eguide: Designing a Continuous Response Architecture 5 Steps For Windows Server 2003 End of Life Success

Transcription

1 : Designing a Continuous Response Architecture 5 Steps For Windows Server 2003 End of Life Success

2 FAST FACTS Over 10 Million Windows Server 2003 Devices Still In Use Less Than 250 Days To Windows Server 2003 End-Of-Life 62% 62% Either Unable Or Unprepared To Upgrade EOL Devices. Introduction On July 14, 2015 Microsoft will end support for Windows Sever 2003 and Windows Server 2003 R2. Like Windows XP, Windows Server 2003 continues to be used and relied upon by organizations worldwide with as many 10 million Windows Server 2003 systems still in production. Once Windows Server 2003 has reached end-of-life, Microsoft will no longer deliver or develop security updates and critical patches. While many organizations are prepared and will be able to upgrade all impacted systems to Windows Server 2012 R2 by the deadline, as many as 62% of organizations will either be unable to or unprepared to upgrade all of these devices before this date, leaving as many as several million systems vulnerable to attack. Are you prepared? If you answered anything but a resounding YES, this eguide will provide you with 5 tips critical to a successful and affordable Windows Server 2003 EOL transition. The following five steps outline a path to meet these goals. 1. Don t Panic 2. Understand Your Risk 3. Develop an 2003 EOL Plan 4. Set a Realistic Timeline 5. Be Proactive Average EOL Migration Takes 200 Days 2

3 1 Don t Panic If you do not yet have a 2003 End of Life Plan, don t panic. First, you re not alone. Second, rushing directly into action without having first thoroughly assessed your risk and difficulty associated with migration is a recipe for disaster. Instead, take a deep breath and know that regardless or your end-of-life risk or application migration difficulty there are solutions, services, and options available to ensure your organization remains protected. This eguide will help you understand your risk and determine what solution or combination of solutions make the most sense for your organization. 3

4 2 To properly understand the potential impact Window Server 2003 EOL, you first need to understand your risk and exposure. Understand Your Risk To do this you need to understand: + + How many Windows Server 2003 devices do I have? + + How many contain or connect to critical, sensitive, or regulated data? + + How many are running Windows Server 2003 dependent software and can not be easily migrated? + + How many are aging devices and would need to be upgraded to run a different OS? + + How much time is needed to recompile and reconfigure any custom applications to run on Windows Server 2012? + + How much would it cost to purchase extended support on all of these devices? Is there budget? While every organization would like to be running the latest supported operating system releases and have a rapid and trusted patch management system in place to ensure continuous OS security, that simply is not possible for most organizations. Application specific requirements, aging hardware, budget constraints, limited human resources, and the rapid rate of patch releases makes this impossible for even the smallest of organizations. Whether you are running 10 servers or 10,000 servers, chances are you oversee a heterogeneous environment with multiple operating system releases, different hardware profiles, and a combination of legacy and modern software. With 10 million devices still running Windows Server 2003, chances are pretty good that more than a few of the machines in your environment are still running Windows Server Only after you have this information, can you begin to understand the risk, difficulty and cost associated with upgrading or extending the life of your Windows Server 2003 machines. Unpatched 2003 systems will lead to zero-day forever scenarios that is, there will be no patches for zero-day attacks so new vulnerabilities will never be remediated. Without updates and patches, you may be cited for noncompliance and/or failure to pass assessment and regulatory audits. Here is Microsoft s official position on this topic: Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization s inability to maintain its systems and customer information. This statement is absolutely true but with proper planning ahead of time there are compensating controls that can be put in place to ensure the security and continued compliance of these systems. With Microsoft custom support estimated to cost $200,000/year on average, IT managers would be wise to look into other compensating control options, such as application whitelisting, to ensure continued security and compliance of these systems. Understanding the scope of your migration and identifying which devices will not be able to be upgraded early and what compensating control options are available is key to help you develop an comprehensive and achievable plan to Windows Server 2003 EOL success. 4

