White Paper The Return on Investment of Automated Patch Management



Similar documents
Automated Patch Management: Impressive Return on Investment

The Top 10 Requirements for Effective Enterprise Patch and Vulnerability Management. White Paper April 2006

PatchLink Update and Microsoft Systems Management Server 2003

How PatchLink Meets the Top 10 Requirements for Enterprise Patch and Vulnerability Management. White Paper Sept. 2006

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives

Quantifying ROI: Building the Business Case for IT and Software Asset Management

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation

GENERATING VALUE WITH CONTINUOUS SECURITY TESTING

Virtual Patching: a Proven Cost Savings Strategy

Justifying a System Monitoring Solution. A White Paper

Altiris IT Management Suite 7.1 from Symantec

How To Monitor Your Entire It Environment

WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications

understanding total cost of

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

SERVICES BRONZE SILVER GOLD PLATINUM. On-Site emergency response time 3 Hours 3 Hours 1-2 Hours 1 Hour or Less

THE TOP 4 CONTROLS.

Lumension Endpoint Management and Security Suite

Vulnerability Management

Management Solution. Key Criteria for Maximizing Value and Reducing Risk. Author: Mark Bouchard WHITE PAPER

Convergence of Desktop Security and Management: System Center 2012 Endpoint Protection and System Center 2012 Configuration Manager

HP ProLiant Essentials Vulnerability and Patch Management Pack Planning Guide

PREMIER SUPPORT STANDARD SERVICES BRONZE SILVER GOLD

Managed Service Plans

Organizations that are standardizing today are enjoying lower management costs, better uptime. INTRODUCTION

Enterprise Job Scheduling: How Your Organization Can Benefit from Automation

Making the Business Case for IT Asset Management

Service and Support as a Business

CA Vulnerability Manager r8.3

Implementing Hybrid Cloud at Microsoft

The Massachusetts Open Cloud (MOC)

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Altiris IT Management Suite 7.1 from Symantec

Guide to Vulnerability Management for Small Companies

Leveraging a Maturity Model to Achieve Proactive Compliance

Realizing the Benefits of Vulnerability Management in the Cloud

Why you need an Automated Asset Management Solution

Information and Communication Technology. Patch Management Policy

Taking Information Security Risk Management Beyond Smoke & Mirrors

Captaining datacenter security: putting you at the helm

Advanced Remote Monitoring: Managing Today s Pace of Change

How To Protect Your Network From Attack From A Network Security Threat

Challenges Facing Today s Data s Centers

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Ohio Supercomputer Center

See all, manage all is the new mantra at the corporate workplace today.

Metrics that Matter Security Risk Analytics

How To Manage A Patch Management Program

Justin Kallhoff CISSP, C EH, GPCI, GCIH, GSEC, GISP, GCWN, GCFA. Tristan Lawson CISSP, C EH, E CSA, GISP, GSEC, MCSA, A+, Net+, Server+, Security+

IT and Software Asset Management: A Key to Reducing Costs

Lumension Guide to Patch Management Best Practices

Going Thoroughly Virtual

WHITEPAPER: The advantages of system automation tools in remote management systems

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

Computer System Security Updates

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

Mobility, Security Concerns, and Avoidance

Patch and Vulnerability Management Program

Virtual Patching: a Compelling Cost Savings Strategy

Four Factors Not to Overlook When Trying to Save on Security

".,!520%'$!#)!"#$%&!>#($!#)!

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Security Patch Management

Penetration Testing Report Client: Business Solutions June 15 th 2015

CITY UNIVERSITY OF HONG KONG Change Management Standard

Consequences of Poorly Performing Software Systems

Closing the Vulnerability Gap of Third- Party Patching

Automated IT Asset Management Maximize organizational value using BMC Track-It! WHITE PAPER

Simplify Your Windows Server Migration

Northwestern University Dell Kace Patch Management

Proven LANDesk Solutions

Capturing the New Frontier:

BACKUP ESSENTIALS FOR PROTECTING YOUR DATA AND YOUR BUSINESS. Disasters happen. Don t wait until it s too late.

THE BLUENOSE SECURITY FRAMEWORK

HEAT DSM Release Overview. Andreas Fuchs Product Management November 16th, 2015

Ovation Security Center Data Sheet

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Reduce IT Costs by Simplifying and Improving Data Center Operations Management

Appendix V Risk Management Plan Template

Securing the Microsoft Environment Using Desktop Patch Management

Reducing the Complexity of Virtualization for Small and Midsized Businesses

eguide: Designing a Continuous Response Architecture 5 Steps For Windows Server 2003 End of Life Success

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

The Business Case for Virtualization Management: A New Approach to Meeting IT Goals By Rich Corley Akorri

Worldwide Security and Vulnerability Management Forecast and 2008 Vendor Shares

Preemptive security solutions for healthcare

Three Ways to Secure Virtual Applications

Managed Services. Business Intelligence Solutions

Integrated Threat & Security Management.

