Patch Management Strategy. Ken DeJarnette, Deloitte Principal; Mike Simpson, Deloitte Senior Manager

Upload: moses-bailey

Post on 24-Dec-2015


Page 1: Patch Management Strategy Ken DeJarnette, Deloitte Principal Mike Simpson, Deloitte Senior Manager

Patch Management Strategy

Ken DeJarnette, Deloitte Principal

Mike Simpson, Deloitte Senior Manager

Page 2: Challenges in the IT Environment

• Multi-platform environments
• Segmented networks
• Global distributed networks
• Custom applications
• Operations and management
• Localization problems
• Standardization
• Tools
• Audit and tracking
• Volume of patches

Page 3: Legal and Regulatory Factors

• Gramm-Leach-Bliley Act (GLB)
• HIPAA
• California - SB1386
• Sarbanes-Oxley Act
• Future trends for security & privacy

Page 4: Patch Management Challenge

How do you know if you have an effective patch management strategy?

• Are the correct servers patched?
• Is the patch correctly applied?
• Does it conflict with other patches?
• Will it impact other server components and reliability?

Page 5: Patch Management Overview

Diagram: the patch management process, drawn as a vulnerability lifecycle. The stages and the bullets shown beside each of them are:

Vulnerability Discovered

Microsoft Patches
• Correction
• Packaging

Patch Monitoring
• Subscribe
• Monitor

Patch Development
• Evaluate environment, risk, and needs
• Assign team responsibility
• Plan release
• Release development
• Acceptance testing
• Rollback planning
• Integrating with other processes

Deployment
• Rollout planning / preparation
• Deployment mechanism
• Release deployment

Patch Deployed

Auditing & Compliance

Process Improvement
• Review
• Document
• Optimize

ROI

Page 6: People, Process, Technology

Attributes of Effective Patch Management

Outcomes:
• Reduce risk
• Reduce operating costs
• Increase productivity
• Increase security
• Increase quality

Attributes:
• Well documented
• Clear guidance
• Repeatable
• Proactive
• Integrated

Enablers / Contributors:
• Security Awareness
• Compliance

Diagram: People, Process and Technology shown as the three interlocking elements.

Page 7: People in Patch Management

Diagram elements:

• Policies & Guidelines
• Evaluate & Test
• Change History & Asset Tracking
• Patch Management Processes
• Deployment

Activities: Set Standards, Provision Systems, Provision Apps, Patch Systems, Manage Change, Report & Plan

Roles: Architects, Server Admins, App Admins, Security Teams, Dev/Release/NOC, IT Managers

Sites: Seattle Datacenter, Tampa Datacenter

Page 8: Technology in Patch Management

Microsoft Tools:
• SMS
• SUS
• MBSA
• Windows Update

Microsoft Product Enhancements:
• VPN Network Quarantine

Microsoft Guidance:
• MOF
• Microsoft Guide to Security Patch Management

Page 9: Process in Patch Management

Patch management is a subset of:
• Change Management
• Release Management

Additional process considerations:
• Configuration Management
• Security Administration
• System Administration
• Network Administration
• Service Monitoring and Control
• Job Scheduling
• Problem Management

Page 10: Patch Management Strategies

Patch management strategies should include:

• Policies and Standards
• Risk management methodology
• Change and release management strategies
• Patch evaluation & prioritization strategy
• Exception management strategy
• Asset tracking
  - Know the current state of the environment
  - Software, configurations, and patch levels
  - Enable cost analysis
• Reporting strategy
• Testing and validation strategy (Monitoring / Auditing)
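The asset-tracking, exception-management and reporting items above, together with the Page 4 questions ("Are the correct servers patched?"), come down to comparing the known state of each asset against the patches required for it. The following is an added illustration, not code from the slides or from Deloitte: it runs a compliance report over a constructed inventory. The host names, patch identifiers, OS labels and exception records are all made up for the example; the exception record with an expiry date models the "exception management strategy" so that an approved deviation stops counting as compliant once it lapses.

```python
"""Patch compliance report over a constructed asset inventory (added example)."""
from datetime import date

# Constructed sample data. Patch ids are placeholders, not real bulletins.
INVENTORY = [
    {"hostname": "sea-web-01", "os": "win2003", "patches": {"PATCH-001", "PATCH-002"}},
    {"hostname": "sea-db-01", "os": "win2000", "patches": {"PATCH-001"}},
    {"hostname": "tpa-app-01", "os": "win2003", "patches": {"PATCH-001"}},
    {"hostname": "tpa-fs-01", "os": "linux", "patches": set()},
]

# Required patch -> set of OS labels it applies to (constructed).
REQUIRED = {
    "PATCH-001": {"win2000", "win2003"},
    "PATCH-002": {"win2003"},
    "PATCH-003": {"win2000"},
}

# Approved exceptions: a documented reason and a hard expiry (constructed).
EXCEPTIONS = [
    {"hostname": "sea-db-01", "patch": "PATCH-003", "expires": date(2003, 12, 31),
     "reason": "vendor application incompatible; compensating control in place"},
]


def missing_patches(host, required):
    """Return the required patches applicable to this host that are not installed."""
    return sorted(p for p, oses in required.items()
                  if host["os"] in oses and p not in host["patches"])


def active_exception(hostname, patch, exceptions, today):
    """Return the exception covering (hostname, patch) if one is still in force."""
    for exc in exceptions:
        if exc["hostname"] == hostname and exc["patch"] == patch and exc["expires"] >= today:
            return exc
    return None


def expired_exceptions(exceptions, today):
    """Exceptions past their expiry; these need renewal or remediation, not silence."""
    return [e for e in exceptions if e["expires"] < today]


def compliance_report(inventory, required, exceptions, today):
    """Classify every host as compliant, non-compliant, or compliant under exception."""
    report = {"compliant": [], "non_compliant": {}, "excepted": {}, "coverage": 0.0}
    for host in inventory:
        gaps, excepted = [], []
        for patch in missing_patches(host, required):
            if active_exception(host["hostname"], patch, exceptions, today):
                excepted.append(patch)
            else:
                gaps.append(patch)
        if gaps:
            report["non_compliant"][host["hostname"]] = gaps
        else:
            report["compliant"].append(host["hostname"])
        if excepted:
            report["excepted"][host["hostname"]] = excepted
    # Share of hosts with no open gap; excepted hosts count as compliant while the exception holds.
    report["coverage"] = round(len(report["compliant"]) / len(inventory), 2)
    return report


if __name__ == "__main__":
    today = date(2003, 6, 1)
    for section, value in compliance_report(INVENTORY, REQUIRED, EXCEPTIONS, today).items():
        print(f"{section}: {value}")
    for exc in expired_exceptions(EXCEPTIONS, date(2004, 1, 15)):
        print(f"expired exception: {exc['hostname']} / {exc['patch']} ({exc['reason']})")
```

Running the same report at two dates shows why exceptions need an expiry: the database host is compliant in mid-2003 under its documented exception, and becomes non-compliant the moment that exception lapses, which is the signal the reporting strategy should surface rather than hide.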

Page 11: Risk Management Process

Diagram: a cycle of Identify, Analyze, Plan, Track and Control, feeding a Risk Assessment Documentation list (Top n Risks) and a Retired Risks List.

Page 12: Example – Policies & Standards

Sample patch management standard – patch filtering and analysis process:

• An exploit must be ‘remote’ rather than ‘local’ (i.e. you do not need console access or an account on the server to exploit it).
• The patch must address an exploit that is ‘in the wild’ and not merely theoretical.
• A respected authority (e.g. the FBI/NIPC or Microsoft) has released a warning about the security problem and customers will likely be concerned about it.
• The patch must have a non-trivial impact on the overall security of the computer (e.g. a DoS patch might not be needed if a load balancer could mitigate the problem).
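The four criteria above are written as "must" conditions, so a patch passes the filter only when all of them hold. As an added example, not part of the slides or of any Deloitte or Microsoft tool, the code below encodes that standard as a triage function over constructed advisory records and reports, for each patch that is deferred, which criterion it failed. The advisory fields (vector, exploit_in_wild, authority_warning, impact, mitigated_by) and the table of compensating controls are assumptions chosen to mirror the wording of the slide; the patch identifiers are placeholders.

```python
"""Apply the Page 12 patch filtering standard to advisory records (added example)."""
from dataclasses import dataclass, field


@dataclass
class Advisory:
    patch_id: str
    vector: str                 # "remote" or "local" (assumed field)
    exploit_in_wild: bool       # exploit known in the wild, not merely theoretical
    authority_warning: bool     # warning issued by a respected authority (vendor, FBI/NIPC)
    impact: str                 # e.g. "code_execution", "privilege_escalation", "dos"
    mitigated_by: set = field(default_factory=set)  # compensating controls already deployed


# Impact classes that an existing control can neutralise, per the slide's
# load-balancer example for DoS. Constructed table; extend per environment.
MITIGATING_CONTROLS = {"dos": {"load_balancer"}}


def evaluate(adv):
    """Return ("deploy", []) when every criterion holds, else ("defer", reasons)."""
    reasons = []
    if adv.vector != "remote":
        reasons.append("exploit is local, not remote")
    if not adv.exploit_in_wild:
        reasons.append("exploit not known to be in the wild")
    if not adv.authority_warning:
        reasons.append("no warning from a respected authority")
    if MITIGATING_CONTROLS.get(adv.impact, set()) & adv.mitigated_by:
        reasons.append(f"{adv.impact} impact already mitigated by existing controls")
    return ("deploy" if not reasons else "defer", reasons)


def filter_advisories(advisories):
    """Map each patch id to its triage decision and the reasons behind it."""
    return {a.patch_id: evaluate(a) for a in advisories}


# Constructed sample advisories; none corresponds to a real bulletin.
SAMPLE_ADVISORIES = [
    Advisory("PATCH-A", "remote", True, True, "code_execution"),
    Advisory("PATCH-B", "remote", True, True, "dos", {"load_balancer"}),
    Advisory("PATCH-C", "local", True, True, "privilege_escalation"),
    Advisory("PATCH-D", "remote", False, False, "code_execution"),
]


if __name__ == "__main__":
    for patch_id, (decision, reasons) in filter_advisories(SAMPLE_ADVISORIES).items():
        detail = "; ".join(reasons) if reasons else "all criteria met"
        print(f"{patch_id}: {decision} ({detail})")
```

A deferred patch is not a discarded one: the reasons list is the record that the exception management and reporting items on Page 10 need, and a deferred advisory should be re-evaluated when any input changes (an exploit appears in the wild, or a compensating control is removed).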

Page 13: Prioritizing and Scheduling the Release

* Available in the Microsoft Guide to Security Patch Management

Page 14: How Mature is Your Process?

Diagram: maturity of operational processes plotted against time.

Maturity Scale: Startup, Repeatability, Maturity

Stages: Initiation, Awareness, Control, Integration, Optimization

Progress toward a minimum desired maturity level.

Over time IT operations should scale to ensure Availability, Reliability, & Trust.

Page 15: Strategy Summary

No matter the size or complexity of your organization, in order to:

• Reduce risk
• Reduce operating costs
• Increase productivity
• Increase security
• Increase quality

…you must begin with process.

Automation of processes becomes necessary with complexity.

Page 16

©2003 Deloitte & Touche USA LLP. All rights reserved. A member firm of Deloitte Touche Tohmatsu.