Patch Management Only part of the solution….. Bob Isaak Mar 04, 2004.


Monthly Vulnerability Alerts

Source: Security Focus Statistics 2002


Operating Systems

Source: Security Focus Statistics 2002


Vendors

Source: Security Focus Statistics 2002


The Challenges

- Server & PC Inventory - What & Where
  - Software components & running services
  - Agentless Auto discovery to remain current

- Patch and Service Pack Status of Servers and PCs
  - Currently installed service packs
  - Previous patches
  - All components: O/S, Exchange, SQL & IIS

- Patch Dependency Analysis
  - Pre-requisites
  - Co-requisites
  - Service Packs which supersede patches

- Patch Inventory and Patch Classification
  - Criticality
  - Severity or Exposure


The Challenges (cont…)

- Patch Matching Reports or System Baselining/Modeling
  - Patches required based on role
  - Patches required compared to “the standard”

- Role-Based Administration/Server and PC Grouping
  - Security vs Admin
  - SQL vs IIS vs Domain Controller vs File Server

- Patch Distribution and Installation
  - Automate intervention
  - Distributed patch servers
  - Roll back if required


The Challenges (cont…)

- Platform and Application Support
  - Not just a Microsoft problem
  - Not just an IIS or Windows problem
  - Extends to Unix, Application Servers, & Database Servers

- Agent vs. Agentless Architectures
  - Agents provide more functionality but are more expensive to deploy and maintain
  - Agents may be required for mobile and remote users.
  - Leverage existing configuration management technologies
  - Agents may conflict with applications


Our Approach

- Weekly Vulnerability Assessment
- SANS Weekly CVE Notification Review
- Security Team & Operational Teams
- Initial Exposure Assessment
- Formal Risk Assessment
- Customer Notification & Approval
- Remediation Recommendations Review