Enterprise software risk reduction

Accounts Payable Imaging & Workflow Automation. In-House Systems vs. Software-as-a-Service Solutions. Cost & Risk Analysis

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

The Power to Take Control of Software Assets

ENTERPRISE IT SERVICE MANAGEMENT BUREAU OF ENTERPRISE SYSTEMS AND TECHNOLOGY ENTERPRISE SERVICE DESCRIPTION FOR. Ocotber 2012

Stronger than Firewalls And Cheaper Too

White Paper The Dynamic Nature of Virtualization Security

Governance, Risk, and Compliance (GRC) White Paper

SaaS Model - A Solution For Clean Up Garbage Stamps

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Transcription:

White Paper The Return on Investment of Automated Patch Management July 2006

Introduction It s a simple truth: applying patches is the only definitive way to keep vulnerable systems from being exploited. Accordingly, the vast majority of organizations acknowledge the need to have a formal patch management strategy and solution. Furthermore they clearly recognize that the demands in this area are escalating due to the proliferation of new vulnerabilities and the rapid emergence of associated threats. Seemingly irreversible conditions require that organizations not only deploy more patches than ever before, but also that they do so with a much greater degree of urgency. Figure 1: A Perfect Storm for Information Security Given this situation, it intuitively makes sense to implement an automated patch management solution. However, IT and security personnel inevitably need to provide more than just their intuition to justify such an investment. This paper is intended to address this necessity by enumerating the cost savings and other associated benefits of automated patch management. Ultimately it will be demonstrated that, relative to a manual approach, an automated solution can reduce the annual cost of patching from $222 to $40 per computer resulting in an expected savings of over $180,000 per year for an organization with 1000 computers. Cost/Savings and Benefits Analysis There are many factors and dependencies associated with an analysis of the benefits of automated patch management not all of which are straightforward. The assumptions, choices, and rationale provided in the following sections are based on the experience of the authors, the expertise of the developers and engineers at PatchLink, and the continuous feedback collected from PatchLink s extensive customer base. Page - 1

Overview of Benefits The benefits of automated patch management can be assigned to two general categories: quantitative and qualitative. The primary distinction between these is whether reasonably defendable estimates can be calculated for the given benefit. The most significant quantifiable benefit is the reduction in administrator effort that results from automating many portions of an otherwise manually intensive exercise. Understanding this further is facilitated by Figure 2, which provides a summary of the individual tasks that comprise the major steps of a typical patch management process. To be clear, the benefit here is one of achieving greater efficiency of operations. It could also be argued that administrator and end-user productivity gains due to incurring fewer successful attacks deserve to be classified as quantifiable benefits. However, it is probably more appropriate to classify these as red herrings. The problem in this case is that the potential gains hinge on the anticipation of remediating a vulnerability much sooner than would otherwise be possible (which is fundamentally different than doing it more efficiently). But there are several challenges with this notion. First, the presence of intermediate steps in the process which are necessarily manual diminishes the potential improvement in the overall elapsed time before a patch is applied and, more importantly, complicates its quantification. The second challenge is assigning a value to whatever degree of improvement is actually attained. By how many will the number of successful attacks actually be reduced? One can only guess. Finally, there is the point that taking advantage of any gain in this area requires the patch management process to be executed more frequently. In the extreme, it would need to be conducted every time a patch became available as opposed to the widely favored approach of executing it at regularly scheduled intervals (e.g., monthly). Overall, it is expected that the cost of these extra cycles (i.e., rollouts) would offset the productivity savings attributable to experiencing a few less successful attacks. In any event, this potential benefit is simply too difficult to defend concretely and, therefore, is relegated to the qualitative category. It is important to realize, however, that just because it is not easily quantified does not mean that the ability to remediate vulnerabilities sooner, at least in some cases, is not a valid benefit. In reality, it can and does save organizations from successful attacks. It s just that the actual number of such occurrences is irregular and highly unpredictable. Instead, the real value in this case is a general level of risk reduction that yields a range of qualitative benefits, such as the reduced likelihood of: Loss of data; Loss of revenue; Loss of credibility with customers and partners; and, Legal action/liability. Furthermore, the potential magnitude of these benefits is so great that productivity gains due to fewer user disruptions and reduced recovery efforts, whatever they may be, become relatively meaningless. Indeed, it is well documented that even a single successful attack could lead to intangible Page - 2

