Accelerate Patching Progress in the Enterprise. Wolfgang Kandek CTO Qualys, Inc.

Transcription

1 Accelerate Patching Progress in the Enterprise Wolfgang Kandek CTO Qualys, Inc.

2 Introduction Patch Management Patch Progress Data Common Steps Case Studies Actions Summary References Q&A 2

3 Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits include 5-15 vulnerabilities (Mostly Apps, some OS) Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack, Blackhole 3

4 Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits include 5-15 vulnerabilities (Mostly Apps, some OS) Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack, Blackhole 4

5 Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits feature between 5-15 vulnerabilities Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack 5

6 Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits feature between 5-15 vulnerabilities Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack 6

7 Patch Management Average desktop machine requires monthly patches to be current and robust Sample numbers of security patches in 2009: Adobe: 19 bulletins Apple: 34 security updates Microsoft: 74 bulletins RedHat: 124 advisories Numbers are growing: Microsoft already has had 84 advisories in 2010 ZDI reported increasing number of collisions on vulnerability submissions (see Top 20 Cyber Security Risks Report) 7

8 Patch Progress - Laws of Vulnerabilities Worldwide coverage M IPs scanned, 680M vulnerabilities 72M+ vulnerabilities of critical severity External (Internet) and Internal (Intranet) 200 external scanners and internal scanners Data is anonymous and non traceable Simple counters are kept during scanning Summarized and logged daily Trends by Industry Area and Application Type 5 major industries Operating System and Applications 8

9 Laws of Vulnerabilities 2.0 Half-Life 140 Overall Critical Vulnerabilities 72M data points Half-Life = 29.5 days

10 Laws 2.0 Half-Life P e r c e n t Microsoft OS vulnerabilities P e r c e n t Adobe Acrobat APSA09-1 & APSA Days Days P e r c e n t MS Powerpoint - 5/12/ Days 10

11 1 1 Patch Progress Data Patch Progress uneven Industries Applications Source: Project Quant - Securosis

12 1 2 Patch Management Common Steps Intelligence Monitoring NVD, Secunia, Symantec, US CERT, Verisign Vendors: Adobe, Apple, Microsoft, Oracle, RedHat Testing Internal Lab First and Second Adopters Group Deployment Automation Agent based: BigFix, Lumension, Microsoft WSUS (Eminent, Secunia for non Microsoft) Remote: Shavlik Verification

13 1 3 Case Study 1 Media company - 10,000+ IPs under Management Windows and Macintosh Workstations 10 days for critical OS and Application patches Backend Infrastructure 30 days (database, applications) Quality Assurance Phase 1 volunteers < 1 % - day 2 Phase 2 10 % day 3 and 4 Phase % starts day 5

14 1 4 Case Study 2 High-tech company IPs under Management Windows Workstations - thin clients and laptops 4 days for critical OS and Application patches Backend Infrastructure - Windows 10 days (database, applications) Quality Assurance One Phase internal testing

15 1 5 Case Study 3 Technology - 300,000+ IPs under Management Windows Workstations 8 days for critical OS and Office patches Backend Infrastructure 30 days (database, applications) Quality Assurance Phase 1 1 % - day 1 Phase 2 10 % day 2 and 3 Phase % starts day 4

16 1 6 Common Characteristics Accurate Inventory challenging Traditional defenses taxed Firewall, IPS increasingly mobile systems AV Anti Malware signature quantity and freshness Attacker competence rising Professionally driven, profit oriented Division of labor with specialization Exploit availability now measured in days, 0-day has become a common term Targeted Attacks Multiple OS and Application platforms

17 1 7 Common Characteristics Divide and Conquer Vertical Partitioning Workstations = streamlined testing, fast patching Servers = longer test cycles, normal patching Slow patching on request -> additional security techniques Stringent Firewalling Bastion Hosts IPS systems

18 1 8 Common Characteristics Horizontal Partitioning Internet Explorer = streamlined testing, fast patching Adobe Reader = streamlined testing, fast patching Office Applications = streamlined testing, fast patching Servers = longer test cycles, normal patching Slow patching on request -> additional security techniques Stringent Firewalling Bastion Hosts IPS systems Patch prioritization tools - Superseded patches, IPS integration

19 1 9 Actions Local: Get an Accurate Inventory with Network Mapping Tools Use an Automated Patch System Minimize installed software, alternate versions Investigate autonomous patching Verify successful application of patches Develop a strategy for mobile systems Global: Contact Microsoft, request Distribution of 3 rd party patches start with Adobe, then Oracle (Java) and Apple

20 2 0 Up and Coming Virtualization Additional vulnerabilities, Dormant VM patching VDI, application streaming Autonomous Applications Firefox autonomous patching Chrome with silent patching Adobe Reader, automatic patching Smartphones, Tablets Enduser owned systems

21 2 1 Summary Diversity and Mobility of IT devices increasing Vulnerability/Exploit cycle accelerating Standard defenses stressed Patching, a fundamental protection Fast patching a challenge to many companies Accurate Inventory, an automated Patch system and a trustworthy verification system are key to a successful patching program

22 2 2 References Exploits kits and speedup Project Quant Patch Management Community Qualys Laws of Vulnerabilities Secunia Security Exposure of Software Portfolios Top 20 Cyber Security Risks

23 2 3 Q&A Thank You [email protected]

24 Thank you! Wolfgang Kandek CTO Qualys, Inc.