
Microsoft Security & Patch Management Solutions And Strategy

Microsoft Corporation

Situation

Process, Guidance, Tools Critical


Exploit Timeline

1. Product ships
2. Vulnerability discovered
3. Component modified
4. Patch released
5. Patch deployed at customer site

Most attacks occur in the gap between step 4 (patch released) and step 5 (patch deployed at customer site). Why does this gap exist?


Days from patch to exploit:

  Nimda            331
  SQL Slammer      180
  Welchia/Nachi    151
  Blaster           25


- The average is now days for a patch to be reverse-engineered
- As this cycle keeps getting shorter, patching is a less effective defense in large organizations; automation for testing and deployment is needed

Microsoft Security Response Process (Security Team and Product Team)

1. Vulnerability report received via Secure@microsoft.com, Microsoft Technical Support, mailing lists (NTBugTraq, BugTraq, etc.) or web form
2. Issue reproduced
3. Triaged for criticality: Critical, Important, Moderate, Low, or None
4. Patch developed: developer testing; verify the issue is fixed
5. Patch tested: sustained engineering testing; testing by customers
6. Documentation developed: Security Bulletin, Knowledge Base article, Premier Customer Alert
7. Field guidance developed
8. Patch released and notification sent via www.microsoft.com/security, the notification service, and mailing lists
9. Development practices updated

Patches are released on the second Tuesday of each month. Associated with each patch release:
- Security bulletin
- Updated MSSecure.xml file for MBSA
- Patch (including localized versions) on Windows Update and Download Center
- Update catalog for SUS

Improved Patching Experience

Microsoft Patch Policies
- Non-emergency security patches are released on a monthly schedule, the second Tuesday of every month (if there are any to release; sometimes there are none, as was the case for March 2005)
- Security Notification Service sends an alert 3 business days ahead of time
- New alert mechanisms such as RSS feed, IM, or the MSRC Blog
- Security bulletins are now very comprehensive and detailed; language is clear and concise
- Patches for emergency issues will still be released immediately

Enhancements to the Advanced Notification Program
- Program introduced in November 2004 to assist with preparation and resource planning
- Expanded to include the following information each month:
  - Strains of malicious software that will be cleaned by the Malicious Software Removal Tool
  - Information about the detection tool applicable to the upcoming security updates
  - Any non-security, high-priority updates on Windows Update that will be released on the same day as security updates
- More information: www.microsoft.com/technet/security/bulletin/advance.mspx

New Resources This Month (April)

MSN Security Alerts
- A new security category added to the MSN Alerts Service: security bulletin release notifications; security incident updates
- MSN Messenger users can receive a popup whenever new information is available
- For more information: www.microsoft.com/security/bulletins/alerts.mspx

RSS feed for consumer-level security bulletins
- By using an RSS reader, customers can now be proactively notified when new bulletins are available
- More information: www.microsoft.com/updates

MSRC Blog on TechNet
- First introduced during the RSA Conference in February 2005
- Received positive customer response
- Moved to a more permanent home on TechNet: http://blogs.technet.com/msrc

Microsoft Security360, April 2005

Topic: E-mail Security, It's More Than Filtering
- E-mail security is not just about preventing unsolicited messages; it is also about protecting the digital information assets you send through e-mail
- Discussion covering the whole spectrum of e-mail security, including filtering technologies, e-mail policies and enforcement, and partner solutions
- A checklist of recommendations and resources
- Register to review the April 19 session: www.microsoft.com/security360

Resources
- Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/ms05-Apr.mspx
- Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
- May Security Bulletins Webcast: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032273403&Culture=en-US
- Windows XP Service Pack 2: www.microsoft.com/technet/winxpsp2
- Windows Server 2003 Service Pack 1: www.microsoft.com/windowsserver2003/default.mspx
- Security Newsletter: www.microsoft.com/technet/security/secnews/default.mspx
- On-demand Supplement Webcast on Detection & Deployment: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?Ev=1032268810&Culture=en-US

Solutions for Management

Patch Management Guidance: People, Process & Tools
- Guidance consists of:
  - End-to-end process for patching (built on MOF)
  - Description of how the tools (SMS 2003 & SUS) automate the process
  - Guidance on roles and responsibilities
- Provides best-practices guidance for patch management
- Scales from small organizations up to an enterprise organization
- Built upon a Management Architecture; the MSM offering may be downloaded from http://www.microsoft.com/technet/itsolutions/msm
- The Patch Management Guidance can be found at http://www.microsoft.com/technet/security/topics/patchmanagement.mspx

Patch Management Process

1. Assess Environment to be Patched
   Periodic tasks: A. Create/maintain baseline of systems; B. Assess patch management architecture (is it fit for purpose); C. Review infrastructure/configuration
   Ongoing tasks: A. Discover assets; B. Inventory clients

2. Identify New Patches
   Tasks: A. Identify new patches; B. Determine patch relevance (includes threat assessment); C. Verify patch authenticity & integrity (no virus; installs on an isolated system)

3. Evaluate & Plan Patch Deployment
   Tasks: A. Obtain approval to deploy patch; B. Perform risk assessment; C. Plan patch release process; D. Complete patch acceptance testing

4. Deploy the Patch
   Tasks: A. Distribute and install patch; B. Report on progress; C. Handle exceptions; D. Review deployment

The four steps form a continuous cycle: Assess, Identify, Evaluate & Plan, Deploy, and back to Assess.

Microsoft Severity Ratings

  Rating      Definition
  Critical    Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action
  Important   Exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources
  Moderate    Serious vulnerability, but exploitability mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation
  Low         Exploitation is extremely difficult, or impact is minimal

Patching Timeframes

  Severity Rating   Recommended Patching Timeframe
  Critical          Within 24 hours
  Important         Within 1 month
  Moderate          Depending on expected availability, wait for the next service pack or patch rollup that includes the patch, or deploy the patch within 4 months
  Low               Depending on expected availability, wait for the next service pack or patch rollup that includes the patch, or deploy the patch within 1 year

Factors Impacting Release Timeframes

  Factor                                                        Potential Impact
  High value or high exposure assets impacted                   Decrease timeframe
  Assets historically attacked are impacted                     Decrease timeframe
  Mitigating factors in place or will be quickly put in place   Increase timeframe
  Low risk of exposure for impacted assets                      Increase timeframe
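The severity ratings, recommended timeframes and adjustment factors above are what an organization actually combines when it decides how fast a given patch must reach a given system. The following Python is an added example written for this page; it is not Microsoft's code or guidance. The ratings and base timeframes are the slides' values; the size of each factor's effect (one severity tier per factor), the AssetProfile type and the sample assets are assumptions made here for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Recommended patching timeframe per Microsoft severity rating, in days, as
# given on the slides. For Moderate and Low the slide also allows waiting for
# the next service pack or rollup; the day count is the outer bound it states.
BASE_TIMEFRAME_DAYS = {
    "Critical": 1,     # within 24 hours
    "Important": 30,   # within 1 month
    "Moderate": 120,   # within 4 months
    "Low": 365,        # within 1 year
}
# Strictest to loosest; used to move a rating up or down one tier.
SEVERITY_ORDER = ["Critical", "Important", "Moderate", "Low"]


@dataclass(frozen=True)
class AssetProfile:
    """The four factors from the 'Factors Impacting Release Timeframes' table."""
    name: str
    high_value_or_exposed: bool = False   # decrease timeframe
    historically_attacked: bool = False   # decrease timeframe
    mitigations_in_place: bool = False    # increase timeframe
    low_exposure_risk: bool = False       # increase timeframe


def effective_rating(rating: str, asset: AssetProfile) -> str:
    """Apply the factor table to a bulletin rating.

    Assumption (the slides give only the direction of each factor): every
    'decrease' factor moves the rating one tier stricter and every 'increase'
    factor one tier looser, clamped to the Critical..Low range.
    """
    if rating not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity rating: {rating!r}")
    idx = SEVERITY_ORDER.index(rating)
    idx -= int(asset.high_value_or_exposed) + int(asset.historically_attacked)
    idx += int(asset.mitigations_in_place) + int(asset.low_exposure_risk)
    idx = max(0, min(len(SEVERITY_ORDER) - 1, idx))
    return SEVERITY_ORDER[idx]


def patch_deadline(rating: str, asset: AssetProfile, released: date) -> tuple[str, date]:
    """Return (effective rating, date by which the patch should be deployed)."""
    tier = effective_rating(rating, asset)
    return tier, released + timedelta(days=BASE_TIMEFRAME_DAYS[tier])


def deployment_order(rating: str, assets, released: date) -> list[tuple[str, str, date]]:
    """Order assets for one bulletin, earliest deadline first (ties broken by name)."""
    rows = [(a.name, *patch_deadline(rating, a, released)) for a in assets]
    return sorted(rows, key=lambda r: (r[2], r[0]))


# Constructed sample: a bulletin rated Important, released on a second Tuesday.
SAMPLE_RELEASE = date(2005, 4, 12)
SAMPLE_ASSETS = [
    AssetProfile("dmz-web01", high_value_or_exposed=True),
    AssetProfile("hr-fileserver", historically_attacked=True, mitigations_in_place=True),
    AssetProfile("lab-desktop", low_exposure_risk=True),
]

if __name__ == "__main__":
    for name, tier, due in deployment_order("Important", SAMPLE_ASSETS, SAMPLE_RELEASE):
        print(f"{name:14} {tier:10} deploy by {due.isoformat()}")
```

Run as a script, it prints the three sample assets in deadline order: the exposed web server is pulled up to the 24-hour Critical window, the file server's attack history and its mitigations cancel out and leave it at one month, and the low-exposure lab desktop is relaxed to the Moderate window. The point of keeping the factor logic in one function is that the organization's own calibration (how much each factor is worth) lives in exactly one place and can be reviewed by change management.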

Patch Management Process

Step 1: Assess
- Are there any threats or vulnerabilities in the environment?
- Has anything changed in production?
  - New operating systems and applications
  - Changes to network or management infrastructure
- Accurate and up-to-date inventory information is essential to the process
- Is the management infrastructure able to support patch management?

Step 2: Identify
- How can you be notified about new patches?
- Is the patch relevant to the organization?
- Which systems need to be patched?
- Do all systems need to be patched with the same level of priority?
- Which systems are most vulnerable?
- Has the patch been downloaded and checked to be virus free?
- Does the patch install successfully on a trial system?
- Has a change request (RFC) been submitted for this patch?
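The questions in Step 2 answer themselves once the inventory from Step 1 is matched against the bulletin's affected-product list, and the downloaded package is checked before anyone installs it on a trial system. The following Python is an added example written for this page, not Microsoft's code: the inventory records, the bulletin record (its ID is a placeholder, not a real bulletin number), the role-based priority order and the sample package bytes are all constructed here. It covers only the integrity half of "verify patch authenticity & integrity"; authenticity (the vendor's signature on the package) is checked with the platform's own signature tools and is not reproduced in a stand-alone script.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryRecord:
    hostname: str
    product: str   # OS or application plus service-pack level, as the inventory records it
    role: str      # "server", "desktop" or "mobile"


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    severity: str
    affected_products: frozenset


# Constructed inventory, the output of Step 1 (Assess).
INVENTORY = [
    InventoryRecord("srv-db01", "Windows Server 2003", "server"),
    InventoryRecord("srv-file01", "Windows 2000 SP4", "server"),
    InventoryRecord("wks-0042", "Windows XP SP1", "desktop"),
    InventoryRecord("wks-0043", "Windows XP SP2", "desktop"),
    InventoryRecord("lap-0007", "Windows XP SP1", "mobile"),
]

# Constructed bulletin record; the ID is a placeholder, not a real Microsoft bulletin.
BULLETIN = Bulletin(
    bulletin_id="MS05-XXX-EXAMPLE",
    severity="Critical",
    affected_products=frozenset({"Windows XP SP1", "Windows 2000 SP4"}),
)


def affected_hosts(inventory, bulletin):
    """Which systems need this patch: those whose inventoried product the bulletin lists."""
    return sorted(r.hostname for r in inventory if r.product in bulletin.affected_products)


def is_relevant(inventory, bulletin):
    """Is the patch relevant to the organization at all?"""
    return bool(affected_hosts(inventory, bulletin))


def prioritised_hosts(inventory, bulletin):
    """Not every system gets the same priority. Assumed order for this example:
    servers first, then mobile clients (hardest to reach later), then desktops."""
    rank = {"server": 0, "mobile": 1, "desktop": 2}
    hits = [r for r in inventory if r.product in bulletin.affected_products]
    return [r.hostname for r in sorted(hits, key=lambda r: (rank.get(r.role, 9), r.hostname))]


def integrity_ok(downloaded: bytes, published_sha256_hex: str) -> bool:
    """Compare the digest of the downloaded package with the value obtained
    out of band (the vendor's page, not the download itself)."""
    actual = hashlib.sha256(downloaded).hexdigest()
    return hmac.compare_digest(actual, published_sha256_hex.lower())


# Constructed stand-in for a downloaded package and its published digest.
SAMPLE_PACKAGE = b"constructed sample package bytes, not a real update"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()


def draft_rfc(inventory, bulletin, downloaded, published_sha256_hex):
    """Fields for the change request (RFC) that closes Step 2. A package that
    fails the integrity check never reaches the trial system."""
    if not integrity_ok(downloaded, published_sha256_hex):
        raise ValueError("downloaded package does not match the published digest; do not proceed")
    hosts = prioritised_hosts(inventory, bulletin)
    return {
        "bulletin": bulletin.bulletin_id,
        "severity": bulletin.severity,
        "systems": hosts,
        "system_count": len(hosts),
        "trial_install_required": True,
    }


if __name__ == "__main__":
    print(draft_rfc(INVENTORY, BULLETIN, SAMPLE_PACKAGE, PUBLISHED_SHA256))
```

The inventory match is deliberately exact on the product string: a bulletin that affects "Windows XP SP1" says nothing about SP2 hosts, so wks-0043 is correctly left out, which is only possible when the inventory records service-pack level and not just the OS name.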

Step 3: Evaluate and Plan
- Need to test the patch before deployment
  - Important to ensure that business-critical functions still work
  - Amount of testing will depend on risk
- Use the change management process to ensure all parties agree with the need to deploy
  - If critical, use an expedited process!
- Consider how & when to install the patch
  - Installation process may differ for server and desktop devices
  - Need to consider outage windows and business continuity
  - Need to consider how to patch mobile clients and clients connecting across slow or unreliable networks
  - Can the patch be combined with other changes to minimize downtime?

Step 4: Deploy
- Production environment needs to be prepared for new patches
  - Administrators/users will need to be informed of possible downtime
  - Possible training to assist the support desk
  - Distribution points checked to confirm presence of the patch and associated binaries
- Monitor patch distribution
  - Check progress and deal with exceptions
- Releasing patches to mobile clients and over slow connections
  - Size of patch may be a significant issue
  - Options include forcing mobile clients into the office or distributing across the network
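"Report on progress" and "handle exceptions" in Step 4 come down to reconciling what the distribution tool reports against the list of systems the RFC targeted, and noticing the hosts that say nothing at all. The following Python is an added example for this page and not Microsoft's code: the line format (timestamp, host, status, optional key=value fields), the status vocabulary, the target list and the status lines are all constructed here and do not represent a real SMS or SUS report format. It separates installed, in-progress, failed and silent hosts, computes compliance against the target list, and flags clients whose download stalled on a slow link as candidates for the in-office alternative the slide mentions.

```python
# Constructed status lines in a format assumed for this example
# (timestamp host status [key=value ...]); not a real SMS/SUS log format.
STATUS_REPORT = """\
2005-04-12T20:01:05Z srv-file01 success
2005-04-12T20:02:40Z srv-db01 failed exit_code=1603
2005-04-12T20:03:11Z wks-0042 success
2005-04-12T20:03:59Z wks-0043 pending_reboot
2005-04-12T20:07:30Z lap-0007 download_failed bytes=2100000/14000000
2005-04-12T20:08:00Z lap-0007 download_failed bytes=2100000/14000000
"""

# Hosts targeted by this deployment (from the RFC). lap-0009 never reports back.
TARGETS = ["srv-file01", "srv-db01", "wks-0042", "wks-0043", "lap-0007", "lap-0009"]

INSTALLED = {"success"}
IN_PROGRESS = {"pending_reboot", "downloading"}


def parse_status(text):
    """Return {host: latest record}; the last line for a host wins."""
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, status, *extras = line.split()
        details = dict(kv.split("=", 1) for kv in extras if "=" in kv)
        latest[host] = {"ts": ts, "status": status, **details}
    return latest


def summarise(targets, report_text):
    """Progress report for one deployment: who is done, who is still going,
    who failed (and why), who never reported, and the resulting compliance."""
    latest = parse_status(report_text)
    installed, in_progress, no_report, exceptions = [], [], [], {}
    for host in targets:
        rec = latest.get(host)
        if rec is None:
            no_report.append(host)          # silent host: offline, mobile, or agent broken
            continue
        status = rec["status"]
        if status in INSTALLED:
            installed.append(host)
        elif status in IN_PROGRESS:
            in_progress.append(host)
        else:                               # anything else is an exception to work
            extras = [f"{k}={v}" for k, v in rec.items() if k not in ("ts", "status")]
            exceptions[host] = status + (f" ({', '.join(extras)})" if extras else "")
    compliance = round(100.0 * len(installed) / len(targets), 1) if targets else 0.0
    return {
        "installed": installed,
        "in_progress": in_progress,
        "exceptions": exceptions,
        "no_report": no_report,
        "compliance_pct": compliance,
    }


def slow_link_candidates(report_text, threshold=0.25):
    """Hosts whose download stalled below `threshold` of the package size:
    candidates for bringing the client into the office instead of retrying."""
    out = []
    for host, rec in parse_status(report_text).items():
        if rec["status"] == "download_failed" and "bytes" in rec:
            got, total = (int(x) for x in rec["bytes"].split("/"))
            if total and got / total < threshold:
                out.append(host)
    return sorted(out)


if __name__ == "__main__":
    summary = summarise(TARGETS, STATUS_REPORT)
    for key, value in summary.items():
        print(f"{key:15} {value}")
    print("slow-link candidates:", slow_link_candidates(STATUS_REPORT))
```

Compliance is measured against the target list, not against the hosts that reported, so a client that never checks in lowers the number instead of disappearing from it; that is the difference between "reviewing the deployment" and reading the tool's success counter.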

Roles and Responsibilities
- Perform daily, weekly, monthly, and as-needed tasks
  - Audit server production environment (daily)
  - Check for new information sources (monthly)
  - Review new patch notifications (as needed)
- People need to have defined roles and responsibilities

Points about Patching

For successful patch management in a distributed IT environment, consider:
- How to stay aware of new patches and fixes
- Whether it is necessary to apply a particular patch
- The system-wide impact of installing a patch
- What specifically a patch will change
- Whether a patch can be removed once installed
- Dependencies between components in the production environment and the impact of applying a patch to one of those components
- How to evaluate the success of a patch installation
- The possible scenarios for restoring a patched environment

Solution Components
- Analysis Tools: Microsoft Baseline Security Analyzer (MBSA); Office Inventory Tool
- Online Update Services: Windows Update; Office Update
- Content Repositories: Windows Update Catalog; Office Download Catalog; Microsoft Download Center
- Management Tools: Automatic Updates (AU) feature in Windows; Software Update Services (SUS); Systems Management Server (SMS)
- Prescriptive Guidance: Microsoft Guide to Security Patch Management; Patch Management Using SUS; Patch Management Using SMS

Content Repository Comparison

Supported Software
- Windows Update*: Windows operating systems and their components only
- Office Update: Microsoft Office and its components only
- MS Download Center: All Microsoft products

Supported Content Types
- Windows Update*: Security patches, critical updates, SPs and driver updates
- Office Update: Security patches, security rollups, critical updates, and SPs
- MS Download Center: All types of content

Scans for Updates
- Windows Update*: Yes. User initiated: automatically detects, downloads, & installs updates via the online service. Automatic Updates initiated: automatically detects & downloads updates
- Office Update: Yes. User initiated: automatically detects, downloads, & installs updates via the online service
- MS Download Center: No

Usage Options
- Windows Update*: Manual content search & download (from Windows Update Catalog)
- Office Update: Manual content search & download (from Office Download Catalog)
- MS Download Center: Manual content search & download only

Choosing A Patch Management Solution

Supported Platforms for Content
- Windows Update: NT 4.0, Win2K, WS2003, WinXP, WinME, Win98
- SUS 1.0: Win2K, WS2003, WinXP
- SMS 2003: NT 4.0, Win2K, WS2003, WinXP, Win98

Supported Content Types
- Windows Update: All patches, updates (including drivers), & service packs (SPs) for the above
- SUS 1.0: Only security & security rollup patches, critical updates, & SPs for the above
- SMS 2003: All patches, SPs & updates for the above; supports patch, update, & app installs for MS & other apps

Core Patch Management Capabilities (Granularity of Control)
- Targeting Content to Systems: Windows Update No; SUS 1.0 No; SMS 2003 Yes
- Network Bandwidth Optimization: Windows Update No; SUS 1.0 Yes (for patch deployment); SMS 2003 Yes (for patch deployment & server sync)
- Patch Distribution Control: Windows Update No; SUS 1.0 Basic; SMS 2003 Advanced
- Patch Installation & Scheduling Flexibility: Windows Update Manual, end user controlled; SUS 1.0 Admin (auto) or user (manual); SMS 2003 Administrator control with granular scheduling capabilities
- Patch Installation Status Reporting: Windows Update Assessing computer history only; SUS 1.0 Limited (client install history & server-based install logs); SMS 2003 Comprehensive (install status, result, and compliance details)

Additional Software Distribution Capabilities
- Deployment Planning: Windows Update N/A; SUS 1.0 N/A; SMS 2003 Yes
- Inventory Management: Windows Update N/A; SUS 1.0 N/A; SMS 2003 Yes
- Compliance Checking: Windows Update N/A; SUS 1.0 N/A; SMS 2003 Yes

MBSA Update Scanning Functionality

Overall direction
- MBSA update scanning functionality integrated into Windows patch management functionality
- MBSA becomes the Windows vulnerability assessment & mitigation engine

Near- and intermediate-term plans
- MBSA 1.2.1 (Q1 2004): Windows XP SP2 support; improves report consistency, product coverage, and locale support; integrates the Office Update Inventory Tool
- MBSA 2.0 (Q2 2005): update scanning functionality migrates to Microsoft Update Services / Microsoft Update; MBSA leverages MSUS 2.0 for update scanning; beta program now open for participation

Adopt a Patch Management Solution

At Microsoft, our #1 concern is the security and availability of your IT environment. If none of the Microsoft patch management solutions meet your needs, consider implementing a solution from another vendor. Below is a partial list of available products*:

  Company Name                  Product Name                              Company URL
  Altiris, Inc.                 Altiris Patch Management                  http://www.altiris.com
  BigFix, Inc.                  BigFix Patch Manager                      http://www.bigfix.com
  Configuresoft, Inc.           Security Update Manager                   http://www.configuresoft.com
  Ecora, Inc.                   Ecora Patch Manager                       http://www.ecora.com
  GFI Software, Ltd.            GFI LANguard Network Security Scanner     http://www.gfi.com
  Gravity Storm Software, LLC   Service Pack Manager 2000                 http://www.securitybastion.com
  LANDesk Software, Ltd         LANDesk Patch Manager                     http://www.landesk.com
  Novadigm, Inc.                Radia Patch Manager                       http://www.novadigm.com
  PatchLink Corp.               PatchLink Update                          http://www.patchlink.com
  Shavlik Technologies          HFNetChk Pro                              http://www.shavlik.com
  St. Bernard Software          UpdateExpert                              http://www.stbernard.com

*Microsoft does not endorse or recommend a specific patch management product or company. Note: Enterprise Systems Management products such as IBM Tivoli, CA Unicenter, BMC Patrol, and HP OpenView may also provide patch management functionality.

Summary
- Addressing the patch management issue is a top priority
- Taking a comprehensive, tactical & strategic approach
- Made progress, but much more work to be done
- Microsoft focused on:
  - Reducing the number of vulnerabilities & associated patches
  - Improving customer preparedness, training & communication
  - Simplifying & standardizing the patching experience
  - Improving patch quality
  - Unifying and strengthening patch management offerings

Key Recommendations:
- Implement a good patch management process; it's the key to success
- Adopt a patch management solution that best fits your needs

Resources

Microsoft Security Response Center
- To report a suspected vulnerability, send e-mail to Secure@Microsoft.Com

Microsoft Virus Safety Line
- Outside the U.S.: contact the local Microsoft PSS support center
- In the U.S.: 1-866-PC-SAFETY
- Premier Support: 1-800-936-3100

Warning: Microsoft never distributes software via e-mail; please see http://www.microsoft.com/technet/security/policy/swdist.asp

The Ten Immutable Laws of Security Patch Management

- Law #1: Security Patches are a Fact of Life.
- Law #2: It Does No Good to Patch a System That Was Never Secure to Begin With.
- Law #3: There is No Patch for Bad Judgment.
- Law #4: You Can't Patch What You Don't Know You Have.
- Law #5: The Most Effective Patch is The One You Don't Have to Apply.
- Law #6: A Service Pack Covers a Multitude of Patches.
- Law #7: All Patches Are Not Created Equal.
- Law #8: Never Base Your Patching Decision on Whether You've Seen Exploit Code Unless You've Seen Exploit Code.
- Law #9: Everyone Has a Patch Strategy, Whether They Know It or Not.
- Law #10: Patch Management is Really Risk Management.