losses of millions of dollars, particularly if the incident receives any degree of public exposure and attention. Description of Scenario As intuitively helpful as large-magnitude qualitative benefits can be, they simply do not have the same motivational impact as cold-hard data, especially if it s in the form of dollars. With this in mind, a cost model comparing manual and automated approaches of executing the patch management process is provided in Table 1. Although this model is essentially generic, and therefore adaptable to the situation at virtually any organization, the specific scenario for which the calculations were made in this case is defined by the following high-level characteristics. There are 1000 end-user computing stations split among two sufficiently different builds (i.e., combinations of hardware, operating system, and applications) such that certain tasks must be performed independently for each group. There is a moderate level of heterogeneity, with operating systems and applications from multiple vendors. This leads to a total number of applicable patches that corresponds to twice the annual average of patches encountered by the typical Microsoft-only shop (i.e., 2*160). However, risk analysis and shrewd planning result in the need to only deploy three quarters of this number (i.e., 240). The organization prefers to aggregate its patches and deploy them at regularly scheduled intervals (i.e., monthly), but will conduct additional, off-cycle rollouts to account for critical situations (i.e., 2 per year). It should also be emphasized that estimates, where needed to supplement real-world data, were made in a conservative manner (i.e., in favor of the manual approach). As a result, the actual cost advantage that any given organization derives from automated patch management is likely to be somewhat greater than what the model predicts. Examination of Findings Speaking of cost advantages, the outcome for the given scenario is that, due to a per-computer reduction in patch management costs from $222 to $40 per year, an automated patch management solution is projected to yield an annual savings of approximately $182,000. In other words, without even accounting for any of the associated qualitative benefits, automated patch management will provide an ROI of approximately 450%, essentially paying for itself in less than three months. Review of Table 1 reveals that the largest contributions to these projected cost savings come from gains in the deployment step of the patch management process. These gains can be attributed in large part to the ability of client-side agents to minimize distribution/installation errors and to significantly facilitate any required troubleshooting. It is also important to recognize that while deployment related tasks are responsible for the greatest degree of savings, they are not the only ones that have an impact. In fact, as can be seen in the table, modest yet still significant gains are made in each of the other steps of the patch management Page - 3

process as well. Particularly telling is that even these smaller gains alone are sufficient to yield an annual reduction of 940 hours of labor, resulting in savings ($47,000) that is more than twice the cost of the patch management solution ($20,300). Again, a significant portion of the benefit can be attributed to the client agents. They automate both the pre-deployment task of establishing patch applicability as well as the post-deployment task of periodically validating that each patch remains properly installed. Extending beyond the patch management process, they can also facilitate inventory management objectives by identifying the software and hardware components residing on all managed systems. Mileage Will Vary As noted earlier, the cost analysis model and resulting savings projections of Table 1 are based on a wealth of experiential data. Nonetheless, it is appropriate to acknowledge that a number of factors can impact the real-world outcome for any given organization. Some of the more significant ones include: Size of organization; Degree of centralization/de-centralization; Level of administrator expertise; Diversity of operating systems; Diversity of application portfolio; Complexity of system configurations; and, Enterprise policies and procedures In addition, the patch management product that is selected can be another potentially significant factor. By no means are they all created equal. For example, unlike PatchLink Update, not all of them will have flexible system inventory capabilities, a streamlined patch deployment wizard, and assessment and validation services that are based on patented Patch Fingerprinting Technology. Nor will they all exhibit the advantages attributed to an agent-based architecture. For assistance selecting a best-of-breed automated patch management solution, readers are referred to the separately published whitepaper The Top 10 Requirements for Enterprise Patch and Vulnerability Management 1 Summary In this day and age of vulnerability proliferation and fast-following threats, automated patch management is an intuitively appealing solution. The qualitative benefits alone can often be quite compelling, with better (i.e., more accurate and potentially quicker) patching leading to an overall reduction in risk as a result of incurring fewer successful attacks. In addition, for organizations seeking more concrete evidence, it can fortunately be found in the form of quantifiable cost savings. Specifically, it is expected that an enterprise patch management solution featuring a high degree of automation will reduce the annual cost to patch a single computer from $222 to $40, representing an annual savings of over $180,000 for an organization with 1000 workstations. Footnotes: 1. The Top 10 Requirements for Enterprise Patch and Vulnerability Management is accessible at www.patchlink.com. Page - 4

