Protect Critical Assets with Virtual Patching
White Paper
Closing the vulnerability window using predictive threat protection
Table of Contents
Vulnerabilities Lead to Risk Exposure and Downtime (page 3)
  Out-of-band patching (page 3)
Change Management Approaches (page 4)
  Reactive change management (page 4)
  Proactive change management (page 4)
  Virtual patching (page 4)
The McAfee Virtual Patching Solution: Layered Security Risk Management (page 5)
  McAfee Network Security Platform (page 5)
  McAfee Vulnerability Manager (page 5)
  McAfee ePolicy Orchestrator (page 6)
  McAfee Enterprise Security Manager (page 6)
  Deployment options (page 7)
  Improved protection through McAfee Global Threat Intelligence (McAfee GTI) (page 7)
Virtual Patching (A Step-by-Step Guide) (page 8)
  Step 1: Deploy McAfee Network Security Platform (page 8)
  Step 2: Scan your entire network for vulnerabilities (page 8)
  Step 3: Assess your organization’s risk posture based on vulnerability scans and deployed countermeasures (page 8)
  Step 4: Enable additional vulnerability protections in McAfee Security Platform (page 9)
Trust Intel Security (page 10)
IT organizations have grown accustomed to underfunded budgets, low
staffing levels, and lack of IT security expertise. Unfortunately, they have
also grown accustomed to unpatched vulnerabilities, compromised security,
and the higher risks and costs that result. Virtual patching using predictive
threat coverage, automated vulnerability scanning, and risk visualization is a
scalable and cost-effective approach to protecting critical assets. It enhances
your patch and change-management processes while significantly reducing
security administration costs.
Vulnerabilities Lead to Risk Exposure and Downtime
As long as there is software, there will be software vulnerabilities. Each year, IT organizations
face thousands of common vulnerabilities and exposures (CVEs) across hundreds of servers and
thousands of clients. Microsoft alone announced 488 CVEs in 2014, of which 391 (80%) were
classified as highest severity. Wherever you find vulnerabilities occurring at this scale, you will also
find malware and criminal exploits.
Cybercriminals are introducing new spyware, viruses, Trojans, worms, and other malware at alarming
rates. The total number of malware samples in the McAfee Labs zoo grew by 17% in Q4 2014, with
more than six new threats appearing every second. While both vulnerabilities and malware are
increasing, most IT organizations face ever-tightening IT budgets and limited staffing to combat
these cybercrimes.
Patching is a critical part of fighting malware and data theft, but it is also time-consuming, costly,
and unpredictable. Vulnerability announcements and patch releases arrive constantly, creating
inevitable gaps between unscheduled revelations and scheduled patch processes. When the interval
from discovery to patch deployment lengthens, a window of opportunity opens with a panoramic
exposure to risk, exploitation, and loss. The roll call of organizations that have paid the high price of
delayed patch distribution grows longer every month, with new victims from every industry sector:
retail, healthcare, financial services, entertainment, and government.
Out-of-band patching
To address critical vulnerabilities, IT organizations must frequently deploy patches out of band. This
is disruptive and carries its own risks, including unplanned downtime, service interruptions, lost
productivity, overtime expense, and even system crashes due to insufficient testing. The operational
costs and revenue loss can hit the organization’s bottom line hard. For example, the Conficker worm
alone had an economic impact of $9.1 billion according to ZDNet. [1]
Neither the risks of unpatched systems nor the high costs of frequent, unscheduled patching
operations are acceptable. IT organizations need a more efficient way to manage vulnerability-driven
change.
Sidebar: How to Deal with the “Culture of No” in Patching Practice
Gartner analysts Andrew Lerner and Jeremy D’Hoinne describe a dozen widespread worst practices
that often reduce network availability, increase risks and costs, and alienate end users. Number two
in their dirty dozen is something they call the “culture of no.” It’s an elitist, dictatorial approach to
security implementation and enforcement that ignores legitimate business needs. As an example,
the authors cite patch processes that force immediate system reboots with no option for users to
defer or postpone the interruption of their work. Too often, this results in a subculture of security
bypass that increases the organization’s overall risk. [2]
Change Management Approaches
The available approaches to managing change in vulnerable systems fall into three categories:
reactive, proactive, and virtual.
Reactive change management
Reactive change management is essentially the failure to plan for change and impose order on the
change process. Patches are tested and applied whenever vendors release them. Some call it “the
patching fire drill.”
Companies that operate this way waste considerable time, effort, and money—and they leave
themselves open to attack. They have no concept of out-of-band patching, as nothing ever seems
to be patched according to a regular cycle. They also have no comprehensive way to prioritize
patches, relying almost exclusively on operating system (OS) and application vendors’ patch
releases to dictate patch schedules. As a result, critical CVEs are given immediate priority, as the
IT department has little or no visibility into its actual vulnerabilities or the threats that target its
network.
Proactive change management
In contrast to the reactive, after-the-fact fire drill way of patching, proactive change management
puts processes in place ahead of time and sticks to a predictive patch cycle based on typical
vendor patch release schedules. Organizations in this category typically schedule patch
deployment when it’s most beneficial for the business (after hours or on weekends, when critical
system use and network traffic are typically low). Client systems are often patched on a weekly or
bi-weekly basis, application servers on a monthly basis, and critical database infrastructure on a
quarterly basis.
Even with proactive change management, these organizations rarely have a consolidated view
into the number and severity of system vulnerabilities, and any connection between network
vulnerabilities and looming threats is the result of manual correlation efforts. Organizations with
proactive change management processes are still exposed to the risks and operational perils of
out-of-band patching, and typically don’t have the means to increase scheduled patching intervals.
Virtual patching
The third way to handle change management is virtual patching—a complement to proactive
change management. Virtual patching uses proven security technologies to protect you from
emerging threats until you can actually patch the targeted vulnerabilities through normal
processes. It reduces the “fire drill” mentality of patch management, streamlining operations and
reducing costs. Virtual patching is particularly useful in reducing the need for frequent, out-of-band
patch cycles.
Technologies that help assist virtual patching include the following:
■ Vulnerability scanning that discovers vulnerabilities on every device, application, operating
  system, IP address, and URL associated with your network.
■ Risk assessment tools that combine threat, vulnerability, and countermeasure information to
  pinpoint assets that are truly at risk and prioritize security activities.
■ Network intrusion prevention systems (IPSs) that monitor network traffic and block malicious
  activity.
■ Enterprise security consoles that cull all the data from the above systems to provide a real-time
  view of network security and allow integrated operation of these interrelated systems from one
  centralized point.
|                                              | Reactive Change Management          | Proactive Change Management                      | Virtual Patching + Proactive Change Management                                        |
|----------------------------------------------|-------------------------------------|--------------------------------------------------|---------------------------------------------------------------------------------------|
| Efficiency                                   | Inefficient; lots of wasted effort  | More efficient                                   | Highly efficient                                                                      |
| On-cycle patching                            | Not practiced                       | Yes                                              | Yes                                                                                   |
| Out-of-band patching                         | N/A                                 | Required for critical updates                    | Eliminated, reducing costs                                                            |
| Quantifiable risk exposure                   | No                                  | No                                               | Yes                                                                                   |
| Effect on risk posture                       | Limited                             | Better, but companies still face enormous risk   | Best, risk is greatly reduced                                                         |
| Window of exposure to critical vulnerabilities | Wide open                         | Days or even weeks                               | Hours                                                                                 |
| Overall risk mitigation strategy             | Keep fingers crossed                | Actively try to safeguard IT infrastructure      | Close vulnerability window by employing multilayer security and systematic patching   |
Table 1. Implications of the three change-management methods.
The McAfee Virtual Patching Solution: Layered Security Risk Management
Virtual patching is more than a temporary fix; it’s a fundamentally sound approach to ensuring
security by enhancing your patch and change-management processes while reducing system
exposure.
The virtual patching solution from McAfee, a part of Intel Security, provides a layered approach
to security risk management while adding the ability to apply a virtual patching strategy to your
existing change-management process. It combines proven defenses and security insight with real-time
threat intelligence to help close the vulnerability window until patching can occur through your
regular change-management processes.
McAfee virtual patching integrates McAfee® Network Security Platform, McAfee Vulnerability
Manager, and McAfee Enterprise Security Manager to provide comprehensive risk assessment and
rapid remediation for vulnerable systems.
McAfee Network Security Platform
McAfee Network Security Platform provides integrated network and systems security, including
industry-leading intrusion detection and prevention. Its predictive security engine combines
anomaly detection and cloud-based threat intelligence with more traditional signature-based
defenses that allow you to prevent attacks on vulnerable systems. McAfee Network Security
Platform not only detects suspicious network intrusions, it also blocks malicious attacks before they
can inflict harm through the use of vulnerability-based signatures and real-time threat information
with McAfee Global Threat Intelligence. To further facilitate virtual patching, McAfee Network
Security Platform allows you to quarantine suspect or vulnerable systems, protecting other network
resources until patches can be created, tested, and deployed during your regular patch cycle.
McAfee Vulnerability Manager
McAfee Vulnerability Manager scans all your network assets for vulnerabilities and identifies risk
exposures and policy violations. By prioritizing vulnerabilities, McAfee Vulnerability Manager
improves IT efficiency, providing an attractive ROI while accelerating critical patch deployment.
Once vulnerabilities are identified, McAfee Vulnerability Manager helps you identify the most critical
remediation and patching needs quickly and accurately. Through standards-based scoring, you can
run targeted scans on critical assets and determine whether appropriate protection is in place.
Sidebar: McAfee Global Threat Intelligence (McAfee GTI)
McAfee GTI is based on:
■ More than 100 million nodes deployed around the globe.
■ 112 reputation servers in seven data centers.
■ More than 100 billion queries each month from all threat vectors: file, web, message, and network.
■ The most comprehensive set of threat intelligence services in the market—file reputation, web
  reputation, web categorization, message reputation, and network connection reputation.
McAfee ePolicy Orchestrator
The McAfee® ePolicy Orchestrator® (McAfee ePO™) platform is a centralized security management
solution that unifies security policy and execution across endpoints, networks, data, and
compliance solutions from McAfee and third-party software providers. It provides a dashboard
view of the security environment with drill-down views that reveal granular details of threats
and compliance issues as they relate to specific assets. It collects host information via multiple
discovery techniques and provides automated system management and configuration control to
streamline threat remediation.
McAfee Enterprise Security Manager
McAfee Enterprise Security Manager is a revolutionary security information and event management
(SIEM) solution that delivers actionable insight into the security state of a network and all the
systems, applications, networking components, and security controls that reside on it. McAfee
Enterprise Security Manager collects and correlates billions of log events and flow data in a highly
tuned database, keeping years of information available for ad hoc queries, forensic analysis, rules
validation, and compliance reporting. Results are delivered in seconds or minutes, not hours,
providing real-time situational awareness at the speed and scale necessary to detect critical events,
direct intelligent response, and enable continuous compliance.
Beginning with version 9.5, McAfee Enterprise Security Manager includes a new threat management
module that incorporates much of the functionality previously developed within McAfee Risk
Manager. This module serves as the nerve center of our virtual patching solution.
When activated and configured, the threat management module collects vulnerability information
(CVEs) from McAfee Vulnerability Manager (and many third-party vulnerability scanners), as well
as real-time threat feeds from McAfee Global Threat Intelligence. It correlates open CVEs and
emerging threats against inventories of current assets and available security countermeasures,
which it acquires from McAfee ePO software. The module then calculates the risk posed by each
threat and vulnerability, and prioritizes the available countermeasures for deployment.
Figure 2. The threat management module in McAfee Enterprise Security Manager collects, correlates, prioritizes, and displays
threat and vulnerability information.
Sidebar: Reducing Malware Risk for the City of Chicago
The City of Chicago’s new Information Security Office (ISO) recently implemented an integrated set
of Intel Security solutions, including McAfee Vulnerability Manager, to secure the city’s critical IT
infrastructure.
“With the improvements in patch management and validation provided by McAfee Vulnerability
Manager, the tuning we’ve done to [McAfee] VirusScan® on the endpoints, and improvements to our
scanning schedule, I can say that we’ve been able to reduce identified malware in our environment
by more than 2,000%,” says Chief Information Security Officer Arlen McMillan.
“With McAfee Vulnerability Manager checking that patches were deployed effectively, in addition to
the ad hoc and pinpointed vulnerability checks it performs against critical systems, we’ve been able
to reduce malware incidents from tens of thousands to practically none.” [3]
Deployment options
Deploying the complete virtual patching solution set provides the highest levels of visibility, value,
automation, and protection. We recommend a complete solution deployment as a best practice.
Some customers, however, may choose to build their virtual patching solution in incremental steps:
■ McAfee Network Security Platform, with its award-winning intrusion protection system, provides
  essential baseline coverage for all vulnerable systems on a network segment.
■ Adding McAfee Vulnerability Manager improves your risk posture and operational efficiency by
  directing your patching and security efforts at those systems with the most risk.
■ Completing the solution with McAfee Enterprise Security Manager and McAfee ePO software
  technology takes the guesswork completely out of the equation, allowing you to identify exactly
  which systems need coverage and which defense mechanisms to put in place.
Improved protection through McAfee Global Threat Intelligence (McAfee GTI)
In addition to signature-based defenses, McAfee Network Security Platform also includes real-time,
reputation-based protection. McAfee GTI helps protect users against malware that is often
downloaded by unsuspecting users when they visit compromised websites. With real-time
protection through McAfee GTI, McAfee Network Security Platform protects your networks against
more than 300 million malware samples. Simply turn on McAfee GTI in the McAfee Network
Security Manager console to unlock the power of cloud-based security.
McAfee GTI offers the industry’s most comprehensive, real-time protection against both known
and emerging threats across all key threat vectors—file, web, email, and network. This cloud-based
threat intelligence service spans the Internet, using millions of sensors to continually gather
real-world threat information.
McAfee GTI understands the reputation of a file, website, IP address, and sender over time and
correlates this reputation-based information with advanced threat protection techniques for
accurate, real-time insight of both known and emerging electronic threats. This superior threat
intelligence is delivered via the complete suite of Intel Security products, effectively compressing
customers’ protection gaps from days to seconds and often protecting them in a predictive manner.
■ Comprehensive protection reduces incident probability, lowers costs associated with incident
  remediation, and ensures a better security posture.
■ Real-time collection, analysis, and distribution of threat intelligence compress the protection
  window from days and hours to seconds and milliseconds, and, in many cases, provide predictive
  protection.
■ Integration into our products reduces administration overhead while providing complete,
  consistent coverage.
By delivering real-time threat insight and superior protection, McAfee GTI allows companies to
adopt innovative patch management strategies such as virtual patching.
Virtual Patching (A Step-by-Step Guide)
The following process assumes all products in the previous scenario have been deployed.
Step 1: Deploy McAfee Network Security Platform
As stated earlier in this paper, virtual patching hinges on the intrusion prevention capabilities of
the McAfee Network Security Platform. The first step is to strategically deploy network security
to protect critical assets in relevant network segments. Start with network perimeters, data center
edges, and between security enclaves and zones within the data center. This provides baseline
coverage against attacks launched both from external sources as well as within the network.
Additionally, McAfee Network Security Platform supports next-generation network architectures,
including virtualization capabilities that provide flexibility to cover both physical and virtual
network segments with unique policies.
Step 2: Scan your entire network for vulnerabilities
McAfee Vulnerability Manager installs on your physical or virtualized hardware and is also available
as a hardened appliance. Delivering unrivaled scalability, McAfee Vulnerability Manager canvasses
everything on your network—smartphones, printers, rogue devices, forgotten VMware hosts, and
everything in between—including applications, operating systems, and version numbers. If it has
an IP address, McAfee Vulnerability Manager can discover and scan it.
For instance, on Patch Tuesdays, you can quickly decide which machines might be affected by a
new Microsoft Windows or Adobe vulnerability. In minutes, without rescanning your entire network,
McAfee Vulnerability Manager visualizes and ranks the risk potential of new threats based on
existing configuration data and risk scores.
In addition to standards-based scoring, patented McAfee Foundscore® risk assessment technology
uses a unique algorithm to calculate risk. It takes into account asset criticality, risk rating for
discovered vulnerabilities, resource type, and other variables to deliver a usable risk grading. You
can then select assets based on criticality. Just right-click to run an instant targeted scan on each
system. While the scans run, McAfee Vulnerability Manager shows you every system’s software
configuration and confirms whether or not appropriate intrusion prevention is in place.
Conclusive evidence—such as expected and actual scan results, any systems not scanned, and
any failed scans—documents that specific systems are “not vulnerable,” which is an increasingly
common audit requirement these days.
Step 3: Assess your organization’s risk posture based on vulnerability scans and deployed
countermeasures
The threat management module in McAfee Enterprise Security Manager correlates threat feeds
from McAfee GTI with your vulnerability and countermeasure information. By doing so, it delivers
an immediate assessment of the assets that are at risk within your organization as well as
recommended remediation and subsequent patching steps. You instantly get details about a threat,
its severity, and the risk it presents, allowing you to prioritize your remediation efforts according to
an asset’s value.
McAfee Enterprise Security Manager also delivers a quantifiable risk score, allowing an organization
to determine and chart the level of risk over time. It enables you to chart your vulnerability profile
and pinpoint where to focus your security efforts. It displays “At risk” and “Not at risk” summaries,
then allows you to drill into specific details.
Once all vulnerabilities, threats, and countermeasures have been identified and prioritized, the
McAfee ePO console can be used to push out any required .DAT or other files to out-of-date
systems.
Figure 3. The threat management module in McAfee Enterprise Security Manager shows you exactly which assets in your
environment are most at risk.
Step 4: Enable additional vulnerability protections in McAfee Security Platform
Out of the box, McAfee Network Security Platform offers better protection levels than most vendors’
“tuned” protection levels. In fact, in an NSS Labs Data Center IPS report, McAfee Network Security
Platform blocked 99.2% of threats using its out-of-the-box “Recommended” policy settings, and
99.6% of threats after minimal tuning. [4]
With the help of McAfee Vulnerability Manager and McAfee Enterprise Security Manager,
organizations can easily and quickly identify any gaps in vulnerability coverage and recommend the
appropriate countermeasures. For example, they can activate the appropriate vulnerability-based
signatures to protect against the latest vulnerabilities and threats, and eliminate the risk exposure
until IT can appropriately patch the systems during the next regularly scheduled patch cycle. By
using McAfee Network Security Platform, organizations are typically covered within hours of (if not
prior to) vulnerability announcements through predictive threat coverage and McAfee Labs rapid
release of vulnerability signatures.
To simplify this process, the threat management module in McAfee Enterprise Security Manager
indicates which signatures are required to ensure protection and whether you have them in place.
If you don’t have a required signature, you can always download it through the McAfee Network
Security Platform console with a simple right-click function.
Note, however, that deploying every conceivable signature can reduce network performance and
result in false positives (blocking legitimate network traffic). That’s why it’s best practice to only
deploy the optimal collection of signatures, which McAfee Enterprise Security Manager helps you
identify.
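The correlation that the threat management module performs (open CVEs from the scanner, a threat feed, and the countermeasures enabled per network segment, scored per asset and ranked by countermeasure) and that Steps 3 and 4 walk through, as an added Python example. This is not McAfee code and models none of the products’ APIs: the asset names, CVE identifiers, severities, signature IDs and scoring weights are constructed placeholders, and the greedy ranking is one simple way to pick the smallest set of signatures that closes the exposure.

```python
"""Virtual-patching risk correlation: which assets are exposed right now, and
which IPS signatures to enable first to shield them until the real patch lands.
Added example, not McAfee code. All identifiers and numbers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (business critical), set by the asset owner
    segment: str            # network segment whose IPS sensor protects this asset
    open_cves: frozenset    # CVEs the vulnerability scanner found unpatched


# --- Constructed sample data (placeholder IDs, not real CVE numbers) ----------
SEVERITY = {                # CVSS-style base score per open CVE
    "CVE-0000-0001": 9.8, "CVE-0000-0002": 7.5,
    "CVE-0000-0003": 5.3, "CVE-0000-0004": 8.8,
}
ACTIVE_THREATS = {"CVE-0000-0001", "CVE-0000-0004"}   # threat feed: exploited in the wild
SIGNATURES = {              # vulnerability-based IPS signatures and the CVEs they block
    "SIG-A": {"CVE-0000-0001"},
    "SIG-B": {"CVE-0000-0002", "CVE-0000-0003"},
    "SIG-C": {"CVE-0000-0004"},
}
ASSETS = [
    Asset("db01", 5, "datacenter", frozenset({"CVE-0000-0001", "CVE-0000-0003"})),
    Asset("hr-app", 4, "datacenter", frozenset({"CVE-0000-0002"})),
    Asset("web01", 3, "dmz", frozenset({"CVE-0000-0002", "CVE-0000-0004"})),
    Asset("web02", 2, "dmz", frozenset({"CVE-0000-0004"})),
    Asset("kiosk07", 1, "lan", frozenset({"CVE-0000-0003"})),
]
ENABLED = {"datacenter": set(), "dmz": {"SIG-C"}, "lan": set()}  # current sensor policy


def covered_cves(enabled_sigs):
    """Union of CVEs blocked by the signatures enabled on one segment."""
    return set().union(*(SIGNATURES[s] for s in enabled_sigs))


def asset_risk(asset, enabled):
    """Risk of one asset: its worst exposed CVE, weighted by criticality and
    doubled when the threat feed says the CVE is actively exploited.
    0.0 means every open CVE is shielded by an enabled signature ("Not at risk")."""
    exposed = asset.open_cves - covered_cves(enabled[asset.segment])
    scores = [SEVERITY[c] * asset.criticality * (2.0 if c in ACTIVE_THREATS else 1.0)
              for c in exposed]
    return round(max(scores), 1) if scores else 0.0


def total_risk(assets, enabled):
    return round(sum(asset_risk(a, enabled) for a in assets), 1)


def risk_summary(assets, enabled):
    """Split the inventory into the 'At risk' and 'Not at risk' views."""
    at_risk = {a.name: asset_risk(a, enabled) for a in assets if asset_risk(a, enabled) > 0}
    safe = [a.name for a in assets if a.name not in at_risk]
    return at_risk, safe


def plan_signatures(assets, enabled):
    """Greedy ranking: repeatedly enable the (segment, signature) pair that removes
    the most risk, stopping when nothing is left to gain. Signatures that shield
    no open CVE are never enabled, which keeps the sensor policy lean."""
    enabled = {seg: set(sigs) for seg, sigs in enabled.items()}   # do not mutate caller's policy
    plan = []
    while True:
        best = None
        before = total_risk(assets, enabled)
        for seg in enabled:
            for sig in SIGNATURES:
                if sig in enabled[seg]:
                    continue
                trial = {s: set(v) for s, v in enabled.items()}
                trial[seg].add(sig)
                gain = round(before - total_risk(assets, trial), 1)
                if best is None or gain > best[2]:
                    best = (seg, sig, gain)
        if best is None or best[2] <= 0:
            return plan, enabled
        enabled[best[0]].add(best[1])
        plan.append(best)


if __name__ == "__main__":
    print("At risk / Not at risk:", risk_summary(ASSETS, ENABLED))
    for seg, sig, gain in plan_signatures(ASSETS, ENABLED)[0]:
        print(f"enable {sig} on {seg}: removes {gain} risk points")
```

Note that SIG-C is never proposed for the data center and SIG-A never for the DMZ or LAN, because no asset there has the matching CVE open; that is the "optimal collection" rather than "every conceivable signature".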
Trust Intel Security
Intel Security provides a robust portfolio of security products that work together via seamless
integrations. As such, it offers the industry’s most comprehensive security management platform,
delivering proactive risk management, integration with business operations, and coordinated
security defenses.
When you deploy Intel Security solutions in your IT infrastructure, you gain:
■ Situational awareness: Monitor, manage, and report on risk management metrics to reduce threat
  detection and response times, focus security efforts and investments, and reduce costs.
■ Shared intelligence: Coordinate defenses across your security layers, so that endpoints, networks,
  email, web, and data layers all work together to minimize or eliminate security attacks.
■ Global heterogeneous protection: Manage security of any device, data, network, application, or
  database across hosted, cloud, SaaS, and on-premises as well as virtual or physical environments.
■ Open platform: Integrate security into existing business processes by tying systems and change
  management frameworks into a centralized security operation.
Ready for More?
For more information on how the Intel Security products in this paper can improve your change
management process, see the following product pages:
McAfee Network Security Platform: Control your vulnerability risk by locking down the perimeter.
Visit www.mcafee.com/NSP.
McAfee Vulnerability Manager: Get the visibility you need to find and prioritize endpoint
vulnerability. Visit www.mcafee.com/VM.
McAfee Enterprise Security Manager: Assess risk and threats across the organization with
enterprise-wide correlation. Visit www.mcafee.com/ESM.
About Intel Security
McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach
to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely
focused on developing proactive, proven security solutions and services that protect systems,
networks, and mobile devices for business and personal use around the world. Intel Security
combines the experience and expertise of McAfee with the innovation and proven performance of
Intel to make security an essential ingredient in every architecture and on every computing platform.
Intel Security’s mission is to give everyone the confidence to live and work safely and securely in the
digital world. www.intelsecurity.com.
References
[1] ZDNet: http://www.zdnet.com/article/confickers-estimated-economic-cost-9-1-billion/
[2] Gartner, “Avoid these ‘Dirty Dozen’ network security worst practices”: http://www.gartner.com/technology/reprints.do?id=127EEZRI&ct=150113&st=sb
[3] McAfee case study, City of Chicago: http://www.mcafee.com/us/resources/case-studies/cs-city-of-chicago.pdf
[4] NSS Labs Data Center IPS report: http://www.mcafee.com/us/resources/reports/rp-nss-ips-svm-ns9300.pdf
McAfee. Part of Intel Security.
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.intelsecurity.com
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered
trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property
of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are
provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc. 61919wp_virtual-patching_0415