Accelerate Patching. the Enterprise. Wolfgang Kandek Qualys, Inc. Session ID: STAR-301 Session Classification: Intermediate

Transcription

1 Accelerate Patching Progress Title of in Presentation the Enterprise the Enterprise Wolfgang Kandek Qualys, Inc. Session ID: STAR-301 Session Classification: Intermediate Insert presenter logo here on slide master

2 Introduction Patch Management Patch Progress Data Common Steps Case Studies Actions Summary References Q&A 2

3 Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits include 5-15 vulnerabilities (Mostly Apps, some OS) Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack, Blackhole 3

4 Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits include 5-15 vulnerabilities (Mostly Apps, some OS) Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack, Blackhole 4

5 Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits feature between 5-15 vulnerabilities Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack 5

6 Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits feature between 5-15 vulnerabilities Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack 6

7 Patch Management Average desktop machine requires monthly patches to be current and robust Sample numbers of security patches in 2009: Adobe: 19 bulletins Apple: 34 security updates Microsoft: 74 bulletins RedHat: 124 advisories Numbers are growing: Microsoft already has had 84 advisories in 2010 ZDI reported increasing number of collisions on vulnerability submissions (see Top 20 Cyber Security Risks Report) 7

8 Patch Management Average desktop machine requires monthly patches to be current and robust Sample numbers of security patches in 2009: Adobe: 19 bulletins Apple: 34 security updates Microsoft: 74 bulletins RedHat: 124 advisories Numbers are growing: Microsoft already has had 84 advisories in 2010 ZDI reported increasing number of collisions on vulnerability submissions (see Top 20 Cyber Security Risks Report) 8

9 Patch Progress - Laws of Vulnerabilities Worldwide coverage M IPs scanned, 680M vulnerabilities 72M+ vulnerabilities of critical severity External (Internet) and Internal (Intranet) 200 external scanners and internal scanners Data is anonymous and non traceable Simple counters are kept during scanning Summarized and logged daily Trends by Industry Area and Application Type 5 major industries Operating System and Applications 9

10 Laws of Vulnerabilities 2.0 Half-Life 140 Overall Critical Vulnerabilities 72M data points Half-Life = 29.5 days

11 Laws 2.0 Half-Life by Industry Finance Sector Service Sector Half-Life: 23 days Half-Life: 21 days Wholesale/Retail Sector Half-Life: 24 days Manufacturing Sector Half-Life: 51 days 11

12 Laws 2.0 Half-Life P e r c e n t P P e e r c r c e n e n t t P e r c e n t 2009 mixed half-life Adobe Acrobat APSA09-1 & APSA09-02 MS Microsoft - Powerpoint OS vulnerabilities - 5/12/ Days Days Days Days 12

13 Laws 2.0 Half-Life P e r c e n t Microsoft OS vulnerabilities P e r c e n t Adobe Acrobat APSA09-1 & APSA Days Days P e r c e n t MS Powerpoint - 5/12/ Days 13

14 Patch Progress Data Patch Progress uneven Industries Applications Source: Project Quant - Securosis 14

15 Patch Management Common Steps Intelligence Monitoring NVD, Secunia, Symantec, US CERT, Verisign Vendors: Adobe, Apple, Microsoft, Oracle, RedHat Testing Internal Lab First and Second Adopters Group Deployment Automation Agent based: BigFix, Lumension, Microsoft WSUS (Eminent, Secunia for non Microsoft) Remote: Shavlik Verification 15

16 Case Study 1 Media company - 10,000+ IPs under Management Windows and Macintosh Workstations 10 days for critical OS and Application patches Backend Infrastructure 30 days (database, applications) Quality Assurance Phase 1 volunteers < 1 % - day 2 Phase 2 10 % day 3 and 4 Phase % starts day 5 16

17 Case Study 2 High-tech company IPs under Management Windows Workstations - thin clients and laptops 4 days for critical OS and Application patches Backend Infrastructure - Windows 10 days (database, applications) Quality Assurance One Phase internal testing 17