5 3Develop a 2003 EOL Plan Having a firm understanding of your organizational risks and having identified which devices will be upgraded and which will require extended compensating controls, you are now in a position to develop a plan to Windows Server 2003 EOL success. As you begin to develop a plan for your Windows 2003 server migration, there are a couple tips you will want to keep in mind. DON T DO IT ALONE Ensuring a smooth EOL transition will require full buy-in and agreement from any and all impacted stakeholders. This means taking time to not only pull together the technical and project management resources required to execute the project, but also stakeholders from impacted business units and the budgeting finance team. DEDICATE TIME FOR PROJECT SCOPING The average migration project will take over 200 days to implement. The better you understand the project and potential pitfalls early on, the more likely you will be able to meet critical deadlines and avoid budget overruns. WORK WITHIN YOUR BUDGET No matter how good a plan you have developed, without the necessary budget and resources the project will never get off the ground. Ensuring you have a realistic and sufficient budget allocation must be a top priority. Properly scoping potential project risks, identifying compensating controls and hardware upgrades, and building buy-in for human resource requirements necessary will help you work within your budget and if needed, assemble executive support for additional funding. 5

6 4Set a Realistic Timeline With July 14, 2015 fast approaching, it can be tempting to set overly aggressive timelines built around the EOL date, rather than realistic capabilities of your organization. When not aligned with reality, aggressive timelines can lead to sloppy mistakes, budget overruns, and unnecessary frustration. If you team is not realistically capable of completing a migration project prior to July 14, 2015, don t try and meet this deadline. While Microsoft will end support for Windows Server 2003 on July 14, 2015, there are affordable compensating controls, such as Bit9 + Carbon Black, that you can leverages as a permanent or temporary measure to extend the life of these systems beyond July 14,

7 5Be Proactive While the goal of any Windows Server 2003 EOL plan should be to upgrade as many 2003 devices as possible, this will not be possible for all devices. Recognizing this fact early and building in budget and an implementation plan for proactively deploying compensating controls into your EOL plan is highly recommended. This will ensure sufficient time to deploy new controls and ensure 100% coverage for impacted systems, avoiding the need for a costly lastminute custom Microsoft support agreement. The Bit9 Security Platform is an example of an industry leading advanced security solution that your organization can deploy as a compensating security control in lieu of regular patching and updates that are no longer available from Microsoft. Bit9 extends the security posture and protects your Windows Server 2003 devices from breach and data compromise past the end-of-life date by ensuring only trusted software is allowed to run. With Bit9, your Windows Server 2003 systems will remain compliant because the solution provides: + + Complete visibility into everything that is happening on every in-scope server and endpoint so you can measure compliance and risk. + + Automated, real-time detection of zero-day and advanced threats. + + A change history and full audit trail of all server and endpoint activity including real-time compliance risk measurement and reporting of your in-scope systems, including those which are no longer supported. This reporting provides the actionable intelligence to monitor compliance, identify any unexpected activity or event, and proactively improve the security posture. + + Prevention to stop advanced threats and other forms of malware from executing, including targeted, customized attacks that are unique to your organization. + + Integration across the existing security infrastructure to understand enterprise-wide compliance risk and exposure. Trusted by more than 1,000 organizations, including 25 of the Fortune 100, to protect their corporate endpoints and servers, Bit9 is a proven solution that can be affordably implemented to ensure the continued security of your Windows Server 2003 devices beyond end of life. 7

8 : Designing a Continuous Response Architecture ABOUT BIT9 + CARBON BLACK The combination of Bit9 + Carbon Black offers the most complete answer to the newer, more advanced threats and targeted attacks intent on breaching an organization s endpoints. This comprehensive approach makes it easier for organizations to see and immediately stop advanced threats. Our solution combines Carbon Black s lightweight endpoint sensor, which can be rapidly deployed with no configuration to deliver incident response in seconds, and Bit9 s industry-leading prevention technologies. Benefits include: + Continuous, real-time visibility into what s happening on every computer + Real-time threat detection, without relying on signatures + Instant response by seeing the full kill chain of any attack + Protection that is proactive and customizable Bit9 + Carbon Black delivers a comprehensive solution for continuous endpoint threat security. This is why thousands of organizations worldwide from 25 Fortune 100 companies to small businesses use our proven solution. The result is increased security, reduced operational costs and improved compliance Bit9 is a registered trademark of Bit9, Inc. All other company or product names may be the trademarks of their respective owners Second Avenue Waltham, MA USA P F