Patch Management. Picking the Low-Hanging Fruit. Why fixing third-party application vulnerabilities is at

Transcription

1 Patch Management Picking the Low-Hanging Fruit Why fixing third-party application vulnerabilities is at the core of sound information security and how to make sure patch management is optimizing your security posture. May 2011 WP-EN

2 Overview Set it and forget it might work for rotisserie ovens, your DVR and maybe even data backups. But it s a bad strategy when it comes to patch management. Trouble is, too many security pros think they can switch on Windows Server Update Services (WSUS) and assume their patch management is taken care of. If only it were that easy. But the truth is that non- Microsoft apps make up an ever-growing portion of your application landscape. And every one of them can contain vulnerabilities that remain unpatched and therefore can be exploited in a cyber-attack. Consider: Why do hackers use old vulnerabilities to exploit systems? Simply put, because it works. What s needed is a more reasoned approach to patch management. One that understands the issues, recognizes the risks and applies a centralized, comprehensive patch-management solution as the core of a complete defense-in-depth strategy. Patching is the low-hanging fruit, Henry says. There is no better return on your network-security dollar than patching. 95 percent of organizations have socialnetworking apps installed. 66 percent of apps have known vulnerabilities. 78 percent of Web 2.0 apps support file transfer. 28 percent of apps propagate malware. 1 The problem isn t that patches aren t available though zero-day attacks are clearly a concern. The issue is that in many organizations, the applications haven t been identified, and the patches haven t been applied. And that leaves the door wide open to cyber-criminals. Unpatched vulnerabilities remain a prime exploit vector. If you look at the malware toolkits available, the vast majority rely on exploits that are more than a year old, says Paul Henry, security and forensics analyst for Lumension. The Apps Accumulate Our increasingly connected, mobile workforce relies on software to get the job done. And increasingly, that software comprises third-party, non- Microsoft apps. Apps that lack a unified patch mechanism. A few relevant facts: Of the top 50 most common apps, 26 are from Microsoft and 24 are from third-party vendors. Non-Microsoft apps have four times more vulnerabilities. There was a 71 percent increase in vulnerabilities in software typically found on endpoint PCs in In North America, Europe and Asia, the average PC contains at least three vulnerable apps at any given time Palo Alto Networks Application Survey 2009, Secunia Yearly Report,

3 Report: Patched Vulnerabilities Remain Prime Exploitation VULNERABILITY DISCLOSED PATCHED 1. Microsoft Internet Explorer RDS ActiveX Office Web Components Active Script Execution Microsoft Video Streaming (DirectShow) ActiveX Vulnerability Real Player [ERPCt] Remote Code Execution Adobe Acrobat and Adobe Reader Collect Info Adobe Reader GetIcon JavaScript Method Buffer Overflow Adobe Reader util.printf() JavaScript Func() Stack Overflow Microsoft Internet Explorer Deleted Object Event Handling Microsoft Access Snapshot Viewer ActiveX Control Adobe Reader media.newplayer Microsoft Internet Explorer (IE) iepeers.dll BaoFeng StormPlayer Buffer Overflow JVM Buffer Overflow Vulnerabilities Microsoft IE STYLE Object Invalid Pointer Reference Java WebStart Arbitrary Command Line Injection Source: M86 Security Labs The top 15 most-observed vulnerabilities involve software for which patches have long been available. The problem isn t that patches aren t available for these apps. It s that the patches aren t applied. For example, Secunia reports an average 4,364 common vulnerabilities and exposures (CVE) per year. For about half these advisories, a patch becomes available on the day of disclosure. For the remaining half, a patch becomes available within 30 days. But on average, large organizations take at least twice as long to patch client-side application vulnerabilities as they do to patch operating system vulnerabilities. 3 As a result, 90 percent of attacks are exploiting vulnerabilities we already knew about, by missing patches, deciding not to patch. Ninety-nine percent are exploited configurations and unpatched machines that the simplest vulnerability scan would have found, says Gartner security expert John Pescatore. 4 Apps are often the gateway to organizational databases, which house personally identifiable information and intellectual property. Cyber-criminals know that if they can get to the app, they can get to data that has value. And security measures typically focus on the periphery and the network, leaving apps and databases at risk. 3. SANS Institute Report, September Gartner Security and Risk Management Summit, June

