Accelerate Patching. the Enterprise. Wolfgang Kandek Qualys, Inc. Session ID: STAR-301 Session Classification: Intermediate

Accelerate Patching Progress Title of in Presentation the Enterprise the Enterprise Wolfgang Kandek Qualys, Inc. Session ID: STAR-301 Session Classification: Intermediate Insert presenter logo here on slide master

Introduction Patch Management Patch Progress Data Common Steps Case Studies Actions Summary References Q&A 2

Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and e-mail and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits include 5-15 vulnerabilities (Mostly Apps, some OS) Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between 500-5000 US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack, Blackhole 3

Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and e-mail and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits include 5-15 vulnerabilities (Mostly Apps, some OS) Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between 500-5000 US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack, Blackhole 4

Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and e-mail and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits feature between 5-15 vulnerabilities Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between 500-5000 US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack 5

Patch Management Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications Patching is the best protection against malware infections Malware enters mainly through web browsing and e-mail and attempts installation through known vulnerabilities Malware toolkits allow low tech specialists to act in the market Toolkits feature between 5-15 vulnerabilities Toolkit generated malware has a success rate between 5% and 30% and bypasses typical AV software Cost is between 500-5000 US$ and vendors charge for maintenance and new versions similar to normal software Elenore, Crimepack, Liberty, El Fiesta, ipack 6

Patch Management Average desktop machine requires monthly patches to be current and robust Sample numbers of security patches in 2009: Adobe: 19 bulletins Apple: 34 security updates Microsoft: 74 bulletins RedHat: 124 advisories Numbers are growing: Microsoft already has had 84 advisories in 2010 ZDI reported increasing number of collisions on vulnerability submissions (see Top 20 Cyber Security Risks Report) 7

Patch Management Average desktop machine requires monthly patches to be current and robust Sample numbers of security patches in 2009: Adobe: 19 bulletins Apple: 34 security updates Microsoft: 74 bulletins RedHat: 124 advisories Numbers are growing: Microsoft already has had 84 advisories in 2010 ZDI reported increasing number of collisions on vulnerability submissions (see Top 20 Cyber Security Risks Report) 8

Patch Progress - Laws of Vulnerabilities Worldwide coverage 2009 80M IPs scanned, 680M vulnerabilities 72M+ vulnerabilities of critical severity External (Internet) and Internal (Intranet) 200 external scanners and 5000+ internal scanners Data is anonymous and non traceable Simple counters are kept during scanning Summarized and logged daily Trends by Industry Area and Application Type 5 major industries Operating System and Applications 9

Laws of Vulnerabilities 2.0 Half-Life 140 Overall Critical Vulnerabilities 72M data points 120 100 Half-Life = 29.5 days 80 60 40 20 0 10

Laws 2.0 Half-Life by Industry Finance Sector Service Sector 120 120 100 80 60 Half-Life: 23 days 100 80 60 Half-Life: 21 days 40 40 20 20 0 120 100 80 60 40 20 0 Wholesale/Retail Sector Half-Life: 24 days 0 120 100 80 60 40 20 0 Manufacturing Sector Half-Life: 51 days 11

Laws 2.0 Half-Life - 2009 P e r c e n t 120 100 80 60 40 20 P P e e r c r c e n e n t t P e r c e n t 2009 mixed half-life Adobe Acrobat APSA09-1 & APSA09-02 MS09-017 Microsoft - Powerpoint OS vulnerabilities - 5/12/2009 120 120100 100 80 80 80 60 60 60 40 40 40 20 20 200 0 0 0 5 10 15 20 25 30 35 40 45 50 55 60 0 10 20 30 40 50 60 70 80 90 100 110 120 0 10 20 30 40 50Days 60 70 80 90 100 110 Days Days 0 0 10 20 30 40 50 60 70 80 90 100 110 120 130 140 150 160 170 Days 12

Laws 2.0 Half-Life - 2009 P e r c e n t 120 100 80 60 40 20 0 Microsoft OS vulnerabilities 0 10 20 30 40 50 60 70 80 90 100 110 P e r c e n t 120 100 80 60 40 20 0 Adobe Acrobat APSA09-1 & APSA09-02 0 10 20 30 40 50 60 70 80 90 100 110 120 Days Days P e r c e n t 120 100 80 60 40 20 0 MS09-017 - Powerpoint - 5/12/2009 0 5 10 15 20 25 30 35 40 45 50 55 60 Days 13

Patch Progress Data Patch Progress uneven Industries Applications Source: Project Quant - Securosis 14

Patch Management Common Steps Intelligence Monitoring NVD, Secunia, Symantec, US CERT, Verisign Vendors: Adobe, Apple, Microsoft, Oracle, RedHat Testing Internal Lab First and Second Adopters Group Deployment Automation Agent based: BigFix, Lumension, Microsoft WSUS (Eminent, Secunia for non Microsoft) Remote: Shavlik Verification 15

Case Study 1 Media company - 10,000+ IPs under Management Windows and Macintosh Workstations 10 days for critical OS and Application patches Backend Infrastructure 30 days (database, applications) Quality Assurance Phase 1 volunteers < 1 % - day 2 Phase 2 10 % day 3 and 4 Phase 3 100 % starts day 5 16

