AVOIDING PATCH DOOMSDAY Best Practices for Performing Patch Management



Similar documents
Lumension Endpoint Management and Security Suite

Streamlining Patch Testing and Deployment

How To Test For Security On A Network Without Being Hacked

Closing the Vulnerability Gap of Third- Party Patching

THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Vulnerability management lifecycle: defining vulnerability management

Patch Management Policy

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

Power, Patch, and Endpoint Managers Expand McAfee epo Platform Capabilities While Cutting Endpoint Costs

Patch Management. Module VMware Inc. All rights reserved

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

solution white paper Patch Management The set-it-and-forget-it strategy

Vulnerability Management

Managing non-microsoft updates

Best Practices for Vulnerability Management

Complete Patch Management

Simplify Your Windows Server Migration

Northwestern University Dell Kace Patch Management

IT HEALTHCHECK TOP TIPS WHITEPAPER

Vulnerability Audit: Why a Vulnerability Scan Isn t Enough. White Paper

Lumension Guide to Patch Management Best Practices

Altiris Server Management Suite 7.1 from Symantec

Complete Patch Management

Devising a Server Protection Strategy with Trend Micro

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

BEST PRACTICES. Systems Management.

Devising a Server Protection Strategy with Trend Micro

About Us. 2 Managed Services E: sales@ironcovesolutions.com T: W: Our Mission. What We Do

Continuous Network Monitoring

AHS Flaw Remediation Standard

Taking a Proactive Approach to Linux Server Patch Management Linux server patching

How To Manage A Patch Management Program

Patch and Vulnerability Management Program

EXTENSIVE FEATURE DESCRIPTION SECUNIA CORPORATE SOFTWARE INSPECTOR. Non-intrusive, authenticated scanning for OT & IT environments. secunia.

TECHNICAL WHITE PAPER. Accelerate UNIX-to-Linux Migration Programs with BMC Atrium Discovery and Dependency Mapping

Integrated Threat & Security Management.

Avoiding the Top 5 Vulnerability Management Mistakes

Complete Patch Management

Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks

How To Monitor Your Entire It Environment

Secunia Vulnerability Intelligence Manager

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

IT Asset Inventory and Outsourcing: The Value of Visibility

The problem with privileged users: What you don t know can hurt you

How to Make Microsoft Security Patch Testing More Efficient

Secunia Corporate Software Inspector (Secunia CSI) ver.5.0

Software Vulnerability Assessment

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

BIG SHIFT TO CLOUD-BASED SECURITY

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

1 Introduction Product Description Strengths and Challenges Copyright... 5

Leveraging a Maturity Model to Achieve Proactive Compliance

Management (CSM) Capability

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation

Cloud and Data Center Security

WHITE PAPER. Avoiding the Pitfalls when Transitioning into Managed Services. By Nick Cavalancia

Moderator: Benjamin McGee, CISSP Cyber Security Lead SAIC

BACKUP ESSENTIALS FOR PROTECTING YOUR DATA AND YOUR BUSINESS. Disasters happen. Don t wait until it s too late.

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION

eguide: Designing a Continuous Response Architecture 5 Steps For Windows Server 2003 End of Life Success

What Do You Mean My Cloud Data Isn t Secure?

SOLUTION WHITE PAPER. Align Change and Incident Management with Business Priorities

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

MONTHLY WEBSITE MAINTENANCE PACKAGES

THE TOP 4 CONTROLS.

Sample Vulnerability Management Policy

Align IT Operations with Business Priorities SOLUTION WHITE PAPER

FIREWALL CLEANUP WHITE PAPER

Simplifying the Challenges of Mobile Device Security

The Fundamental Failures of End-Point Security. Stefan Frei Research Analyst Director

Three Ways to Secure Virtual Applications

Technology Blueprint. Secure Your Virtual Desktop Infrastructure. Optimize your virtual desktop infrastructure for performance and protection

Scanless Vulnerability Assessment. A Next-Generation Approach to Vulnerability Management

BUSINESS IMPACT OF POOR WEB PERFORMANCE

ARE YOU RUNING LINUX RIGHT?

Data Center Discovery Best Practices

Transcription:

AVOIDING PATCH DOOMSDAY Best Practices for Performing Patch Management The Patch Management Imperative Nearly every business in the world today depends on IT to support day-to-day operations and deliver products and services to customers. Core busines processes within accounting, manufacturing, sales and other functions rely on the performance, availability and security of IT systems. Similarly, employee productivity depends on basic IT services such as email, Internet connectivity, and website access. It should be no surprise that IT problems of any kind whether system outages, slow downs or security breaches can have a negative impact on business success. At the same time, it can be shocking to learn that unpatched operating systems and application software are often responsible for the most IT problems. To be clear, patches that resolve these problems are available; they are simply not being applied. In April 2015, the United States Computer Emergency Readiness Team published an alert regarding unpatched software. It stated that cyber-threat actors continue to exploit unpatched software to conduct attacks against critical infrastructure organizations, and that as many as 85 percent of targeted attacks are preventable through patching. Many of the specific patches called out in the alert relate to not just the Windows operating systems but third-party applications and tools that run on the OS. cloudmanagementsuite.com // Page: 1