18 Case Study 3 Finance company - 50,000+ IPs under Management Windows Workstations 5 days for critical OS and Office patches Backend Infrastructure 30 days (database, applications) Quality Assurance Phase 1 1 % - day 1 Phase 2 10 % day 2 and 3 Phase % starts day 4 18

19 Case Study 4 Technology - 300,000+ IPs under Management Windows Workstations 8 days for critical OS and Office patches Backend Infrastructure 30 days (database, applications) Quality Assurance Phase 1 1 % - day 1 Phase 2 10 % day 2 and 3 Phase % starts day 4 19

20 Common Characteristics Accurate Inventory challenging Traditional defenses taxed Firewall, IPS increasingly mobile systems AV Anti Malware signature quantity and freshness Attacker competence rising Professionally driven, profit oriented Division of labor with specialization Exploit availability now measured in days, 0-day has become a common term Targeted Attacks Multiple OS and Application platforms 20

21 Common Characteristics Divide and Conquer Vertical Partitioning Workstations = streamlined testing, fast patching Servers = longer test cycles, normal patching Slow patching on request -> additional security techniques Stringent Firewalling Bastion Hosts IPS systems 21

22 Common Characteristics Horizontal Partitioning Internet Explorer = streamlined testing, fast patching Adobe Reader = streamlined testing, fast patching Office Applications = streamlined testing, fast patching Servers = longer test cycles, normal patching Slow patching on request -> additional security techniques Stringent Firewalling Bastion Hosts IPS systems Patch prioritization tools - Superceded patches, IPS integration 22

23 Sample Patch Prioritization Patch Priority: 1. Apply Microsoft Windows XP Service Pack 3 which will fix MS06-025, MS05-039, MS07-056, MS07-034, MS07-011, MS and 35 other vulnerabilities. 2. Apply MS Fix for: Microsoft Active Template Library (ATL) Remote which will fix MS07-056, MS06-076, MS06-016, MS06-005, MS06-024, MS06-043, MS Apply MS Fix for: Microsoft DirectShow Remote Code Execution Vulnerability which will fix MS08-033, MS09-011, MS Apply MS Fix for: Microsoft Internet Explorer Cumulative Security Update which will fix MS09-019, MS Apply Microsoft Office 2003 Service Pack 3 which will fix MS07-042, MS

24 Sample Patch Prioritization Tools IDS/IPS Patch Priority: 1. Apply Microsoft Windows XP Service Pack 3 which will fix MS06-025, MS05-039, MS07-056, MS07-034, MS07-011, MS and 35 other vulnerabilities. 2. Apply MS Fix for: Microsoft Active Template Library (ATL) Remote which will fix MS07-056, MS06-076, MS06-016, MS06-005, MS06-024, MS06-043, MS Apply MS Fix for: Microsoft DirectShow Remote Code Execution Vulnerability which will fix MS08-033, MS09-011, MS Apply MS Fix for: Microsoft Internet Explorer Cumulative Security Update which will fix MS09-019, MS Apply Microsoft Office 2003 Service Pack 3 which will fix MS07-042, MS

25 Actions Local: Get an Accurate Inventory with Network Mapping Tools Use an Automated Patch System Minimize installed software, alternate versions Investigate autonomous patching Verify successful application of patches Develop a strategy for mobile systems Global: Contact Microsoft, request Distribution of 3 rd party patches start with Adobe, then Oracle (Java) and Apple 25

26 Up and Coming Virtualization Additional vulnerabilities, Dormant VM patching VDI, application streaming Autonomous Applications Firefox autonomous patching Chrome with silent patching Adobe Reader, automatic patching Smartphones Enduser owned systems 26

27 Summary Diversity and Mobility of IT devices increasing Vulnerability/Exploit cycle accelerating Standard defenses stressed Patching, a fundamental protection Fast patching a challenge to many companies Accurate Inventory, an automated Patch system and a trustworthy verification system are key to a successful patching program 27

28 References Exploits kits and speedup Project Quant Patch Management Community Qualys Laws of Vulnerabilities Secunia Security Exposure of Software Portfolios e.pdf Top 20 Cyber Security Risks 28

29 Q&A Thank You