Cyber Talk
Chris Andrew of PatchLink Discusses How to Prepare for Microsoft’s Patch Tuesday
ITSS: What are the biggest challenges to vulnerability management today?
Andrew: Vulnerability management is a complex process involving multiple departments within an organization, including security teams, IT operations, systems administrators and lines of business units. Coordinating all of these people, who often have disparate goals, can be a difficult task. To make matters worse, IT assets typically grow both organically and by acquisition of new businesses, leading to heterogeneous environments with many different platforms, applications and operating systems to maintain.
When combined with the ever-closing window between security vulnerability discovery and exploits in the wild, most organizations are poorly prepared for the rapid response times that will be needed in 2006. Reaching every single system in the network with a scheduled update is hard enough – clearly, dealing with an emergency patch or workaround for a zero-day exploit will be almost impossible unless a clearly defined process and an automated solution have been implemented correctly.
ITSS: Has Microsoft’s scheduled Patch Tuesday helped or hindered that task?
Andrew: For the most part, our customers appreciate the regularity of Patch Tuesday. It gives them the opportunity to better prepare and execute patch deployment. At the same time, as we have seen with the rise of zero-day threats, once a month may not be frequent enough to update systems: administrators need to prepare a plan for how to handle emergency policy or patch updates.
ITSS: How can organizations better prepare for Patch Tuesday?
Andrew: The best practices for the patch and vulnerability management process are particularly applicable to Patch Tuesday. The first two steps are asset discovery and risk analysis. You can’t secure what you don’t know you have, and clearly there is always a need to prioritize your most critical systems. The third step is often the most difficult – to establish a workflow and common process between groups. By determining ownership, permissions needed and responsibilities for threat identification, testing and remediation across security, IT and business units, the organization can respond as a whole to threats.
Specific to Patch Tuesday, a good way to prepare is to monitor the outcome of prior patch deployments and use those metrics as a basis for continuous improvement. If ten systems failed to receive the updates last month, the administrator should look for the root cause and fix the issue, thus preparing for future patch deployments.
Once automated patches are available for deployment, our customers are always encouraged to study the release notes and testing notes provided with the patch updates – and to test each patch in a representative sample network of systems prior to deployment en masse.
ITSS: What does the recent Windows Meta-File zero-day vulnerability say about the current threat climate and the effectiveness of Patch Tuesday?
Andrew: Zero-day exploits are becoming increasingly prevalent, making out-of-cycle patching an imperative for most organizations. While the WMF vulnerability was the first time that Microsoft broke the Patch Tuesday cycle, given that there was a similar issue in November 2005, it is clear that the industry can expect to see more zero-day security threats in 2006.
Just based on the sheer number of vulnerabilities still open (patches that have not yet been made available), we predict that this year will bring back a few worm attacks as well as some successful exploitation of zero-day issues on Internet-connected PCs. Signature-driven anti-virus will likely prove ineffective against these threats, particularly as the number of variants and points of attack grows over time; patching and good security policies are truly the last line of defense in network security.
However, the problem is not only about patch creation by the vendor. In 2005 the industry average was a full 30 days for IT administrators to fully deploy a new critical security patch. This is clearly a huge window of exposure for companies looking to manage risk on their corporate networks.
ITSS: How can organizations shrink that 30-day window to patch deployment?
Andrew: Automation of patch and vulnerability management is the key. IT administrators need to take a best-practices approach to mitigating risks through the preparation steps discussed earlier, and then rapid testing and deployment of patches where each stakeholder patches their own systems. Clearly, putting too many levels of red tape between the patch and the stakeholder who needs to deploy it can be counter-productive – so streamline and automate as many processes as possible.
We recommend setting a goal of a 48-hour window, which allows ample time for testing each patch in the various environments within the corporation, as well as time to get the patches deployed during an operational patching window.
Frequently, mission-critical servers may only be available for patching once a week, once a month or even less often. Clearly, server administrators need to plan for downtime that can be used in an emergency, as well as for the regular Patch Tuesday cycle.