Unpatched applications and systems not only expose security risks, they also open the door to data loss and corruption, as well as performance and availability issues. Unfortunately, it is all too easy for software to become sufficiently out of date with patches that businesses face Patch Doomsday. When this crisis occurs, IT problem rates dramatically spike and remain high while IT struggles to return systems to compliance. To greatly reduce all of these issues and avoid Patch Doomsday, it is important for every organization to implement a strong patch management process. Patch Management Challenges Patch management is a comprehensive process that involves identifying, prioritizing, acquiring, installing, and verifying patches and updates. However, the implementation of a robust patch management process presents a number of its own challenges, particularly when performed manually. Identification and Prioritization IT professionals need reliable methods to identify and prioritize patches. Without this, it is easy to miss or delay the installation of important updates designed to prevent performance, availability or security problems. Time and Resources When a patch management process is implemented improperly, IT professionals lose precious time, preventing them from working on activities that add significant business value. cloudmanagementsuite.com // Page: 2

Speed and Scale The moment patches are published, hackers begin seeking ways to exploit any related vulnerabilities in unpatched systems. This makes it crucial to apply all high-priority security patches as quickly as possible. Scope Vendor-specific tools such as Microsoft Windows Update do not address the full breadth of software that must be patched. Applications, plugins and tools from other vendors must also be patched regularly. For example, relying only on Windows Update will not keep users safe from Adobe security vulnerabilities. Validation The right patches must be chosen carefully and tested for compatibility. If patch installations fail, systems may be left in an even less-desirable state than prior to patching. Five things are needed in order to overcome these challenges: Timely notification about the availability of new vendor patch releases Accurate and detailed information on the configuration of all your endpoints A mechanism for determining which patches are required for your environment Best practices for performing patch management A tool or set of tools for automating patch management cloudmanagementsuite.com // Page: 3

It is absolutely critical to have powerful, automated tools for patching all software used in your environment, not just the operating systems. It is also helpful to first consider best practices since those drive the requirements of patch management tools. Best Practices for Patch Management Patch management is an ongoing process. New patches must be applied on an ongoing basis in order to keep operating systems and applications up to date. Getting Started Keep in mind that you can t manage systems that you don t know exist. So, you will need a complete and up-to-date inventory of devices that are part of your environment or that can connect to your environment. Since endpoint devices are often added, removed or reimaged, the only reliable way to maintain an accurate inventory is by using automated device discovery. Along with device detection, it is also helpful to group devices based on relationships such as site location or business function. For each system in inventory, you will need a detailed patch assessment. For a Windows environment, existing patch levels must be determined for all relevant versions of Windows OS, plus relevant versions of Microsoft and third-party applications. This involves scanning and auditing each device to determine which patches are already installed. For speed and accuracy, patch levels should be determined using an automated tool. cloudmanagementsuite.com // Page: 4

To complete the patch assessment process, a patch management tool must also maintain an up-to-date feed of current patches from Microsoft and third-party software vendors. With this feed, a patch management tool can find the differences between existing patch levels and currently available patches from Microsoft and other software vendors. With this thorough understanding of current patch levels and available patches, a viable patch management tool can now help determine what additional patches should be installed on each system by considering the risk level associated with each missing patch. This way, missing patches can be ranked by importance. Over the past 10 years, the industry has been using an open standard for vulnerability assessment called the Common Vulnerability Scoring System (CVSS). It is an expertly assessed score based on the true nature of each patch or update. CVSS scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are considered high, while those in the range 4.0-6.9 are medium and those in the range 0-3.9 are low. cloudmanagementsuite.com // Page: 5

Understanding CVSS Scores The following table lists five updates and compares the vendor severity with the CVSS score. Notice that there are some discrepancies between the scores, as can be seen for MS15-010 and MS14-026_MSU. Each of these scores was given different ends of the severity spectrum. CVSS scores are considered more reliable. Update Name Vendor Severity CVSS Score Critical Critical High, 10.0 MS15-010 Critical Critical Low, 1.8 MS14-026_MSU High/Important Critical High, 10.0 MS15-014_MSU High/Important Critical Low, 3.3 MS14-033_MSU High/Important Critical Medium, 4.3 Table 1. Vendor Severity versus CVSS Score Creating a Baseline With an accurate report of missing updates ranked by the most important, the next step is to create a baseline. A baseline is a group of updates that you intend to deploy to each of your systems every month. The number of updates added to this baseline will vary from month to month and should include the most recent patches with the highest CVSS rankings. cloudmanagementsuite.com // Page: 6

