Transcription
Lumension Guide toPatch Management Best PracticesWith the sophistication and sheer volume of exploits targetingmajor applications and operating systems, the speed ofassessment and deployment of security patches acrossyour complex IT infrastructure is key to mitigatingrisks and remediating vulnerabilities. Here are theLumension-recommended steps to cure yourpatch management headache.April 2012WP-EN-04-17-12
Lumension Guide to Patch Management Best PracticesIntroductionLaying the Groundwork1. Discover Assets32. Agent Maintenance 43. Classify Value and Risk84. Establish Workflow and Groups5. Identify Test Groups6. Staff Training81214Before Patch Tuesday7. Schedule Resources158. Reserve Down-Time for Servers159. Watch for Pre-Announcements1510. Confirm Reporting Up-to-Date1611. Deploy missing updates and prerequisites17On Patch Tuesday12. Study Vendor Information and Patch Tuesday Security Briefings 1913. Prioritize Potential Patches14. Change Control2015. Staged Testing211916. Installation of the Patches 22After Patch Tuesday17. Deployment History2418. Calculate Time to Deploy 2519. Monitor for Compliance2620. Checks and Balances2721. Metrics Improvement282
Lumension Guide to Patch Management Best PracticesIntroductionPatch and vulnerability management is a core component of your risk mitigation strategy. It is the first andlast line of defense against existing and new exploits – laying the foundation from which your AV and othersecurity technologies work. As the sophistication and sheer volume of exploits targeting operating systemsand major applications increases, the speed of assessment and deployment of security patches is key tomitigating risks and remediating vulnerabilities – and reducing costs.In this best practice guide, we are going to take a deep dive into a best practice process for patch and vulnerability management, developed by Lumension over thousands of customer engagements. This process– which is flexible and simple enough to be adapted into your environment – revolves around the well-knownmonthly release of security updates from Microsoft known as Patch Tuesday, and includes:»» Laying the Groundwork for a Successful Patch Process»» Before Patch Tuesday»» On Patch Tuesday»» After Patch TuesdayEvery company’s Patch Management process is going to be a little bit different, but what’s important about thesebest practices are: It’s a repeatable cycle. It’s based on calendar events – in this case Microsoft’s Patch Tuesday.It’s iterative – it can be tweaked based on what’s learned from previous patch cycles. It’s measureable.Documenting a process for the organization is really the best way to communicate the importance of patching your environment to the rest of the organization. In this best practice guide we chose to base the processon the well-known Patch Tuesday event, but you can align your patch process with other recurring IT tasks– with equally effective results – that works best for your organization.Laying the GroundworkThis section is about gaining an understanding of the machines under management and preparing the Patchand Remediation process. At a high level, this means identifying the systems to be managed, defining thepatch-roll out plan, and training the organization on the Patch and Remediation process.1. Discover AssetsWithin Lumension Endpoint Management and Security Suite (L.E.M.S.S.), identif y all hardwareand sof t ware on the net work and categorize themby platform, applications, depar tment, etc.Practical Steps:»» In L.E.M.S.S., navigate to Discover Assets3
Lumension Guide to Patch Management Best Practices»» Follow the Discover Assets wizard to set up an Asset Discovery job.»» As a best practice, administrators will want to schedule a more frequent recurring scan to identifynew endpoints that enter the network, then a less frequent scan as the number of machines undermanagement stabilizes2. Agent MaintenanceEnsure that all endpoint assets in the network have been fully installed with an automated patch solution.Install new patch management agents where required, if this task has not yet been fully automated witha group policy, login script or other technique. Identify offline agents and last contact date – either insideL.E.M.S.S. or by running the Endpoint Check-in report in Lumension Reporting Services (LRS), a free,integrated add-on to L.E.M.S.S.4
Lumension Guide to Patch Management Best PracticesPractical Steps:»» You can either set up a recurring Asset Scan oran Asset Scan/Install Agents job. In L.E.M.S.S., navigate to Discover Assetsor Discover Assets and Install Agents andfollow the wizard to set up a recurring or onetime job.5
Lumension Guide to Patch Management Best Practices»» We also recommend verifying agent availability and last check-in via LRS: Run the Asset Management report “Endpoint Check-in” in LRS. Select the desired date of last endpoint check-in (“Last Contact Date on or before”) – typically yourcurrent date. The report displays the list of endpoints that have not checked-in with the server in a giventimeframe. Ensure that agent communication is established with all the endpoints in your environment. Review endpoints that have not checked in recently and verify which endpoints need follow-up orattention prior to rolling out updates (training computers that are off vs. sales guy in field that needsto check in)6
