Integrating the Patch Management Process with Infrastructure Management
Enterprise Networks & Servers, Oct 2004 by Neray, Phil
Holistic Patch Management
By now we are all familiar with the major challenges posed by patch management. The story goes something like this: The number of patches released by software vendors is increasing dramatically due to the continuous increase in the number of vulnerabilities uncovered in widely used software programs. Simultaneously, the time between announcement of a known vulnerability and the appearance of a threat targeting that vulnerability is rapidly diminishing, thereby significantly raising the pressure on IT administrators to quickly identify vulnerable systems, test new patches, and rapidly deploy them.
Finally, it doesn't help that worms and viruses, once released by their perverse creators, can now spread from machine to machine at a much faster rate than ever before, leveraging the "always on" connectivity that has dramatically changed both our consumer lifestyles and the way we conduct business globally.
The following facts illustrate the current situation.
* In 2003, Symantec documented 2,636 new vulnerabilities on all platforms - an average of seven per day. As a result, Gartner estimates that IT managers typically spend up to two hours per day managing patches, and that it costs about $300 per server to manually install a single patch.
* In the second half of 2003, Symantec documented more than 1,702 new Win32 viruses and worms, a 250 percent increase over the 687 documented in the second half of 2002.
* During the summer of 2003, the Blaster threat appeared just 27 days after the associated vulnerability was announced - the shortest such time period ever.
* Code Red, released in mid-2001, doubled its infection rate every 37 minutes. Slammer, released in January 2003, doubled every 8.5 seconds, and infected 90 percent of unprotected servers in 10 minutes.
* The recent MyDoom worm infected email systems across the world; at its peak, one out of every 12 e-mails on the Internet carried MyDoom.
And of course, everyone is also now familiar with the impact of not ensuring that all your computers have the latest patches. Just ask a major well-known freight transportation company, which was forced to shut down all its freight trains after an attack from the Blaster worm. Or ask a major airline about the revenue and reputation it lost due to delays and cancellations caused when Blaster shut down its phone-reservation system. Or think about your college-age daughter, who called home in a panic when she couldn't finish a critical term paper in time because her "laptop was acting funny."
Patch Management Tools to the Rescue
Industry experts have quickly coalesced around a series of common product requirements for patch management solutions. Experts agree that, to be effective, patch management solutions must deliver on the promise of ease-of-use while reliably addressing the following core needs.
Patch Assessment: Modern patch management solutions require specialized patch scanning engines to accurately identify the presence or absence of specific patches. Unlike general-purpose asset management scanners found in traditional desktop management solutions, specialized patch scanners require an innate understanding of complex patch issues such as false positives: mistakenly identifying that a patch is present because the registry "says so," when in fact the computer is missing key patch files or, worse yet, the files are actually present with correct file names and version numbers but the wrong content, perhaps even "Trojan" content inserted by the worm writers.
False positives are dangerous because they provide a false sense of security; you assume the machine is protected when in fact it is quite vulnerable. False negatives are almost as bad because they waste time, effort, and bandwidth in testing and deploying patches that aren't really required. False negatives are typically caused by the patch engine lacking specialized knowledge of "supersedence": all the files of an earlier patch are included in a later patch, eliminating the need to deploy the earlier patch.
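The two failure modes above can be made concrete with a small assessment routine. This is an added example, not code from the article or from any product it describes; the patch ids, file names, catalog layout, and the choice of SHA-256 content hashes as the verification method are all assumptions made for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed catalog (hypothetical ids and file names): expected content hash
# of every file a patch installs, plus the earlier patches it supersedes.
CATALOG = {
    "PATCH-001": {"files": {"svc.dll": sha256(b"svc v1.1")}, "supersedes": []},
    "PATCH-002": {"files": {"svc.dll": sha256(b"svc v1.2"),
                            "net.dll": sha256(b"net v2.0")},
                  "supersedes": ["PATCH-001"]},
    "PATCH-003": {"files": {"svc.dll": sha256(b"svc v1.3"),
                            "net.dll": sha256(b"net v2.0")},
                  "supersedes": ["PATCH-002"]},
}

def superseded_by(patch_id, catalog):
    """Ids of all patches that replace patch_id, directly or transitively."""
    found, frontier = set(), {patch_id}
    while frontier:
        frontier = {p for p, meta in catalog.items()
                    if frontier & set(meta["supersedes"])} - found
        found |= frontier
    return found

def files_match(patch_id, host_files, catalog):
    """True only if every file of the patch is present with the expected content."""
    expected = catalog[patch_id]["files"]
    return all(name in host_files and sha256(host_files[name]) == digest
               for name, digest in expected.items())

def assess(patch_id, host, catalog=CATALOG):
    """host = {"registry": set of claimed patch ids, "files": {name: bytes}}."""
    if files_match(patch_id, host["files"], catalog):
        return "installed"
    if any(files_match(newer, host["files"], catalog)
           for newer in superseded_by(patch_id, catalog)):
        return "superseded"      # a later patch covers it: do not redeploy
    if patch_id in host["registry"]:
        return "registry_only"   # registry claims it, files disagree
    return "missing"

# Constructed hosts: one correctly patched, one with a tampered file.
PATCHED = {"registry": {"PATCH-002"},
           "files": {"svc.dll": b"svc v1.2", "net.dll": b"net v2.0"}}
TAMPERED = {"registry": {"PATCH-002"},
            "files": {"svc.dll": b"not the vendor's file", "net.dll": b"net v2.0"}}

if __name__ == "__main__":
    for name, host in (("patched", PATCHED), ("tampered", TAMPERED)):
        print(name, {p: assess(p, host) for p in CATALOG})
```

A scanner that trusted the registry alone would report both hosts as holding PATCH-002; a scanner without supersedence data would queue PATCH-001 for the correctly patched host.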
Knowledge Management: IT administrators need to see detailed information about each patch so they can best make decisions about whether to implement the patch in their environments. For example, they need to know the severity and criticality of the patch, the impact the patch might have (e.g., if it installs specific DLLs known to cause problems in their environments), as well as links to vendor security bulletins and knowledge base articles from third-party sources such as the SecurityFocus database and the Common Vulnerabilities and Exposures Database (CVEID).
Patch Deployment: Once the administrator has chosen specified patches for deployment, the patch management solution must provide a simple, automated, and reliable solution for securely obtaining patches from the vendor (e.g., validated by digital signatures), and deploying these patches to all affected machines in a silent and unattended manner. Additional capabilities include the ability to deploy multiple hotfixes at one time with only one reboot (thereby minimizing impact on server availability and end-user productivity), the ability to roll back or uninstall patches that have been previously deployed (in case of unanticipated problems), and the ability to target groups of machines by a flexible range of criteria (e.g., pre-defined groups based on function such as "all IIS servers," Active Directory organizational unit, IP address range, etc.).



