasonable numbers. ª Use industry averages… oh, none exist. © 2004 Spire Security. All rights reserved. 11

An Example ª 2, 000 Systems ª $70/hr IT support ª 1 hour to An Example ª 2, 000 Systems ª $70/hr IT support ª 1 hour to patch / 2 hours to recover ª 10% likelihood of patch failure ª 20% likelihood of compromise (pre-exploit) © 2004 Spire Security. All rights reserved. 12

A Simple Example ª Pre-exploit, manual patching ª Cost to Patch: o 2, 000 A Simple Example ª Pre-exploit, manual patching ª Cost to Patch: o 2, 000 x 70 = $140, 000 o Fail: 10% x 2, 000 x 70 = $14, 000 o Total cost: $154, 000 ª Cost not to Patch: o 2, 000 x 140 x 20% = $56, 000 ª Decision: Don’t Patch © 2004 Spire Security. All rights reserved. 13

A Simple Example (2) ª Post-exploit, manual patching o Increases risk of compromise to A Simple Example (2) ª Post-exploit, manual patching o Increases risk of compromise to 80% ª Cost to Patch: o 2, 000 x 70 = $140, 000 o Fail: 10% x 2, 000 x 70 = $14, 000 o Total cost: $154, 000 ª Cost not to Patch: o 2, 000 x 140 x 80% = $224, 000 ª Decision: Patch © 2004 Spire Security. All rights reserved. 14

A Simple Example (3) ª Pre-exploit, automated patching ª Assume 1 patch per month A Simple Example (3) ª Pre-exploit, automated patching ª Assume 1 patch per month ª Cost to Patch: o o Software Costs = $48, 000 1/12 of $48 k = $4, 000 Fail: 10% x 2, 000 x 70 = $14, 000 Total cost: $18, 000 ª Cost not to Patch: o 2, 000 x 140 x 20% = $56, 000 ª Decision: Patch © 2004 Spire Security. All rights reserved. 15

A Simple Example - ROI ª Compare two patch scenarios: ª Manual process: $154, A Simple Example - ROI ª Compare two patch scenarios: ª Manual process: $154, 000 ª Automated process: $18, 000 ª ROI: $136, 000 © 2004 Spire Security. All rights reserved. 16

Patch Management Process ª Identify – new patches. ª Assess – applicability to environment. Patch Management Process ª Identify – new patches. ª Assess – applicability to environment. ª Test – patches for need and interoperability. ª Apply – patches to all appropriate systems. ª Review – patch progress and history. © 2004 Spire Security. All rights reserved. 17

Key Features – Automated Patch Mgt ª Platform Coverage ª Research Depth ª Workflow Key Features – Automated Patch Mgt ª Platform Coverage ª Research Depth ª Workflow ª Controlled Rollout ª Validation ª Rollback © 2004 Spire Security. All rights reserved. 18

Platform Coverage / Research ª Operating Systems ª Packaged Applications ª Custom Applications ª Platform Coverage / Research ª Operating Systems ª Packaged Applications ª Custom Applications ª Vendor Information Pass-thru ª Independent Analysis ª Independent Testing © 2004 Spire Security. All rights reserved. 19

Workflow ª Task Assignments ª Scheduling ª Approval System ª Connect to CRM © Workflow ª Task Assignments ª Scheduling ª Approval System ª Connect to CRM © 2004 Spire Security. All rights reserved. 20

Controlled Rollout ª Group by system type or function ª Queuing of patches ª Controlled Rollout ª Group by system type or function ª Queuing of patches ª Bandwidth throttling ª Store and forward © 2004 Spire Security. All rights reserved. 21

Validation/Rollback ª Progress report ª Verify patch application ª Rollback for patch failures ª Validation/Rollback ª Progress report ª Verify patch application ª Rollback for patch failures ª Final report and review © 2004 Spire Security. All rights reserved. 22

Architecture ª Communications ª Agent/Agentless ª Push/Pull ª Hierarchies/Peers o Servers o administration © Architecture ª Communications ª Agent/Agentless ª Push/Pull ª Hierarchies/Peers o Servers o administration © 2004 Spire Security. All rights reserved. 23

Deployment Options ª Scripts ª Remote control solutions (Auto Update or internal) ª Asset/Inventory Deployment Options ª Scripts ª Remote control solutions (Auto Update or internal) ª Asset/Inventory solutions ª Patch Management solutions © 2004 Spire Security. All rights reserved. 24

Patch Management Solutions ª Shavlik ª Ecora ª Patchlink ª Bigfix ª Altiris ª Patch Management Solutions ª Shavlik ª Ecora ª Patchlink ª Bigfix ª Altiris ª GFILanguard http: //www. ntbugtraq. com/patchresults. asp © 2004 Spire Security. All rights reserved. 25

Microsoft Options ª Windows Update ª Microsoft Baseline Security Advisor (MBSA) ª Software Update Microsoft Options ª Windows Update ª Microsoft Baseline Security Advisor (MBSA) ª Software Update Services (SUS) ª Systems Management Server (SMS) ª Office Update ª Microsoft Update/SUS 2. 0 © 2004 Spire Security. All rights reserved. 26

SP i RE security Agree? Disagree? Pete Lindstrom petelind@spiresecurity. com www. spiresecurity. com © SP i RE security Agree? Disagree? Pete Lindstrom petelind@spiresecurity. com www. spiresecurity. com © 2003 Spire Security. All rights reserved.

For more information Thank you for joining us today. For more info on patch For more information Thank you for joining us today. For more info on patch management, including an archive of this webcast and Pete’s presentation without audio, visit our Featured Topic: searchsecurity. com/featuredtopic/patchmanagement © 2004 Spire Security. All rights reserved. 28