4 Security advisories corroborate this view. Web applications now reign supreme in both the number of breaches and the amount of data compromised through this vector, says the Verizon 2010 Data Breach Investigations Report. In January 2011, 60 percent of known vulnerabilities were converted by cyber-criminals into attacks, according to Dark Reading. Surgical Strikes While third-party apps proliferate, attackers are getting better at exploiting them. Some more worrisome statistics: 98 percent of organizations experienced at least one malware or virus intrusion in percent experienced at least 50 malware attempts per month. 43 percent said they had seen a major increase in malware attacks 5 Security professionals are increasingly aware of these realities. What concerns them most about reducing the endpoint risk are preventing applications from being installed or executing on their endpoints, discovering what applications are residing on the network and ensuring that vulnerable applications are patched, according to a survey of security pros by Ponemon Institute, an independent research organization. On average, 15 new vulnerabilities are discovered every day, and that s a very conservative number, Henry points out. Software vulnerabilities are a fact of life, and they re growing daily. Understanding these risks is crucial in defining your ability to address them effectively. As the number of vulnerabilities increases, we re seeing the bad guys increasingly being able to take them and convert them into reliable exploits, Henry notes. Security pros agree. The three most challenging issues they face are zero-day attacks, SQL injections and the exploitation of software vulnerabilities more than three months old, according to the Ponemon survey. As a result of these threats, more than onethird of respondents said their networks are not more secure today than they were a year ago. They also said the risks are shifting. Today, they re not primarily concerned about their data centers, operating systems or network infrastructures. Instead, they re most worried about mobile employees working from remote locations, downloading unfamiliar third-party apps, and increasing the threat of destructive, hard-to-detect malware attacks. It s no surprise, then, that 61 percent predict the top security risk over the next 12 months will be the mushrooming volume of malware incidents. 5. Ponemon Institute, State of Endpoint Risk, December

5 What s troubling, though, is that the vast majority of organizations are using a broad range of security tools. For example, 98 percent have AV in place. Sixty percent have endpoint firewalls. And 57 percent use intrusion detection. Yet they re still falling victim to attacks in large part because they haven t patched their vulnerable applications. Defense-in-Depth In the face of increasing vulnerabilities and more sophisticated and persistent threats, smart organizations are moving toward a holistic, defense-in-depth approach to security. Defense-in-depth leverages layers of configuration management, application control, device control and AV. But at the very core lies patch management your first line of defense. Patch management isn t about simply switching on WSUS. WSUS is a fine tool for patching Windows, and Microsoft is very good about communicating vulnerabilities in its operating system. WSUS is useless in patching third-party and Web apps though. And those apps need to become a sharper focus of security efforts. Aberdeen Group recommends a four-step approach to patch management: Assess First, identify all assets, including platforms, operating systems, applications and network services. Then, monitor external sources for vulnerabilities, threats and remediation information. Finally, scan all assets on a regular basis for vulnerabilities, patches and configurations. Prioritize Maintain an inventory of assets and a database of remediation information. Prioritize the order of remediation in terms of risk, compliance, audit and business value. Remediate Start by modeling, staging and testing remediation before deployment. Next, deploy either manual or automated remediation. Last, train administrators and users on vulnerability-management best practices. Repeat Scan to verify the success of your last remediation. Report on it for audit and compliance. And continue to assess, prioritize and remediate on an ongoing basis. Achieving such effective patch management calls for a centralized, comprehensive solution. Yet many organizations have relied on a fragmented approach. They ve deployed tools that don t centralize or consolidate the management of heterogeneous environments. As a result, they lack visibility into their security posture. They miss devices and blind spots, and they suffer from inconsistent reporting. They also wind up with high management overhead and costs. Instead, patch and configuration analysis and delivery must extend across all platforms, operating systems and applications. Application and operating-system patching have to be benchmarked and consistently enforced. Standard configurations should be assessed and enforced. And network 4

