Musings on Patch Management

 

Image result for back to basics picture

 

Denim Group is best known in the marketplace as an application security solution provider. With our ThreadFix vulnerability resolution platform we know a thing or two about identifying, mitigating, and remediating vulnerable applications. We are less well known for network security services, although we’ve built a world-class consulting team that I’d put up against any others in the information security realm.

As luck would have it, our network security team knows a bit about network vulnerability management and related patch management technologies. This has come in handy over the past couple of weeks as we’ve received a stream of inbound calls from senior security leaders looking to conduct gap analyses to identify issues with their patch management programs. Three weeks ago, patch management was a yawner for most – basic blocking and tackling for security professionals.

But, thanks to Equifax, interest and concern over patch management and network vulnerability management has blossomed. If the stream of inbound calls is reflective of the larger industry out there, security leaders in organizations across the US and the rest of the world are looking inward and asking, “could this happen to us?” Given the constantly changing nature of enterprise security, and the heterogeneous operating systems and applications that live in our environments, what might have been adequate years back when a patch management program was being stood up, might, and probably is, now out of date.

Prompted by Equifax or not, now is a good time to review your vulnerability management program to identify any gaps that might exist as your organization has grown and adapted to the breathtaking changes in technology that have taken place. Since we’ve been asked so many times in the last two weeks by clients and prospects, we compiled high-level steps you can take to assess the coverage and efficacy of your vulnerability management program.

These steps include doing the following activities.

  • Quickly review and update your asset inventory to capture every computing device hanging off your network. Find the one guy (or gal) in your organization, bribe him with doughnuts, and beg him to give you his inventory information on every server, router, wireless access point, printer, etc. in the organization. Run tools that capture this information if, heaven forbid, he doesn’t have it.
  • Run network and application vulnerability scans for externally-facing devices and internal servers and workstations to identify obvious vulnerabilities that might point to a larger patching problem.
  • Review any recent risk assessments of your most critical networking and computing assets. Reaffirm where your most critical customer data lives and understand any gaps that might exists between your last risk assessment and today.
  • Conduct a risk assessment of the components that have been introduced between the last assessment and today. Identify unknowns and major risks factors. Discover if these assets are part of any formal patching program already in place.
  • Confirm operating systems that exist in your environment – all of them. Understand the management processes of each and how long it’s been since a security architect has updated these processes. Confirm the tools and platforms that provide updates for all.
  • Revisit your patch management risk decision-making process to make sure it has been regularly exercised and is judged as effective by internal stakeholders. How regularly has this process been used? Has the process identified updates to not take forward to production? Identify any process improvement ideas that might be applicable.
  • Review your vulnerability management processes in comparison to configuration management and change control processes in your organization. Are they compatible? Do they view updates through a similar risk perspective? Is this an opportunity to streamline or update both for alignment purposes?
  • Understand which groups in your organization are responsible for network, host, and application vulnerability management. Who has responsibility for different aspects of vulnerability management and how do they interact? What is the division of labor between security and ops? Is there an opportunity for improving interaction?
  • Review your written patch management policies. If you don’t have them, write them and use this exercise to further define roles, responsibilities, and decision-making criteria. Revisit how you communicate vulnerability management issues to key management and stakeholders and reevaluate your reporting assumptions.
  • Don’t forget about the applications! If you build custom applications you must have a process in place to remediate vulnerabilities created by your internal development teams. And don’t equate a sophisticated network vulnerability process with an application vulnerability process. They are two entirely separate beasts run typically by different teams.

This by no means is an exhaustive list of vulnerability management program facets to assess, but I hope it’s a great starting point as you ask the hard questions about where your program is in a post-Equifax world. I’d also recommend you review the numerous resources that exist including from organizations such as NIST and SANS. If you’ve never done this before (or as we say in Texas, “if this is your first rodeo”), it’s an opportune time to engage an outside party who has.

Contact us if you would like to talk more about patch management strategies.

 

About John Dickson

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years' hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO's) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.
More Posts by John Dickson

Leave a Reply

Your email address will not be published. Required fields are marked *