Lumension Guide to Patch Management Best Practices»» It may also be useful to verify the agent versions and operating systems of your endpoints throughLRS, especially if you are planning to perform an upgrade to a newer version of L.E.M.S.S.: Run the Operational Report “Agent Version and Operating System Distribution” in LRS The report displays the mix of agent versions and operating systems in the endpoint environment,along with a detailed endpoint count. Ensure that all desired endpoints are listed, have the expected agent version(s) and communicateproperly.7
Lumension Guide to Patch Management Best Practices3. Classify Value and RiskDetermine which systems are most critical to protect based on the assets housed and/or the function theyprovide. Define the level of risk by criticality of system and how prone it is to attack.Practical Steps:»» Review your network topology and classify your assets by level of criticality.4. Establish Workflow and GroupsDetermine ownership, permissions needed and responsibilities for threat identification, testing and remediation across security, IT and business units. Define correlating system groups. L.E.M.S.S. will predefinesystem groups based on desktops, servers, physical or virtual hardware, as well as operating systems. Ifmore granular management is required, IT managers can create additional groups based on specific requirements, e.g. if servers are internet-facing, they may be grouped as high-risk but also as limited downtime. Use RBAC controls and set up permissions for desktop patch admin, server patch admin, as well asindividuals who have reporting access only.Practical Steps:»» Determine system ownership, uptime requirements,and patch windows for these machines. Define thepatch cycle for different managed systems.»» Define users and roles within your organization andwho needs access to which systems. On the Tools Users and Roles page, select theRoles tab and either select and assign existingrole(s) or create new roles.8
Lumension Guide to Patch Management Best Practices Next, assign users to the selected role(s) from the Users tab.»» Set up your categorized assets in custom groups in L.E.M.S.S. On the Manage Groups page, click on Custom Groups.Navigate to View in the upper right corner and select GroupMembership to create a custom group. Navigate to View in the upper right corner and select EndpointMembership to assign endpoints to that group. Click on Manage to assign endpoints to that group.9
Lumension Guide to Patch Management Best Practices»» Set Hours of Operation (HOP) for managed endpoints thatrequire a specific patch window. On the Manage Agent Policy Sets page, create a new agentpolicy and define the hours of operation. Then, apply that policy to specific endpoints or groups thatrequire this HOP policy.10
Lumension Guide to Patch Management Best Practices»» For machines managed over the WAN, it is recommended to set up a caching proxy per remotelocation to cache the package content. Deploy “Lumension Caching Proxy 2.7 for Windows” to a target machine in the remote location Create Agent Policy and set FastPath Servers – Both Interval and Define Servers Manage Agent Policy Sets Select Create and Save when completed Apply Agent Policy to your custom group Manage Groups Right-click on the group Select Policies Select Add Select Agent Policy andclick Save Note: Policy will not set until the next check-in to L.E.M.S.S. For more information on setting up a caching proxy please review the following resources: Best Practices Fast Path: KB article 523 Distribution Point (PDP) Does not Cache Large Deployment: KB article 23111
Lumension Guide to Patch Management Best Practices5. Identify Test GroupsBuild a representative sample set of each type of machine based on steps 2 (Agent Maintenance) and 3(Classify Value and Risk), in readiness for patch testing step 15 (Staged Testing). Make sure your test groupincludes a representative sample of platforms under management and includes a representative sample ofapplications in the environment, especially machines that have custom, in-house developed applications.As a best practice, at least one machine from each major group in the organization should be included in atest group.Practical Steps:»» Once test groups have been identified, create custom groups forthose test groups. On the Manage Groups page, click on Custom Groups. Navigate to View in the upper right corner and select GroupMembership to create a custom group.12
Lumension Guide to Patch Management Best Practices Navigate to View in the upper right corner and select Endpoint Membership, then click on Manage,select the desired endpoints and click Assign to assign these endpoints to that group.13