6 endpoints have to be managed, because unmanaged endpoints are unknown and unprotected. The old approaches clearly haven t worked, Henry explains. We have disparate products, and we have processes that are expensive and require high management overhead. Without centralized management and reporting across your platforms, systems and applications, you can t achieve costeffective security.» Top Perks of Patching An effective patch-management solution delivers business benefits across a broad range of areas: Security Patch management is at the core of a complete defense-in-depth approach to security. Patching known vulnerabilities is the most cost-effective, straightforward way to improve your security posture. Visibility Discovery and agent deployment for both physical and virtual environments means you always know what s connected to your network. Reporting delivers critical feedback regarding performance, endpoint events, return on investment and security overall. Performance By eliminating blind spots in network maintenance and ensuring that offline machines receive crucial updates and patches during maintenance windows, you can improve system performance. Productivity A centralized solution reduces setup and maintenance of users and user groups. It also eases administration through workflow-based navigation and an intuitive management console. And it ensures a more efficient, consistent and secure process for applying agent policies. Risk Security breaches can expose your organization to civil lawsuits and monetary damages. It can also involve penalties related to service-level agreements and disrupted partner relationships. Effective patch management can go a long way toward mitigation such risks. Cost Effective patch management reduces the time and effort IT staff need for installations, upgrades, uninstalls and patches across your environment. An extensible platform with a single infrastructure ultimately reduces your total cost of ownership. Most important, it reduces time and» resources spent on remediating security breaches. 5

7 Solid Solution What s needed, then, is a centralized, comprehensive approach to application patching. To that end, Lumension Endpoint Management and Security Suite: Patch and Remediation provides automated vulnerability assessment and patch management. The software enables you to automatically detect risks, deploy patches and protect your business information across a complex, highly distributed physical and virtual environment. These activities are seamlessly integrated into a single management console for complete visibility into your network. Lumension Patch and Remediation enables patching of Microsoft, third-party and custom apps, as well as patching based on CVEs. It also offers a full range of additional features, including granular patch control, flexible management control, discovery of new and unauthorized clients, up-to-date data assessments, network visibility, software uninstall and built-in reporting. The solution even delivers a lower total cost of ownership than WSUS, according to Tolly Enterprises, an independent test lab. Tolly found that Lumension can provide at least 60 percent savings compared with WSUS over one year and over five years. On average, it can save an enterprise with 500 workstations nearly Traditional Endpoint Security Emerging Endpoint Security Stack Blacklisting As The Core Defense-N- Depth AntiVirus Device Control Zero Day Consumerization of IT Application Control Patch & Configuration Mgmt. Application Control 3rd Party Application Risk Malware As a Service Device Control An effective defense-in-depth approach places patch and configuration management at the center and then surrounds it with layers of application control, device control and AV software. 6

8 $75,000 over one year and nearly $400,000 over five years. That cost advantage comes from the solution s diverse application support, powerful operations tools, software removal and extensive reporting capabilities, Tolly reports. Lumension Patch and Remediation is a key enabler of a comprehensive defense-in-depth strategy in which patch and configuration management are at the core, surrounded by effective layers of application control, device control and antivirus measures. Ultimately, effective patch management promises to strengthen your security posture, boost your system performance, improve IT and user productivity, and reduce your IT risk all in a cost-efficient manner. Patch management is not the Holy Grail. But it is an absolute core component of defense-in-depth for securing any environment, Henry concludes. The best way to mitigate the risk of a vulnerability is to patch it. End of story. 7

9 About Lumension Security, Inc. Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Compliance and Risk Management offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Florida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia, and Singapore. Lumension: IT Secured. Success Optimized. More information can be found at Lumension, Lumension Patch and Remediation, Lumension Vulnerability Management Solution, IT Secured. Success Optimized., and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners. Global Headquarters 8660 East Hartford Drive, Suite 300 Scottsdale, AZ USA phone: fax: Vulnerability Management Endpoint Protection Data Protection Compliance and IT Risk Management 8