
Patch Management
Picking the Low-Hanging Fruit
Why fixing third-party application vulnerabilities is at
the core of sound information security—and how to
make sure patch management is optimizing your
security posture.
May 2011
WP-EN-05-18-11
Patch Management: Picking the Low-Hanging Fruit
Overview
“Set it and forget it” might work for rotisserie ovens, your DVR and maybe even data backups. But it’s a bad strategy when it comes to patch management. Trouble is, too many security pros think they can switch on Windows Server Update Services (WSUS) and assume their patch management is taken care of.

If only it were that easy. But the truth is that non-Microsoft apps make up an ever-growing portion of your application landscape. And every one of them can contain vulnerabilities that remain unpatched and therefore can be exploited in a cyber-attack. Consider:
»» 95 percent of organizations have social-networking apps installed.
»» 66 percent of apps have known vulnerabilities.
»» 78 percent of Web 2.0 apps support file transfer.
»» 28 percent of apps propagate malware.1

The problem isn’t that patches aren’t available—though zero-day attacks are clearly a concern. The issue is that in many organizations, the applications haven’t been identified, and the patches haven’t been applied. And that leaves the door wide open to cyber-criminals.

“Unpatched vulnerabilities remain a prime exploit vector. If you look at the malware toolkits available, the vast majority rely on exploits that are more than a year old,” says Paul Henry, security and forensics analyst for Lumension.

Why do hackers use old vulnerabilities to exploit systems? Simply put, because it works.

What’s needed is a more reasoned approach to patch management. One that understands the issues, recognizes the risks and applies a centralized, comprehensive patch-management solution as the core of a complete defense-in-depth strategy.

“Patching is the low-hanging fruit,” Henry says. “There is no better return on your network-security dollar than patching.”

The Apps Accumulate
Our increasingly connected, mobile workforce relies on software to get the job done. And increasingly, that software comprises third-party, non-Microsoft apps. Apps that lack a unified patch mechanism. A few relevant facts:
»» Of the top 50 most common apps, 26 are from Microsoft and 24 are from third-party vendors.
»» Non-Microsoft apps have four times more vulnerabilities.
»» There was a 71 percent increase in vulnerabilities in software typically found on endpoint PCs in 2009.
»» In North America, Europe and Asia, the average PC contains at least three vulnerable apps at any given time.2

1. Palo Alto Networks Application Survey 2009, 2010
2. Secunia Yearly Report, 2010
Report: Patched Vulnerabilities Remain Prime Exploitation

     VULNERABILITY                                                      DISCLOSED   PATCHED
  1. Microsoft Internet Explorer RDS ActiveX                            2006        2006
  2. Office Web Components Active Script Execution                      2002        2002
  3. Microsoft Video Streaming (DirectShow) ActiveX Vulnerability       2007        2009
  4. Real Player [ERPCt] Remote Code Execution                          2007        2007
  5. Adobe Acrobat and Adobe Reader CollectEmailInfo                    2007        2008
  6. Adobe Reader GetIcon JavaScript Method Buffer Overflow             2009        2009
  7. Adobe Reader util.printf() JavaScript Func() Stack Overflow        2008        2008
  8. Microsoft Internet Explorer Deleted Object Event Handling          2010        2010
  9. Microsoft Access Snapshot Viewer ActiveX Control                   2008        2008
 10. Adobe Reader media.newPlayer                                       2009        2009
 11. Microsoft Internet Explorer (IE) iepeers.dll                       2010        2010
 12. BaoFeng StormPlayer Buffer Overflow                                2009        2009
 13. JVM Buffer Overflow Vulnerabilities                                2009        2009
 14. Microsoft IE STYLE Object Invalid Pointer Reference                2009        2009
 15. Java WebStart Arbitrary Command Line Injection                     2010        2010

Source: M86 Security Labs
http://www.zdnet.com/blog/security/report-patched-vulnerabilities-remain-prime-expoitation-vector/8162?tag=n1.e539
The top 15 most-observed vulnerabilities involve software for which patches have long been available.
The problem isn’t that patches aren’t available for these apps. It’s that the patches aren’t applied. For example, Secunia reports an average 4,364 common vulnerabilities and exposures (CVE) per year. For about half these advisories, a patch becomes available on the day of disclosure. For the remaining half, a patch becomes available within 30 days. But on average, large organizations take at least twice as long to patch client-side application vulnerabilities as they do to patch operating system vulnerabilities.3 As a result, “90 percent of attacks are exploiting vulnerabilities we already knew about, by missing patches, deciding not to patch. … Ninety-nine percent are exploited configurations and unpatched machines that the simplest vulnerability scan would have found,” says Gartner security expert John Pescatore.4

Apps are often the gateway to organizational databases, which house personally identifiable information and intellectual property. Cyber-criminals know that if they can get to the app, they can get to data that has value. And security measures typically focus on the periphery and the network, leaving apps and databases at risk.

3. SANS Institute Report, September 2009
4. Gartner Security and Risk Management Summit, June 2010
Security advisories corroborate this view. “Web applications now reign supreme in both the number of breaches and the amount of data compromised through this vector,” says the Verizon 2010 Data Breach Investigations Report.

In January 2011, 60 percent of known vulnerabilities were converted by cyber-criminals into attacks, according to Dark Reading.

Security professionals are increasingly aware of these realities. “What concerns them most about reducing the endpoint risk are preventing applications from being installed or executing on their endpoints, discovering what applications are residing on the network and ensuring that vulnerable applications are patched,” according to a survey of security pros by Ponemon Institute, an independent research organization.

“On average, 15 new vulnerabilities are discovered every day, and that’s a very conservative number,” Henry points out. “Software vulnerabilities are a fact of life, and they’re growing daily. Understanding these risks is crucial in defining your ability to address them effectively.”

Surgical Strikes
While third-party apps proliferate, attackers are getting better at exploiting them. Some more worrisome statistics:
»» 98 percent of organizations experienced at least one malware or virus intrusion in 2010.
»» 62 percent experienced at least 50 malware attempts per month.
»» 43 percent said they had seen a major increase in malware attacks.5

“As the number of vulnerabilities increases, we’re seeing the bad guys increasingly being able to take them and convert them into reliable exploits,” Henry notes.

Security pros agree. The three most challenging issues they face are zero-day attacks, SQL injections and the exploitation of software vulnerabilities more than three months old, according to the Ponemon survey. As a result of these threats, more than one-third of respondents said their networks are not more secure today than they were a year ago.

They also said the risks are shifting. Today, they’re not primarily concerned about their data centers, operating systems or network infrastructures. Instead, they’re most worried about mobile employees working from remote locations, downloading unfamiliar third-party apps, and increasing the threat of destructive, hard-to-detect malware attacks. It’s no surprise, then, that 61 percent predict the top security risk over the next 12 months will be the mushrooming volume of malware incidents.

5. Ponemon Institute, State of Endpoint Risk, December 2010
What’s troubling, though, is that the vast majority of organizations are using a broad range of security tools. For example, 98 percent have AV in place. Sixty percent have endpoint firewalls. And 57 percent use intrusion detection. Yet they’re still falling victim to attacks—in large part because they haven’t patched their vulnerable applications.

Defense-in-Depth
In the face of increasing vulnerabilities and more sophisticated and persistent threats, smart organizations are moving toward a holistic, “defense-in-depth” approach to security. Defense-in-depth leverages layers of configuration management, application control, device control and AV. But at the very core lies patch management—your first line of defense.

Patch management isn’t about simply switching on WSUS. WSUS is a fine tool for patching Windows, and Microsoft is very good about communicating vulnerabilities in its operating system. WSUS is useless in patching third-party and Web apps though. And those apps need to become a sharper focus of security efforts.

Aberdeen Group recommends a four-step approach to patch management:
»» Assess —First, identify all assets, including platforms, operating systems, applications and network services. Then, monitor external sources for vulnerabilities, threats and remediation information. Finally, scan all assets on a regular basis for vulnerabilities, patches and configurations.
»» Prioritize —Maintain an inventory of assets and a database of remediation information. Prioritize the order of remediation in terms of risk, compliance, audit and business value.
»» Remediate —Start by modeling, staging and testing remediation before deployment. Next, deploy either manual or automated remediation. Last, train administrators and users on vulnerability-management best practices.
»» Repeat —Scan to verify the success of your last remediation. Report on it for audit and compliance. And continue to assess, prioritize and remediate on an ongoing basis.
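The four steps above, and the earlier observation that client-side application patches sit unapplied far longer than operating-system patches, can be made concrete with a small inventory-driven loop. The following is an added example written for this page; it is not code from the white paper, from Aberdeen Group or from Lumension. The host names, installed versions, advisory identifiers (ADV-000x, a constructed placeholder scheme, not real CVE numbers), severities and dates are all constructed, and the scan date SCAN_DATE is an assumed value. It assesses each host's installed versions against an advisory feed, ranks the findings by severity, asset value and how long a fix has been available, remediates the top of the list, then rescans to verify.

```python
"""Assess -> Prioritize -> Remediate -> Repeat over a constructed inventory.

Added example, not code from the white paper or from Lumension. Host names,
application versions and advisory identifiers are constructed placeholders
(ADV-000x is not a real CVE numbering scheme).
"""
from dataclasses import dataclass
from datetime import date

SCAN_DATE = date(2011, 5, 18)   # assumed scan date for the example


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # constructed placeholder, not a real CVE
    app: str               # application the advisory applies to
    category: str          # "os" or "third-party"
    fixed_version: tuple   # first version that carries the fix
    severity: int          # 1 (low) .. 10 (critical)
    patch_available: date  # day the vendor shipped the fix


@dataclass
class Host:
    name: str
    criticality: int       # business value of the asset, 1 .. 5
    apps: dict             # app name -> installed version tuple


def parse_version(text):
    """'9.3.4' -> (9, 3, 4); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def build_sample():
    """Constructed inventory and advisory feed (fresh copies on every call)."""
    advisories = [
        Advisory("ADV-0001", "reader", "third-party", parse_version("9.4.0"), 9, date(2011, 2, 8)),
        Advisory("ADV-0002", "os-kernel", "os", parse_version("6.1.2"), 9, date(2011, 4, 12)),
        Advisory("ADV-0003", "media-player", "third-party", parse_version("12.0.1"), 5, date(2010, 12, 1)),
    ]
    hosts = [
        Host("fin-ws-01", 5, {"reader": parse_version("9.3.4"), "os-kernel": parse_version("6.1.2"),
                              "media-player": parse_version("12.0.1")}),
        Host("dev-ws-07", 2, {"reader": parse_version("9.4.0"), "os-kernel": parse_version("6.1.1"),
                              "media-player": parse_version("11.9.0")}),
        Host("kiosk-03", 1, {"media-player": parse_version("11.5.0")}),
    ]
    return hosts, advisories


def assess(hosts, advisories):
    """Step 1: compare every host's installed versions with the advisory feed."""
    return [(host, adv) for host in hosts for adv in advisories
            if adv.app in host.apps and host.apps[adv.app] < adv.fixed_version]


def priority_score(host, adv, today):
    """Step 2: severity x asset value x exposure window (days the fix has been
    available, plus a 30-day floor so fresh advisories are not scored zero)."""
    days_unpatched = (today - adv.patch_available).days
    return adv.severity * host.criticality * (30 + days_unpatched)


def prioritize(findings, today):
    return sorted(findings, key=lambda f: priority_score(f[0], f[1], today), reverse=True)


def mean_days_unpatched(findings, today):
    """Average exposure window per advisory category: the metric behind the
    'twice as long for client-side apps' observation."""
    per_category = {}
    for _, adv in findings:
        per_category.setdefault(adv.category, []).append((today - adv.patch_available).days)
    return {cat: sum(days) / len(days) for cat, days in per_category.items()}


def remediate(host, adv):
    """Step 3: a deployed patch moves the installed version to the fixed one."""
    host.apps[adv.app] = adv.fixed_version


def run_cycle(hosts, advisories, today, budget):
    """Steps 1-4: assess, remediate the top `budget` findings, rescan to verify."""
    ranked = prioritize(assess(hosts, advisories), today)
    for host, adv in ranked[:budget]:
        remediate(host, adv)
    remaining = assess(hosts, advisories)   # step 4: verification scan
    return ranked, remaining


if __name__ == "__main__":
    hosts, advisories = build_sample()
    print("exposure by category:", mean_days_unpatched(assess(hosts, advisories), SCAN_DATE))
    ranked, remaining = run_cycle(hosts, advisories, SCAN_DATE, budget=2)
    for host, adv in ranked:
        print(f"{priority_score(host, adv, SCAN_DATE):6d}  {host.name:10s} {adv.advisory_id} ({adv.category})")
    print("remaining after cycle:", [(h.name, a.advisory_id) for h, a in remaining])
```

The scoring function is deliberately simple; in practice the "business value" and "compliance" factors the Prioritize step calls for would come from the asset inventory rather than a hard-coded integer, and the verification scan in the Repeat step is what catches a deployment that reported success but left the old version in place.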
Achieving such effective patch management calls for a centralized, comprehensive solution. Yet many organizations have relied on a fragmented approach. They’ve deployed tools that don’t centralize or consolidate the management of heterogeneous environments. As a result, they lack visibility into their security posture. They miss devices and blind spots, and they suffer from inconsistent reporting. They also wind up with high management overhead and costs.

Instead, patch and configuration analysis and delivery must extend across all platforms, operating systems and applications. Application and operating-system patching have to be benchmarked and consistently enforced. Standard configurations should be assessed and enforced. And network endpoints have to be managed, because unmanaged endpoints are unknown and unprotected.

“The old approaches clearly haven’t worked,” Henry explains. “We have disparate products, and we have processes that are expensive and require high management overhead. Without centralized management and reporting across your platforms, systems and applications, you can’t achieve cost-effective security.”
Top Perks of Patching
An effective patch-management solution delivers business benefits across a broad range of areas:
»» Security —Patch management is at the core of a complete defense-in-depth approach to security.
Patching known vulnerabilities is the most cost-effective, straightforward way to improve your
security posture.
»» Visibility —Discovery and agent deployment for both physical and virtual environments means
you always know what’s connected to your network. Reporting delivers critical feedback regarding
performance, endpoint events, return on investment and security overall.
»» Performance —By eliminating blind spots in network maintenance and ensuring that offline
machines receive crucial updates and patches during maintenance windows, you can improve
system performance.
»» Productivity —A centralized solution reduces setup and maintenance of users and user groups. It
also eases administration through workflow-based navigation and an intuitive management console.
And it ensures a more efficient, consistent and secure process for applying agent policies.
»» Risk —Security breaches can expose your organization to civil lawsuits and monetary damages. They can also involve penalties related to service-level agreements and disrupted partner relationships. Effective patch management can go a long way toward mitigating such risks.
»» Cost —Effective patch management reduces the time and effort IT staff need for installations, upgrades, uninstalls and patches across your environment. An extensible platform with a single infrastructure ultimately reduces your total cost of ownership. Most important, it reduces time and resources spent on remediating security breaches.
Solid Solution
What’s needed, then, is a centralized, comprehensive approach to application patching. To that end,
Lumension® Endpoint Management and Security Suite: Patch and Remediation provides automated vulnerability assessment and patch management. The software enables you to automatically detect risks, deploy
patches and protect your business information across a complex, highly distributed physical and virtual
environment. These activities are seamlessly integrated into a single management console for complete
visibility into your network.
Lumension® Patch and Remediation enables patching of Microsoft, third-party and custom apps, as well as
patching based on CVEs. It also offers a full range of additional features, including granular patch control,
flexible management control, discovery of new and unauthorized clients, up-to-date data assessments, network visibility, software uninstall and built-in reporting.
The solution even delivers a lower total cost of ownership than WSUS, according to Tolly Enterprises, an independent test lab. Tolly found that Lumension can provide at least 60 percent savings compared with WSUS over one year and over five years. On average, it can save an enterprise with 500 workstations nearly $75,000 over one year and nearly $400,000 over five years. That cost advantage comes from the solution’s “diverse application support, powerful operations tools, … software removal and extensive reporting capabilities,” Tolly reports.

[Figure: Traditional Endpoint Security versus the Emerging Endpoint Security Stack. The traditional model shows antivirus and blacklisting as the core, with application control and device control as outer layers; the emerging stack shows patch and configuration management as the core of defense-in-depth, surrounded by application control, device control and antivirus. Threats labeled around the stack: Malware as a Service, 3rd Party Application Risk, Consumerization of IT and Zero Day.]
An effective defense-in-depth approach places patch and configuration management at the center and then surrounds it with layers of application control, device control and AV software.
Lumension® Patch and Remediation is a key enabler of a comprehensive defense-in-depth strategy in
which patch and configuration management are at the core, surrounded by effective layers of application
control, device control and antivirus measures.
Ultimately, effective patch management promises to strengthen your security posture, boost your system
performance, improve IT and user productivity, and reduce your IT risk—all in a cost-efficient manner.
“Patch management is not the Holy Grail. But it is an absolute core component of defense-in-depth for securing any environment,” Henry concludes. “The best way to mitigate the risk of a vulnerability is to patch
it. End of story.”
About Lumension Security, Inc.
Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protect
their vital information and manage critical risk across network
and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success
by delivering a proven and award-winning solution portfolio that
includes Vulnerability Management, Endpoint Protection, Data
Protection, and Compliance and Risk Management offerings.
Lumension is known for providing world-class customer support
and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including
Florida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia, and Singapore. Lumension: IT
Secured. Success Optimized.™ More information can be found at
www.lumension.com.
Lumension, Lumension Patch and Remediation, Lumension
Vulnerability Management Solution, “IT Secured. Success
Optimized.”, and the Lumension logo are trademarks or
registered trademarks of Lumension Security, Inc. All other
trademarks are the property of their respective owners.
Global Headquarters
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255 USA
phone: +1.888.725.7828
fax: +1.480.970.6323
www.lumension.com
Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management