Lumension Guide to Patch Management Best Practices6. Staff TrainingTrain applicable staff on vulnerability monitoring and remediation techniques. At a minimum, administratorsresponsible for deploying Patch updates need to be trained in the Patch and Remediation application. As abest practice, there should be an internal resource for all employees to learn more about why it is importantto keep machines in the organization fully patched.Practical Steps:»» Use Lumension Learning resources to help build your internal staff training.Continued »14
Lumension Guide to Patch Management Best PracticesBefore Patch TuesdayThis section is about preparing the environment for the monthly patch deployment, including industry research on what is expected to be released by Microsoft and other application vendors and assess the impactof those planned releases to your managed machines.7. Schedule ResourcesAllocate IT resources for Patch Tuesday while also integrating additional patch release schedules from thirdparty software, such as Adobe, Apple (ad hoc), Java and so forth. In addition, review the patching needs ofany internally-developed applications and/or custom patches and consider deploying these patches as partof the monthly patch cycle.8. Reserve Down-Time for ServersReserve time slots to be able to deploy patch updates to any mission critical servers within 72 hours of thePatch Tuesday release.9. Watch for Pre-AnnouncementsMonitor security sites for pre-announcements of patches and discussion of vulnerabilities and possiblezero-day exploits that they may address from sources such as Lumension Endpoint Intelligence Center(LEIC), Microsoft Security Response Center (MSRC), SANS Internet Storm Center, National VulnerabilityDatabase (NVD), etc.Practical Steps:»» In addition to reviewing vendor sites, we recommend setting up email notifications within L.E.M.S.S. toreceive an email when new vulnerabilities have been replicated to L.E.M.S.S.15
Lumension Guide to Patch Management Best Practices10. Confirm Reporting Up-to-DateReview last deployment reports via Lumension Reporting Services (LRS) and make sure all computersare being regularly scanned. Validate the L.E.M.S.S. application server is actively communicating with theglobal subscription service (GSS).Practical Steps:»» To confirm recent deployments and ongoing scanning in LRS: Run the operational report “Deployment Detail” Select the group(s) that you are monitoring Review success/failure results (Patched and Complete %)»» To confirm communication with GSS in L.E.M.S.S.:16
Lumension Guide to Patch Management Best Practices Go to the Tools Subscription Updates page. Confirm that the “Successful” column shows “true”, indicating successful replication. If “false” is shown in any of the rows, troubleshoot to ensure replication.11. Deploy missing updates and prerequisitesDetermine if your software is fully updated or if there are any missing Service Packs, hotfixes or rollupsfrom prior months that are still outstanding. Remember that some patches won’t install if you have missing prerequisites. Check that each machine in the defined group has received the latest Service Packor update needed.Practical Steps:»» To verify if your software is fullyupdated: In L.E.M.S.S., go to the Review Software Service Packs(Software Installers / Updates)page and investigate anymissing service packs, hotfixesor rollups from prior months that17
Lumension Guide to Patch Management Best Practicesare still outstanding.»» Deploy missing updates: Deploy any missing updates directly from the page above by selecting the missing patches andclicking on Deploy.18
Lumension Guide to Patch Management Best PracticesOn Patch TuesdayThis section outlines the steps to prioritize the Security Patches released by Microsoft and other applicationvendors and to deploy those patches out to the machines managed in your environment.12. Study Vendor Information and Patch Tuesday Security BriefingsMicrosoft and other vendors provide webinars, email alerts and comprehensive online information on all new PatchTuesday updates.Lumension offers a monthly Patch Tuesday Security Briefing as well as other patching guidance on theLumension Optimal Security Blog, the Lumension Patch Tuesday Alerts webpage and in the Patch Tuesdaynewsletter.Important information to consider when understanding the impact of Patch Tuesday on your environment includes:»» What is the bulletin severity rating?»» Is the vulnerability known / publicly disclosed at the time of release?»» Does the vendor know of any active exploits at the time of release?»» How easily can the vulnerability be exploited once the bulletin is been released?13. Prioritize Potential PatchesWith the vendor information gathered in step 12 (Study Vendor Information and Patch Tuesday Security Briefings), use patch impact (Critical, Important, etc.), asset risk and value to prioritize your systems for patch testingand deployment. Understand the applicability and impact of deploying these patches to your environment, especially critical machines. When making this assessment, consider:1. Threat Level;2. Known Active Exploits in the Wild;3. Risk of Compromise;4. Consequences of Compromise.19