Case Study 2 High-tech company - 200+ IPs under Management Windows Workstations - thin clients and laptops 4 days for critical OS and Application patches Backend Infrastructure - Windows 10 days (database, applications) Quality Assurance One Phase internal testing 17

Case Study 3 Finance company - 50,000+ IPs under Management Windows Workstations 5 days for critical OS and Office patches Backend Infrastructure 30 days (database, applications) Quality Assurance Phase 1 1 % - day 1 Phase 2 10 % day 2 and 3 Phase 3 100 % starts day 4 18

Case Study 4 Technology - 300,000+ IPs under Management Windows Workstations 8 days for critical OS and Office patches Backend Infrastructure 30 days (database, applications) Quality Assurance Phase 1 1 % - day 1 Phase 2 10 % day 2 and 3 Phase 3 100 % starts day 4 19

Common Characteristics Accurate Inventory challenging Traditional defenses taxed Firewall, IPS increasingly mobile systems AV Anti Malware signature quantity and freshness Attacker competence rising Professionally driven, profit oriented Division of labor with specialization Exploit availability now measured in days, 0-day has become a common term Targeted Attacks Multiple OS and Application platforms 20

Common Characteristics Divide and Conquer Vertical Partitioning Workstations = streamlined testing, fast patching Servers = longer test cycles, normal patching Slow patching on request -> additional security techniques Stringent Firewalling Bastion Hosts IPS systems 21

Common Characteristics Horizontal Partitioning Internet Explorer = streamlined testing, fast patching Adobe Reader = streamlined testing, fast patching Office Applications = streamlined testing, fast patching Servers = longer test cycles, normal patching Slow patching on request -> additional security techniques Stringent Firewalling Bastion Hosts IPS systems Patch prioritization tools - Superceded patches, IPS integration 22

Sample Patch Prioritization Patch Priority: 1. Apply Microsoft Windows XP Service Pack 3 which will fix MS06-025, MS05-039, MS07-056, MS07-034, MS07-011, MS08-022 and 35 other vulnerabilities. 2. Apply MS09-037 - Fix for: Microsoft Active Template Library (ATL) Remote which will fix MS07-056, MS06-076, MS06-016, MS06-005, MS06-024, MS06-043, MS07-047 3. Apply MS09-028 - Fix for: Microsoft DirectShow Remote Code Execution Vulnerability which will fix MS08-033, MS09-011, MS07-064 4. Apply MS09-034 - Fix for: Microsoft Internet Explorer Cumulative Security Update which will fix MS09-019, MS09-014 5. Apply Microsoft Office 2003 Service Pack 3 which will fix MS07-042, MS06-061 23

Sample Patch Prioritization Tools IDS/IPS Patch Priority: 1. Apply Microsoft Windows XP Service Pack 3 which will fix MS06-025, MS05-039, MS07-056, MS07-034, MS07-011, MS08-022 and 35 other vulnerabilities. 2. Apply MS09-037 - Fix for: Microsoft Active Template Library (ATL) Remote which will fix MS07-056, MS06-076, MS06-016, MS06-005, MS06-024, MS06-043, MS07-047 3. Apply MS09-028 - Fix for: Microsoft DirectShow Remote Code Execution Vulnerability which will fix MS08-033, MS09-011, MS07-064 4. Apply MS09-034 - Fix for: Microsoft Internet Explorer Cumulative Security Update which will fix MS09-019, MS09-014 5. Apply Microsoft Office 2003 Service Pack 3 which will fix MS07-042, MS06-061 24

Actions Local: Get an Accurate Inventory with Network Mapping Tools Use an Automated Patch System Minimize installed software, alternate versions Investigate autonomous patching Verify successful application of patches Develop a strategy for mobile systems Global: Contact Microsoft, request Distribution of 3 rd party patches start with Adobe, then Oracle (Java) and Apple 25

Up and Coming Virtualization Additional vulnerabilities, Dormant VM patching VDI, application streaming Autonomous Applications Firefox autonomous patching Chrome with silent patching Adobe Reader, automatic patching Smartphones Enduser owned systems 26

Summary Diversity and Mobility of IT devices increasing Vulnerability/Exploit cycle accelerating Standard defenses stressed Patching, a fundamental protection Fast patching a challenge to many companies Accurate Inventory, an automated Patch system and a trustworthy verification system are key to a successful patching program 27

References Exploits kits and speedup http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html http://isc.sans.org/diary.html?storyid=8437 http://vrt-sourcefire.blogspot.com/2010/03/apt-should-your-panties-be-in-bunchand.html Project Quant http://www.securosis.com/research/project-quant Patch Management Community http://www.patchmanagement.org Qualys Laws of Vulnerabilities 2.0 http://laws.qualys.com Secunia Security Exposure of Software Portfolios http://secunia.com/gfx/pdf/secunia_rsa_software_portfolio_security_exposur e.pdf Top 20 Cyber Security Risks http://dvlabs.tippingpoint.com/toprisks2010 28

Q&A Thank You wkandek@qualys.com http://laws.qualys.com http://twitter.com/wkandek 29