Note in Table 2 that a new baseline is created each month and includes all the updates from previous months. This will allow any new systems you build, or any systems that are rebuilt, to automatically receive updates and catch up to the current baseline. This makes software compatibility testing easier because all systems will be at the same patch level January February March Update 1 Update 2 Critical January Critical Update 1 January February Update 3 Critical Update 2 Update 1 Update 4 Critical Update 3 Update 2 Update 5 -- Critical Update 4 Update 5 Update 3 Update 4 -- -- Update 5 Table 2. Monthly Baselines Note that Table 2 shows five new updates fore each baseline. When getting started with continual patch management process, it is best to begin with a small number of new patches and work upward over time. Some organizations can successfully deploy 20 new updates in each successive baseline. A good way to do this is by increasing the number of new patches by just two or three each month. cloudmanagementsuite.com // Page: 7

Testing Patches Before deploying any update, you should fully test it against appropriate systems. This means performing a set of tests on suitable systems that are representative of your IT environment. When choosing which machines to use for testing, administrators should remember these important rules: 1. Do not test on your own machine If the patch fails or crashes your system, it could seriously delay the overall patch process. It is also difficult to troubleshoot and resolve the problems with the patch while using a broken system. 2. Check if the update has an uninstaller If the update doesn t have an uninstaller, it may require a cumbersome, error-prone manual process to uninstall it. Any update that does not have an uninstaller should be initially deployed and tested by itself on a system that can be quickly rebuilt if needed. cloudmanagementsuite.com // Page: 8

Patches should be tested in stages across separate groups of systems. It helps to create logical groupings of devices so that patch deployment can be completed and verified for success on low-risk systems before moving on to the next logical group of systems. Here is an example: STAGE 1 STAGE 2 STAGE 3 Virtual Machine Friendly IT Colleagues Some Safe Systems In The Company Review install success Review installation impact to the end user Review installation impact to the end user & your network Performing each test with an open mind is crucial. If any issue occurs to your test systems, no matter how trivial it may seem, it should be investigated to resolution. Knowing that your updates are fully tested breeds confidence not only in yourself, but also in your colleagues. While testing can take up most of the day, it is a vital step in the patch management process and should not be rushed. cloudmanagementsuite.com // Page: 9

Deployment and Reporting With patch testing completed and all problems resolved, your patch management tool should make it very easy to deploy your latest patch baseline across all target systems without disrupting end users. When patches are deployed during the business day they can negatively impact end users. For example, if reboots are required there may be a significant loss of productivity. A good patch management tool should have the ability to deploy patches overnight. It should utilize technologies like Wake-On-LAN to deploy required patches even when endpoints are asleep. It should also handle reboots and return endpoints back to their shutdown or sleep mode. The final but critical step in your monthly patch process should be to report your success. It is important that management see the patch coverage for the entire environment. A leading patch management tool should allow you to easily create automated reports that quickly convey patch status. It should support bright colors, timeline views and a security risk assessment to accurately gauge your company s existing vulnerability exposure. It doesn t hurt to share statistics about the success rate of your patches. The work you ve put in to patch testing should be recognized. cloudmanagementsuite.com // Page: 10

CONCLUSION IT problems of any kind can have a large negative impact on business success. Since unpatched operating systems and applications are often responsible for the majority of IT problems, it is crucial to have a solid patch management process. Without one, your company is moving down a path toward Patch Doomsday. Patch management best practices are an important part of the solution. As outlined earlier, discovery and inventory management are important best practices that set the stage for patch scanning, assessment, ranking and baselines. Patch testing, using appropriate systems across several stages is also critical to ensure success. Reliable patch deployment and clear reporting round out the list of best practices. Unfortunately, it isn t always easy to establish a trustworthy patch process, even with an understanding of best practices. Manual patch processes are time consuming, resource intensive and error-prone. Also, some automated patch management tools fall short. Thus, it is always important to select a patch management solution that overcomes the key challenges in developing a patch management process. A viable patch management solution should help: Identify all devices that can access your network Determine existing patch levels Identify and prioritize new patches Reduce IT staff time spent on patching Accelerate deployment of patches Easily manage patching across multiple geographies Reduce patch deployment failures Reduce occurrence of problems due to unpatched systems Handle a complete Windows environment, including patches for third-party software With the right processes and tools, you can gain control of patches and avoid Patch Doomsday. cloudmanagementsuite.com // Page: 11

ABOUT US Verismic Software, Inc. is a global industry leader providing cloud-based IT management technology focused on enabling greater efficiency, cost-savings and security control for users, all while engaging in endpoint management. Headquartered in Aliso Viejo, Calif., Verismic is a growing and dynamic organization with offices in four countries and 12 partners in nine countries. Over the past two years, Verismic has worked with more than 150 companies ranging from 30 to 30,000 endpoints delivering a variety of solutions for organizations of all sizes as well as managed service providers (MSPs). Verismic s software portfolio includes the first-of-its-kind agentless, Cloud Management Suite (CMS); Power Manager; Software Packaging and Password Reset. For more information, visit www.verismic.com. CALL US: +1 (949) 270-1903 UK: +44 (0) 1256-806567 CONNECT www.cloudmanagementsuite.com info@cloudmanagementsuite.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information