Figure 2: Elements of A Typical Patch Management Process Research involves identifying new vulnerabilities and patches that are applicable to the organization. Although straightforward, this task can be time consuming if accomplished manual. An automated approach can save the effort of sifting through a plethora of vendor and relevant security websites, press releases, and email notifications. Analysis begins by establishing the general extent to which a given patch is applicable to the organization approximately how many systems are affected and what roles/services/applications are they supporting. Inventorying capabilities of an automated solution can facilitate these sub-tasks. This information is then combined with other factors (e.g., severity of the vulnerability, presence of an associated threat, business criticality of affected systems, and availability of other mitigating controls) in the highly manual task of analyzing and deciding whether the given patch should in fact be deployed. Indeed, another unfortunate yet all-too-real consideration that must also be factored in is the potential that any given patch will have negative repercussions on business operations (e.g., by causing system crashes, or even by introducing additional vulnerabilities). This will often lead to blanket policies, such as for critical servers, only apply patches associated with critical vulnerabilities. Testing involves applying each patch (typically individually) to a small subset of each type/build of computer that is affected and then monitoring them for any adverse side effects while the systems and their applications are Page - 5

exercised. While the first part of this step can be accelerated by an automated solution, there is minimal opportunity to improve the second part. Preparation starts with the highly manual effort of deciding on the particulars of how to deploy a patch, or more likely, a package of several patches. This entails answering questions such as: Which machines should be excluded? How will reboots be handled? Will the rollout be phased and, if so, how? What are the timing details (e.g., deadlines, maintenance windows)? It also involves collecting the patches themselves, and finally scripting or otherwise configuring the details of the deployment plan into an appropriate tool. Deployment of a patch package and any subsequent troubleshooting that is required can be aided significantly by an automated system, particularly one that is agent-based. In contrast, a manual approach will typically involve directly administering patches to a select subset of machines, as well as a higher failure rate for remote, script-based installations with both cases requiring a physical visit to the computers in question. Monitoring involves reporting on patch deployment and status (e.g., for compliance purposes) and then validating that all of the patches remain properly installed. Validation should also be repeated on periodic basis, since it is well established that approximately 20% of all systems will become unpatched over the course of a year (e.g., due to the installation of old versions of components, such as DLLs, by new patches, applications, or system rebuilds). In any event, both of these tasks can be challenging if done manually, requiring generation of custom signatures, scanning scripts, and reporting mechanisms. Page - 6

Table 1: Cost Comparison of Manual and Automated Patch Management Variables & Assumptions Notes Number of computers 1000 Classes of computers 2 Applicable patches per year 320 Annual Average for Microsoft *2 to account for other apps & systems Install rate 75% One per month plus 2 out-of-phase cycles to account for emergencies Install cycles (i.e., 14 rollouts)/yr Hourly rate ($'s) 50 Workdays/yr 250 Install failure rate, manual 15% Scripts don t work properly, glitches due to custom images, etc. Install failure rate, 1% automated Local install rate, manual 15% Pre-emptively decide to patch locally Local install rate, automated 0% Patch Management Process Task Task Units Hours per Task Unit Annual Labor (Hours) (i.e. frequency) Manual Automated Manual Automated Research Identify available patches per workday.5.17 125 43 Analysis Establish scope of per patch.5.17 160 54 applicability Determine whether to install per patch.5.5 160 160 Testing per class/rollout Install in test environment.5.17 140 5 Establish impact 2 2 56 56 Preparation per class/rollout Determine distribution plan 1 1 28 28 Compile patches 3 0 84 0 Script/Configure plan detail 9.25 252 7 Deployment per computer/rollout Local installs in production.5.5 1050 0 Troubleshoot failures 1.25 2100 35 Monitoring Reporting per rollout 8.17 112 2 Validate installation per month 15.17 180 2 Total 4447 392 Page - 7

Summary of Costs Manual Automated Notes Patch Process $222,350 $19,604 Patch Management Software $0 $18,000 Patch Management Hardware $0 $800 annual cost = one time cost divided by 3 years Patch Management Training $0 $250 annual cost = one time cost divided by 3 years Patch Management Installation $0 $400 annual cost = one time cost divided by 3 years Annual Maintenance $0 $480 20% of one-time hardware costs Total Annual Costs $223,350 $39,534 Total Annual Cost Savings $182,816 Page - 8

ABOUT THE AUTHOR Mark Bouchard, CISSP, is the founder of Missing Link Security Services, LLC, a consulting firm specializing in information security and risk management strategies. A former META Group analyst, Mark has assessed and projected the business and technology trends pertaining to a wide range of information security topics for nearly 10 years. He is passionate about helping enterprises address their information security challenges. During his career he has assisted hundreds of organizations world-wide with everything from strategic initiatives (e.g., creating 5-year security plans and over-arching security architectures) to tactical decisions involving the justification, selection, acquisition, implementation and operation of their security and privacy solutions. Dennis Roberson is Regional Director for the Mid-Atlantic for PatchLink Corporation. Page - 9

PatchLink Corporation Scottsdale, AZ 85255 480.970.1025 www.patchlink.com Page - 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information