Patch Management Strategy
Ken DeJarnette, Deloitte Principal
Mike Simpson, Deloitte Senior Manager
Challenges in the IT Environment
- Multi-platform environments
- Segmented networks
- Global distributed networks
- Custom applications
- Operations and management
- Localization problems
- Standardization
- Tools
- Audit and tracking
- Volume of patches
Legal and Regulatory Factors
- Gramm-Leach-Bliley Act (GLB)
- HIPAA
- California - SB1386
- Sarbanes Oxley Act
- Future trends for security & privacy
Patch Management Challenge
How do you know if you have an effective patch management strategy?
- Are the correct servers patched?
- Is the patch correctly applied?
- Does it conflict with other patches?
- Will it impact other server components and reliability?
Patch Management Overview
Diagram labels (Patch Management Process): Process Improvement; Patch Development; Patch Monitoring; Deployment; Auditing & Compliance; Evaluate environment, risk, and needs; Assign Teams responsibility; Plan release; Release development; Acceptance testing; Rollback planning; Integrating with other processes; Rollout planning / preparation; Deployment mechanism; Release deployment; Review; Document; Optimize; Microsoft Patches; Correction; Packaging; Subscribe; Monitor; ROI
Diagram labels (timeline): Vulnerability Discovered; Vulnerability lifecycle; Patch Deployed
People, Process, Technology: Attributes of Effective Patch Management
- Well documented
- Clear guidance
- Repeatable
- Proactive
- Integrated
- Reduce risk
- Reduce operating costs
- Increase productivity
- Increase security
- Increase quality
Diagram labels: Process; Technology; People; Security Awareness; Enablers / Contributors; Compliance
People in Patch Management
Roles: Architects; Server Admins; App Admins; Security Teams; Dev, Release, NOC; IT Managers
Activities: Set Standards; Provision Systems; Provision Apps; Patch Systems; Manage Change; Report & Plan
Patch Management Processes: Change History & Asset Tracking; Policies & Guidelines; Evaluate & Test; Deployment
Sites: Seattle Datacenter; Tampa Datacenter
Technology in Patch Management
- Microsoft Tools
  - SMS
  - SUS
  - MBSA
  - Windows Update
- Microsoft Product Enhancements
  - VPN Network Quarantine
- Microsoft Guidance
  - MOF
  - Microsoft Guide to Security Patch Management
Process in Patch Management
Patch management is a subset of:
- Change Management
- Release Management
Additional process considerations:
- Configuration Management
- Security Administration
- System Administration
- Network Administration
- Service Monitoring and Control
- Job Scheduling
- Problem Management
Patch Management Strategies
Patch management strategies should include:
- Policies and Standards
- Risk management methodology
- Change and release management strategies
- Patch evaluation & prioritization strategy
- Exception management strategy
- Asset tracking
  - Know the current state of the environment
  - Software, configurations, and patch levels
  - Enable cost analysis
- Reporting strategy
- Testing and validation strategy (Monitoring / Auditing)
Risk Management Process
Diagram labels: Identify; Analyze; Risk Assessment Documentation (Top n Risks); Retired Risks List; Control; Plan; Track
Example – Policies & Standards
Sample patch management standard – patch filtering and analysis process
- An exploit must be ‘remote’ rather than ‘local’ (i.e., you do not need console access or an account on the server to exploit it).
- The patch must address an exploit that is ‘in the wild’ and not merely theoretical.
- A respected authority (e.g., the FBI/NPIC or Microsoft) has released a warning about the security problem and customers will likely be concerned about it.
- The patch must have a non-trivial impact on the overall security of the computer (e.g., a DoS patch might not be needed if a load balancer could mitigate the problem).
Prioritizing and Scheduling the Release
* Available in the Microsoft Guide to Security Patch Management
How Mature is Your Process?
Diagram labels (Maturity Scale): Progress; Maturity; Optimization; Integration; MINIMUM DESIRED MATURITY LEVEL; Maturity of operational processes; Repeatability; Control; Awareness; Startup; Initiation; Time
Over time, IT operations should scale to ensure Availability, Reliability, & Trust.
Strategy Summary
No matter the size or complexity of your organization, in order to:
- Reduce Risk
- Reduce operating costs
- Increase productivity
- Increase security
- Increase quality
…You must begin with process
Automation of processes becomes necessary with complexity
A member firm of Deloitte Touche Tohmatsu ©2003 Deloitte & Touche USA LLP. All rights reserved.