Patch Management Strategy
Ken DeJarnette, Deloitte Principal
Mike Simpson, Deloitte Senior Manager

Challenges in the IT Environment
• Multi-platform environments
• Segmented networks
• Global distributed networks
• Custom applications
• Operations and management
• Localization problems
• Standardization
• Tools
• Audit and tracking
• Volume of patches

Legal and Regulatory Factors
• Gramm-Leach-Bliley Act (GLB)
• HIPAA
• California - SB1386
• Sarbanes Oxley Act
• Future trends for security & privacy

Patch Management Challenge
How do you know if you have an effective patch management strategy?
• Are the correct servers patched?
• Is the patch correctly applied?
• Does it conflict with other patches?
• Will it impact other server components and reliability?

Patch Management Overview
[Diagram labels: Vulnerability lifecycle; Vulnerability Discovered; Patch Development; Patch Deployed; Patch Management Process; Patch Monitoring; Deployment; Auditing & Compliance; Process Improvement; ROI; Microsoft Patches]
• Correction
• Packaging
• Evaluate environment, risk, and needs
• Assign Teams responsibility
• Plan release
• Release development
• Acceptance testing
• Rollback planning
• Integrating with other processes
• Subscribe
• Monitor
• Rollout planning / preparation
• Deployment mechanism
• Release deployment
• Review
• Document
• Optimize

People, Process, Technology
Effective Attributes of Effective Patch Management
Reduce operating costs; Increase productivity; Increase security; Increase quality
Well documented; Clear guidance; Repeatable; Proactive; Integrated; Reduce risk
Security Awareness; Enablers / Contributors; Compliance
[Diagram labels: People; Technology; Process]

People in Patch Management
Policies & Guidelines
Evaluate & Test
Change History & Asset Tracking
Patch Management Processes
Set Standards; Provision Apps; Patch Systems; Manage Change; Report & Plan; Provision Systems
Architects; Server Admins; App Admins; Security Teams; Dev, Release, NOC; IT Managers
Seattle Datacenter Tampa Datacenter
Deployment

Technology in Patch Management
Microsoft Tools
• SMS
• SUS
• MBSA
• Windows Update
Microsoft Product Enhancements
• VPN Network Quarantine
Microsoft Guidance
• MOF
• Microsoft Guide to Security Patch Management

Process in Patch Management
Patch management is a subset of:
• Change Management
• Release Management
Additional process considerations:
• Configuration Management
• Security Administration
• System Administration
• Network Administration
• Service Monitoring and Control
• Job Scheduling
• Problem Management

Patch Management Strategies
Patch management strategies should include:
• Policies and Standards
• Risk management methodology
• Change and release management strategies
• Patch evaluation & prioritization strategy
• Exception management strategy
• Asset tracking
• Know the current state of the environment
• Software, configurations, and patch levels
• Enable cost analysis
• Reporting strategy
• Testing and validation strategy (Monitoring / Auditing)

Risk Management Process
[Diagram labels: Identify; Analyze; Plan; Track; Control; Retired Risks List; Risk Assessment Documentation (Top n Risks)]

Example – Policies & Standards
Sample patch management standard – patch filtering and analysis process
• An exploit must be ‘remote’ rather than ‘local’ (i.e. you do not need console access or an account on the server to exploit it).
• The patch must address an exploit that is ‘in the wild’ and not merely theoretical.
• A respected authority (e.g. the FBI/NPIC or Microsoft) has released a warning about the security problem and customers will likely be concerned about it.
• The patch must have a non-trivial impact on the overall security of the computer. (e.g. a DoS patch might not be needed if a load balancer could mitigate the problem)

Prioritizing and Scheduling the Release
* Available in the Microsoft Guide to Security Patch Management

How Mature is Your Process?
[Chart labels: Maturity of operational processes; Time; Maturity Scale: Startup, Repeatability, Maturity; Progress: Initiation, Awareness, Control, Integration, Optimization; Minimum desired maturity level]
Over time IT operations should scale to ensure Availability, Reliability, & Trust

Strategy Summary
No matter the size or complexity of your organization, in order to:
• Reduce Risk
• Reduce operating costs
• Increase productivity
• Increase security
• Increase quality
…You must begin with process
Automation of processes becomes necessary with complexity

©2003 Deloitte & Touche USA LLP. All rights reserved. A member firm of Deloitte Touche Tohmatsu