Three simple steps to better patch security

By John Metzger, Senior Product Marketing Manager, and Sean Newman, Senior Product Manager

It’s estimated that 90% of successful attacks against software vulnerabilities could be prevented with an existing patch or configuration setting. Yet patching is a persistent challenge for IT managers. With the glut of patches released each year, how do you know which ones are truly critical security patches and which ones aren’t? And how can you identify which computers are actually missing the patches they need? This paper details a simple approach to patching that gives you better visibility into and control over patch assessment and compliance.
It’s estimated that 90% of successful attacks against software vulnerabilities could be prevented with an existing patch or configuration setting.[1] Despite this fact, many computers do not have the latest security patches installed. This puts organizations at serious risk from a variety of malware threats. Why are patches so often ignored? Because they are painfully time-consuming to track and administer. You must identify which patches are truly needed to fix software vulnerabilities and which ones merely fix bugs and deliver new features. To complicate matters, there is no easy way to see which computers actually have critical patches installed correctly and which ones don’t. Without this visibility, IT managers have no simple method to get critical security patches to the computers that need them most. They also have no auditing mechanism to ensure compliance with data regulations.
With nearly 900 new software patches released in 2010 alone[2], patch assessment and auditing tasks can be daunting. Busy IT managers often use seat-of-the-pants guesswork to track the patches they think are most important, or they rely on users to manage their own patches. Or, worse yet, they do nothing.

How IT managers handle patches (source: Sophos):
• 66% use WSUS
• 25% do nothing
• 9% use a dedicated patch management solution
But this approach can lead to disaster. Take the example of the Conficker worm. This widespread and infamous security threat, discovered in 2008, exploits a vulnerability in Microsoft Windows software. Conficker has significantly impacted organizations, infecting 10 million or more computers worldwide. Early estimates placed the economic cost to business at a little more than $9 billion.[3]

[1] Gartner Research: http://blogs.gartner.com/neil_macdonald/2011/01/04/improving-your-2011-security-bang-for-the-buck-patching-depth-and-breadth/
[2] Secunia 2010 Security Report
[3] http://www.zdnet.com/blog/security/confickers-estimated-economic-cost-91-billion/3207

A Sophos Whitepaper October 2011
The Conficker worm timeline[4]:
• October 2008: Microsoft issues a critical security patch to combat threats like Conficker
• November 2008: Conficker worm first discovered
• December 2008: Approximately 1.5 million computers infected by Conficker in 195 countries
• January 2009: Conficker is estimated to lie hidden in 8 million computers worldwide
• September 2011: As many as 10 million computers infected, some of which remain unpatched

[Chart: infected computers (in millions), scale 0 to 10, over the timeline above]

Microsoft made a patch available weeks before Conficker’s discovery. If installed, this patch could have helped prevent the rapid spread of the worm. Yet Conficker is still infecting computers today because some computers remain unpatched. Even now, in 2011, Sophos receives approximately 5,000 visitors to its Conficker removal tool page each month.
Three simple steps:
1. Monitor the latest patches from widely-used commercial software
2. Prioritize patches tied to critical, in-the-wild threats
3. Don’t leave patching up to users—identify which endpoints have the latest patches

It’s clear that a patching solution combined with patch assessment can help give you confidence that your systems and data are secure. This paper highlights:
• The common patch solutions that, on their own, are not enough.
• Three best practices for a simple patch assessment system that can reduce security threats associated with software vulnerabilities with minimum IT effort.

[4] Worm: The First Digital War, Mark Bowden
Common patch solutions and why they aren’t enough

You realize the critical role that patches play in ensuring system security. Still, you may rely on patching tools that do not have the patch auditing capabilities you need. You may be using:
• Windows Software Update Service
• Application update agents
• Application control
• Patching software

While these methods may play a part in delivering patches to computers, they don’t provide effective auditing of patch status or help identify the most critical patches needed to combat specific threats.
Windows Software Update Service

IT managers use the Windows Software Update Service (WSUS) for Windows operating system and Microsoft application patches. WSUS offers a good starting point for patch deployment. But it does not offer patch auditing capabilities, which give you the confidence that your computers are protected against critical software vulnerabilities. Here’s why WSUS is not enough:
• Around 70% of all vulnerabilities today are found in non-Microsoft software.[5] So WSUS can fix less than a third of the software security holes in your environment.
• Microsoft does not provide granular prioritization of patches. It rates nearly all patches as “critical,” regardless of how easy the vulnerability is to exploit or whether malware exists for it. For example, a recent patch to render the correct currency symbol for the Indian rupee was rated as a “critical” update despite its low-level security impact. Without this security prioritization, you must invest significant time and resources to deliver all Microsoft patches—300 of which were released in 2010 alone.[6]
• WSUS doesn’t offer a truly accurate reporting mechanism to confirm which patches have been installed on specific computers. And it doesn’t report on all possible patches. It only reports on those that have been added to policy. Reporting accuracy is also affected by users who stop or reboot during a patch installation.
• WSUS may not detect users with administrator rights who break existing operating system patches when making their own changes.

[5] Secunia Half Year Report 2011
[6] Secunia 2010 Security Report
Application update agents

Many software applications provide automatic update agents that prompt users to download patches on a regular basis. You often receive prompts from companies such as Adobe and Mozilla to download the latest software version. While these agents are helpful, they are difficult to manage from an IT perspective:
• There are unique solutions for each application, making various patches virtually impossible to track.
• There is no way to know when updates are installed.
• Users can disable or block update agents, essentially turning them off without the IT manager’s knowledge.
• Patched versions are not prioritized, so it is easy for users to ignore critical updates—and they often do.
• When users have administrator rights, IT has no visibility into which applications have been installed in the user environment. This leaves the door open to installation of non-approved applications or older, less secure, versions of approved applications.

Application control

Dedicated application-control software can help reduce the risks associated with malware by controlling the use of unwanted applications. Application block lists can prevent users from installing risky applications on computers, while application allow lists let users install only specific applications. But application control should not be viewed as a patch assessment solution. Here’s why:
• Patches still need to be assessed for their security impact and audited separately for all allowable applications. This requires a significant investment of IT time and resources.
• While application control prevents users from accessing certain applications, some vulnerable applications, such as Adobe Reader or Java, are required business tools.
Patch management software

Dedicated patch management tools from third parties provide a range of features for handling patches. They typically target operational patch management and rarely have a security focus. These applications can manage some of the complexities of security patch management, but often fall short in these areas:
• They don’t provide ongoing research of emerging malware threats or rate the importance of various patches to combat these security threats.
• They require additional time, staff and budget to deploy and administer. IT staff often must manage a separate console, server and vendor relationship.

Three steps for better patch assessment and security

There is a better way to create a security-focused patching system that is easy to deploy and use. When choosing a patch assessment solution, you should look for one tool that offers these capabilities in a single integrated solution.

1. Monitor the latest patches from widely-used commercial software

New application and operating system patches are released frequently. You must be able to identify important patches quickly and deploy them immediately. Your patch assessment system should:
• Regularly scan for patches related to widely-used commercial software from companies such as Adobe, Apple, Citrix, Microsoft and Skype, among others. These patches account for the majority of malware threats from application vulnerabilities.
• Integrate patch scans into the endpoint security environment to identify which applications are used on each computer and which patches are missing.
• Report on endpoint patch status from the same management console you use to manage your antivirus, firewall and other security solutions.
2. Prioritize patches tied to critical, in-the-wild threats

A patch assessment solution should prioritize security risks associated with various patches, so you don’t have to spend time making those decisions. You want to focus on the security patches that really matter to your company. Your patch assessment system should:
• Automatically rate patches by importance, for example as critical, high, medium or low. These assessments should be based on real threat intelligence provided by experts who monitor the security landscape 24/7.
• Match patches to specific threats, so you know which critical threats a patch protects against.

3. Don’t leave patching up to users—identify which endpoints have the latest patches

You want to act with confidence when a serious malware threat emerges. In our 24/7 world, this means you must be on call to assess and assist the distribution of high-priority patches. Your patch assessment system should:
• Set a regular and frequent schedule to scan endpoint computers hourly, daily or weekly.
• Offer accurate visibility into missing patches with easy-to-use reports.
• Provide easy rollout of patch assessment policies and reports.
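To make the three steps concrete, here is an added example (not Sophos code and not a description of any product) in which a patch catalog carries threat-intelligence fields and a few functions produce the views the steps call for: a priority per patch derived from in-the-wild threat rather than vendor label (step 2), each endpoint’s missing patches ordered by that priority and an audit of which computers lack which patches (step 3), plus a compliance list of hosts clean at a chosen level. The rating rule, the `exploit_difficulty` and `prevalence` fields, and all patch ids, threat names and host names are constructed assumptions for illustration.

```python
from dataclasses import dataclass

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Patch:
    patch_id: str            # vendor patch identifier (constructed values below)
    threats: tuple           # in-the-wild threats the patch blocks (step 2: match patches to threats)
    exploit_difficulty: str  # "low" | "medium" | "high"; assumed to come from a threat-intel feed
    prevalence: str          # "low" | "medium" | "high"; how widely the threats are being seen

def rate_patch(p: Patch) -> str:
    """Step 2: rate by real threat, not vendor label; a patch with no known threat stays low."""
    if not p.threats:
        return "low"
    if p.exploit_difficulty == "low" and p.prevalence == "high":
        return "critical"
    if p.exploit_difficulty == "low" or p.prevalence == "high":
        return "high"
    return "medium"

def missing_patches(installed: set, catalog: list) -> list:
    """Step 3: the patches one endpoint lacks, most important first."""
    missing = [p for p in catalog if p.patch_id not in installed]
    return sorted(missing, key=lambda p: (PRIORITY_ORDER[rate_patch(p)], p.patch_id))

def audit_report(inventory: dict, catalog: list) -> dict:
    """Audit view: {priority: {patch_id: [hosts missing it]}}."""
    report = {}
    for host, installed in inventory.items():
        for p in missing_patches(installed, catalog):
            report.setdefault(rate_patch(p), {}).setdefault(p.patch_id, []).append(host)
    return report

def compliant_hosts(inventory: dict, catalog: list, level: str = "critical") -> list:
    """Hosts missing no patch rated at or above `level` (the compliance summary)."""
    threshold = PRIORITY_ORDER[level]
    return sorted(h for h, inst in inventory.items()
                  if all(PRIORITY_ORDER[rate_patch(p)] > threshold
                         for p in missing_patches(inst, catalog)))

# Constructed sample data: patch ids, threat names and host names are made up.
CATALOG = [
    Patch("MS-OS-001", ("Worm.A",), "low", "high"),               # easy, widespread -> critical
    Patch("ADOBE-RDR-07", ("Exploit.PDF.B",), "medium", "high"),  # -> high
    Patch("JAVA-RT-12", ("Trojan.C",), "high", "low"),            # -> medium
    Patch("MS-OS-002", (), "high", "low"),                        # no threat (e.g. cosmetic fix) -> low
]
INVENTORY = {"pc-finance-01": {"MS-OS-001", "ADOBE-RDR-07"}, "pc-sales-02": {"MS-OS-002"},
             "pc-hr-03": {"MS-OS-001", "ADOBE-RDR-07", "JAVA-RT-12", "MS-OS-002"}}
```

Note that the vendor-labelled "critical" cosmetic fix (MS-OS-002) sinks to the bottom of every list, while a host missing only it still counts as compliant at the critical level.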
Patch assessment as part of one integrated endpoint security solution

You can follow the three best practices for security-focused patch assessment by using a single, integrated endpoint security tool that includes these capabilities:
• Ongoing threat analysis and patch ratings based on real intelligence from security experts.
• Comprehensive patch assessment and compliance review capabilities at the endpoint.
• Easy integration with your existing, operationally focused patch management tools, such as WSUS.
• Simple administration using a single management console that handles all endpoint security oversight, including reporting for auditing and compliance.
For example, Sophos Endpoint Protection identifies and reports on the patch status of endpoint computers so you can reduce the risk of infection and know your patch status with certainty. With one management console, you can:
• See missing patches by computer.
• See patches by threat and priority.
• Click on a patch or threat to get more detailed information about it.
• Get an audit report that shows which computers are missing patches.

This lets you quickly cut through the clutter of available patches and focus on the security-related patches that really impact your company.
[Screenshot: Sophos Endpoint Protection shows which computers are missing critical security patches.]
Sophos Endpoint Protection also prioritizes patches that are tied to current threats to provide the most up-to-date protection. It continually scans for application and operating system patches at the endpoint. Sophos Endpoint Protection:
• Receives information about the latest malware threats via its integration with SophosLabs, which supplies continuous threat detection and protection information as it becomes available 24/7.
• Prioritizes missing patches through SophosLabs intelligence, which considers the difficulty of the exploit and the prevalence of threats attacking it. So you have the information you need to take action on the most critical security patches.
• Regularly scans all endpoint computers, according to a schedule you set. It identifies needed patches for the most popular and commonly exploited commercial software for easy deployment at the endpoint.

Patch assessment features in Sophos Endpoint Protection are also fast and simple to manage:
• A single management console handles all endpoint security as well as patch reporting and administration. This streamlines your vendor and support channels and eliminates the need for additional deployments or systems.
• Sophos Endpoint Protection is scalable and can meet the needs of small to large organizations whether they have hundreds or thousands of endpoints.

These simple yet powerful management features help companies stay as secure as possible with minimum IT effort.
[Screenshot: A single management console handles all Sophos Endpoint Protection capabilities.]

The simple patch assessment solution

Patching can be difficult, but there is a simple solution. You can assess and track critical security patches using an endpoint security solution, such as Sophos Endpoint Protection. An endpoint security solution can easily identify which computers need critical security patches. It can identify emerging software vulnerabilities based on real threat intelligence to provide ongoing information about the latest security patches. And it offers visibility into and control over the patching process at the endpoint to meet reporting and compliance requirements.

When patch management is delivered as part of an existing endpoint security solution, it can be deployed from a single, familiar management console. You can quickly take action on the patches that matter most to your business. You spend less time on day-to-day patch management and receive better overall protection from malware threats.

See how Sophos Endpoint Protection works: http://www.sophos.com/images/flash/product-demos/endpoint-demo.html
Boston, USA | Oxford, UK © Copyright 2011. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners. A Sophos Whitepaper 10.11v1.dNA