A Best Practice Approach to Third Party Patching
Mike Grueber, Senior Product Manager

Effective patch management is essential
"90% of successful attacks occurred against previously known vulnerabilities where a patch or secure configuration standard was already available."
Terrence Cosgrove, Gartner Symposium/IT Expo, Managing the Next Generation Desktop
SYMANTEC VISION 2012

Agenda
1. Importance of third party applications
2. The 4A model: A best practice approach
3. Tips and tricks
4. Additional resources

Top 15 Most Vulnerable Applications

| Application | Total | High | Medium | Low | Score |
|---|---|---|---|---|---|
| Apple Safari | 81 | 2 | 71 | 8 | 413 |
| Mozilla Firefox | 44 | 3 | 30 | 11 | 236 |
| Google Chrome | 61 | 1 | 30 | 30 | 205 |
| Microsoft Internet Explorer | 34 | 1 | 30 | 3 | 178 |
| Adobe Flash Player | 34 | 0 | 34 | 0 | 170 |
| Adobe Reader | 34 | 0 | 34 | 0 | 170 |
| Java Runtime Environment | 28 | 5 | 5 | 18 | 168 |
| Adobe Acrobat | 32 | 0 | 32 | 0 | 160 |
| Adobe Air | 28 | 0 | 28 | 0 | 140 |
| Mozilla SeaMonkey | 26 | 1 | 20 | 5 | 130 |
| Microsoft Office | 22 | 0 | 22 | 0 | 110 |
| Mozilla Thunderbird | 18 | 1 | 14 | 3 | 98 |
| Adobe Shockwave Player | 18 | 0 | 18 | 0 | 90 |
| Oracle Database Server | 9 | 3 | 0 | 0 | 81 |
| Microsoft Visio | 3 | 3 | 0 | 0 | 75 |

Based on data feeds from National Vulnerability Database

Internet Browsers and Plug-Ins
"IT organizations must strive for continuous improvement in vulnerability detection and rapid security patch management, especially in often overlooked non-Microsoft components that are web-facing. All internet-based applications especially browsers and browser plug-ins (i.e., Adobe and Apple QuickTime), should be a top patching priority."
Gartner Research Note, Top 10 Steps to Avoid Malware Infections

Internet Security Report Year in Review
- 30% increase in overall number of vulnerabilities (6,253)
- 161% increase in new vendors affected by vulnerabilities
- Chrome and Safari vulnerabilities on the rise
- 346 vulnerabilities affecting browser plug-ins

Third Party Coverage
Altiris Patch Management Solution 7.1 SP1+
- 7-Zip
- Adobe Acrobat, Adobe AIR, Adobe Flash, Adobe InDesign, Adobe Reader, Adobe Shockwave Player
- AOL Instant Messenger
- Apple iTunes, Apple QuickTime, Apple Safari
- Citrix Delivery Controller SDK, Citrix MetaFrame XP for Microsoft Windows, Citrix Password Manager Console/Agent/Plug-In, Citrix Presentation Server for Microsoft Windows, Citrix Provisioning Services, Citrix Single Sign-On Console/Agent, Citrix Virtual Desktop Agent, Citrix XenApp, Citrix XenDesktop
- EMC Mozy
- Foxit Reader
- Google Chrome, Google Desktop, Google Earth, Google Picasa, Google Talk
- HP System Management Homepage
- LibreOffice
- Lightning UK ImgBurn
- Mozilla Firefox, Mozilla SeaMonkey, Mozilla Thunderbird
- Nullsoft Winamp
- Opera
- Oracle OpenOffice.Org
- Rarlab WinRAR
- RealPlayer
- RealVNC
- RIM BlackBerry Desktop Manager
- Skype
- SourceForge.Net Audacity, SourceForge.Net FileZilla, SourceForge.Net Pidgin
- Sun Java Runtime Environment
- UltraVNC
- VLC Media Player
- WinZip
- Wireshark
- Yahoo Messenger

The 4A model: A best practices approach
The Primary Challenge
Help Security and Operations teams strike an optimal balance between risk and cost
- Security Team: Risk
  - Vulnerabilities: Coverage, Timeliness
- Operations Team: Impact & Cost
  - Patches & Workarounds: Coverage, Accurate priorities, Optimal process, Minimal impact

The 4A Model
[Diagram: Security Team, Change Management Team, and Computer and Server Admins, connected by the Risk Assessment, Remediation Strategy, Compliance Report and Impact Report]

The 4A Model - Assessment Phase
Primary Role: Security Officer
Inputs:
- Security advisories/bulletins and threat management alerts/feeds
- List of endpoints that are likely to have a given vulnerability
Goals:
- Learn as soon as possible about potential updates
- Perform an initial evaluation of the situation
- Assign a priority to updates
- Promptly notify the appropriate people/organizations
Output: Risk Assessment assigning priority to each update

Assessment Phase - Nature of Vulnerability
Assessment Phase - Impact on Your Environment
Assessment Phase - Define Custom Severity Levels
Assessment Phase - Assign Custom Severity Levels

The 4A Model - Analysis Phase
Primary Role: Change Manager
Input: Risk Assessment
Goals:
- Identify the full scope
- Assess the potential impact
- Deliver the Remediation Strategy
Output: Remediation Strategy, which identifies updates to be applied, endpoints to be targeted and excluded, roll back plan, etc.

Analysis Phase - Release Vehicles
- Monthly Releases
  - Severity 2 updates
  - Rollout to begin on Thursday following second Tuesday of each month (i.e. "Patch Tuesday")
- Bi-annual Releases
  - Severity 3 updates
  - Rollout to begin on Thursday following monthly release during February and August
- Out of Band Releases
  - Severity Level 1 updates
  - No set rollout schedule

Analysis Phase - Phased Rollouts
- To mitigate risk, roll out updates to different groups of computers in phases
  - Test environment (lab)
  - Pilot group (often a subset of the IT group, or power users of an application)
  - Production (computers in the production environment, often broken down into multiple groups)
- If problems are discovered during testing
  - Defer rollout of the update
  - Exclude certain computers from the rollout
- In addition to prioritizing updates, also prioritize the groups of computers to which an update will be distributed
  - Business criticality
  - Likelihood of exposure to vulnerability
  - System availability requirements
  - System redundancy

The 4A Model - Application Phase
Primary Role: Computer/Server Administrator
Input: Remediation Strategy
Goals:
- Apply software updates on a timely basis
- Apply software updates in a manner that appropriately mitigates the risks involved
Output: Compliance Report verifying that required updates have been successfully applied to a requisite percentage of relevant endpoints

Application Phase - Phased Rollouts
[Timeline chart: Release Date, Test Group (Lab), Pilot Group (IT), Production Group #1, Production Group #2, Production Group #3]

Application Phase - Compliance Report
- Verify that expected compliance rate was achieved according to terms of SLA
- Note that Compliance Rate is calculated based on computers that have been scanned

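Because the rate's denominator is scanned computers only, a group with poor scan coverage can report a high rate while many endpoints remain unverified. The following is an added example, not part of the original slides or of Altiris Patch Management Solution: it computes the rate as the slide defines it, next to scan coverage and the worst-case rate over all targeted computers. The 95% SLA target, the record layout and the sample inventory are assumptions.

```python
from collections import defaultdict

SLA_TARGET = 0.95  # assumed SLA threshold; the slide does not give a figure

def compliance_report(records, sla=SLA_TARGET):
    """records: (computer, group, scanned, installed) tuples -> per-group metrics."""
    counts = defaultdict(lambda: {"targeted": 0, "scanned": 0, "installed": 0})
    for _computer, group, scanned, installed in records:
        c = counts[group]
        c["targeted"] += 1
        if scanned:  # install state is only known for scanned computers
            c["scanned"] += 1
            c["installed"] += 1 if installed else 0
    report = {}
    for group, c in counts.items():
        # Rate as the slide defines it: the denominator is scanned computers only.
        rate = c["installed"] / c["scanned"] if c["scanned"] else None
        # Lower bound if every unscanned computer turns out to be unpatched.
        worst = c["installed"] / c["targeted"]
        report[group] = {
            "compliance_rate": rate,
            "scan_coverage": c["scanned"] / c["targeted"],
            "worst_case_rate": worst,
            "meets_sla": rate is not None and rate >= sla,
            "sla_survives_unscanned": worst >= sla,
        }
    return report

def sample_records():
    """Constructed inventory for three of the rollout groups."""
    rows = [(f"pilot-{i}", "Pilot Group (IT)", True, True) for i in range(4)]
    rows += [(f"p1-{i}", "Production Group #1", i < 5, i < 5) for i in range(10)]
    rows += [(f"p2-{i}", "Production Group #2", True, i != 0) for i in range(4)]
    return rows
```

In the sample, Production Group #1 meets the SLA on the reported rate with only half of its computers scanned, which is the case the slide's note warns about.
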
The 4A Model - Advancement Phase
Primary Roles: All involved in process
Inputs:
- Lessons learned
- Data analysis
Goals:
- Ongoing evaluation and fine-tuning of process
- Continuous improvement
Output: Process improvements

Tips and Tricks
Installing under System Account
- Some third party vendor packages (e.g. Sun JRE) cannot be installed under the System Account
- By default, Patch policies install updates under the System Account
- The account used to install each package can be configured in Resource Manager

Disabling previously installed versions in use
- Updates to Sun JRE require that previously installed versions be disabled before installing a new version/update
- The batch file which drives the installation of Sun JRE updates does not disable previously installed versions before attempting to install the new version/update, as this could result in unexpected user disruption
- Workaround is documented in release notes (i.e. Add 'tskill java /A' command to batch file)

Disabling previously installed versions in use
- View command line information in Resource Manager

Disabling previously installed versions in use
- Locate batch file in folder for package associated with update
- Modify batch file

Maintaining application customizations
- Third party vendors such as Adobe sometimes address security issues in packages that install a full version of the application rather than in a hot fix that only updates the affected files
- Updates distributed as full installation packages may fail to preserve customizations made to previously installed versions of the application (e.g. turning off an auto update feature)
- Customizations can be preserved by:
  - Running a separate task following installation of the update;
  - Creating a transform file, adding the transform file to the package folder associated with the update, and creating a custom command line for the update package

Application Customizations - Adobe Flash
- Auto-update configuration settings are stored in the mms.cfg file
- For Flash 8 and later, mms.cfg is stored in the following location:
  - Windows NT, 2000: \\WINNT\System32\Macromed\Flash
  - Windows XP, Vista: \\WINDOWS\System32\Macromed\Flash
  - Windows 64 bit: \\Windows\SysWOW64

| Parameter | Default | Description |
|---|---|---|
| AutoUpdateDisable | 0 | 0 allows auto-update based on user settings. 1 disables auto-update. |
| SilentAutoUpdateEnable | 1 | 0 allows background update. 1 disables background update. |

For more information, see: http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html

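One way to implement the "separate task following installation of the update" for mms.cfg is to snapshot the managed parameters before the update and restore any that the full installer reset. This is an added example, not code from the slides, Adobe or Symantec. It assumes mms.cfg is a UTF-8 file of `key=value` lines with `#` comments, and the function names and the sample file are constructed for illustration.

```python
import os
import tempfile

# The two parameters named on the slide; values are restored, not interpreted.
MANAGED_KEYS = ("AutoUpdateDisable", "SilentAutoUpdateEnable")

def read_settings(path):
    """Return {key: value} for the key=value lines of an mms.cfg file."""
    settings = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    settings[key.strip()] = value.strip()
    return settings

def restore_settings(path, baseline):
    """Re-apply baseline values for MANAGED_KEYS; return the keys that had drifted."""
    current = read_settings(path)
    drifted = [k for k in MANAGED_KEYS
               if k in baseline and current.get(k) != baseline[k]]
    if not drifted:
        return []
    lines = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    # Drop stale lines for drifted keys, keep everything else untouched.
    kept = [l for l in lines if l.split("=", 1)[0].strip() not in drifted]
    kept += [f"{k}={baseline[k]}" for k in drifted]
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write("\n".join(kept) + "\n")
    os.replace(tmp, path)  # swap in one step so a reader never sees a partial file
    return drifted

def demo():
    """Snapshot, simulate a full-install update resetting the file, then restore."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "mms.cfg")  # constructed stand-in for the real location
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\nAutoUpdateDisable=1\n")
        baseline = read_settings(cfg)          # taken before the update runs
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\nAutoUpdateDisable=0\n")  # simulated reset
        drifted = restore_settings(cfg, baseline)
        return drifted, read_settings(cfg)
```

The returned list of drifted keys can be logged by the post-install task, so that updates which reset customizations show up in reporting.
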
Application Customizations - Adobe Acrobat and Reader
- Three ways to customize installation
  - Command line
  - Changes to registry following distribution
  - Customization wizard
- For more information, see Enterprise Administration Guide: http://helpx.adobe.com/content/dam/kb/en/837/cpsid_83709/attachments/acrobat_enterprise_administration.pdf

Adobe Acrobat and Reader - Command Line
- Set value of Windows Installer properties on command line, e.g.

    msiexec /i "[UNC PATH]\AdbeRdr1010_en_US.msi" EULA_ACCEPT=YES /qn

Adobe Acrobat and Reader - Registry Changes
- Administrator's Information Manager (dictionary of 450 registry/plist preferences)
- Example #1: Disable automatic updates and remove associated user interface items

Adobe Acrobat and Reader - Registry Changes
- Example #2: Disable prompts for upgrades to next major version (e.g. 10.0 to 11.0)
- For more information, see http://learn.adobe.com/wiki/download/attachments/46432650/aim.air

Adobe Acrobat and Reader - Customization Wizard
- Free utility that enables pre-deployment installation customization
- Creates transform file that gets applied to .msi at installation time
- See: ftp://ftp.adobe.com/pub/adobe/acrobat/win/10.x/10.0.0/misc/

Adding Transform File to Software Update Package
Creating Custom Command Line

Additional Resources
- For tips and tricks on installing applications and updates to those applications, see IT Ninja (formerly AppDeploy): www.itninja.com/tips
- For informative discussions among system administrators regarding the distribution of software updates, subscribe to the Patch Management Mailing List: www.patchmanagement.org
- For more questions and answers regarding use of the Altiris Patch Management Solution, see Symantec Connect: http://www.symantec.com/connect/endpointmanagement/forums

Thank you!
Mike Grueber
Mike_Grueber@symantec.com
Copyright 2011 Symantec Corporation. All rights reserved.