Lumension Guide to Patch Management Best PracticesPractical Steps:» » To review the released Patch Tuesday patches and their applicability in your endpointenvironment, we recommend you use LRS and run the report “ Patch Release by Vendor ” The report provides a high-level overview of the applicability of the released bulletins to yourmanaged endpoints and groups. It reflects the severity of and expected workload for that month’sPatch Tuesday release and the organization’s patch status. When choosing your parameters, we recommend selecting all the criticalities and the first day of themonth. The report will then display the number of vulnerability patches and content released by eachvendor in the top section and the vulnerability patches and content applicable to your environment inthe “Applicable” section directly below.14. Change ControlFollow any internal planning and approval processes for agreeing on patch deployment. This may includefollowing different processes for the server side than for the desktop side. Some organizations will have different change control processes for desktop machines than for server machines due to high uptime requirements for servers or to limit reboot interruptions for desktop users.20
Lumension Guide to Patch Management Best Practices15. Staged TestingTesting each patch is vital; automated deployment is very risky and not advised. Be certain to test the patchin each environment of your previously defined groups and deploy the patches in phases. In addition, before remediation, and especially if there is a lack of time or resources to perform a test on the patch beforedeploying it on a production system, there is great benefit in joining patch user forums and learning whatexperiences others have had in installing or using the patch.Practical Steps:»» Deploy applicable bulletins to test groups configured in step 5 (Identify Test Groups) above.»» Ensure successful deployment before rollout to additional groups in the environment.»» Pay special attention to impact to custom-developed, internal applications, especially when deployingJava updates.21
Lumension Guide to Patch Management Best Practices16. Installation of the PatchesStage deployments by system groups and prioritization. Start with smaller, low-risk groups, and validate thatno problems occur, and then work your way to larger and higher-risk areas of the network. As a best practice, and especially if your servers have a limited maintenance window, it is recommended to cache all thepatch content before deployment. If deployments are scheduled off-hours, take advantage of Wake-on-LANsettings to wake up any powered-down endpoints and ensure that they receive the content.Practical Steps:»» In L.E.M.S.S., go to the Review Vulnerabilities New Vulnerabilities page,select content applicable to your environmentand cache the packages associated withthose binaries by selecting the bulletins andclicking on the “ Update Cache” button.22
Lumension Guide to Patch Management Best Practices»» Go to the Manage Groups page under the Vulnerabilities viewand filter for new critical bulletins. Deploy bulletins that areapplicable to that target group.»» After successful deployment, move on to other groups in yourpatching plan.23
Lumension Guide to Patch Management Best PracticesAfter Patch TuesdayThis section is about assessing the success of the Patch and Remediation deployments in your environment.17. Deployment HistoryMaintain accurate records of all patches deployed. Validate that any necessary reboot(s) occurred and/orthat your endpoints don’t require a reboot.Practical Steps:»» To confirm recent deployments in LRS: Run the operational report “Deployment Detail” Select the group(s) that you are monitoring Review success/failure results (Patched and Complete %)24
Lumension Guide to Patch Management Best Practices18. Calculate Time to DeployMeasure how long it takes to get all servers, desktops and laptops fully patched in your organization. This isa great metric to measure against. Remain vigilant for laptops and VPN-connected systems that may connect days (or weeks) after the initial deployment.Fully patched and time to deploy success metrics may be defined differently for different organizations depending on the mobility of the machines being managed, how often the machines are online, or the type ofmachines under management, such as desktop or server.Practical Steps:»» To strategize and organize patch deployments to the
Lumension Guide to Patch Management Best Practices 3 Introduction Patch and vulnerability management is a core component of your risk mitigation strategy. It is the first and last line of defense against existing and new exploits – laying the foundation from which your AV and other security technologies work.
