Thoughts on Patching

As I continue through my list of security notes, I thought I would share a few ideas here. I recorded these while seeing Ron Gula discuss vulnerability management at RMISC.

Many people recommend automated patching, at least for desktops. In the enterprise, some people believe patches should be tested prior to rollout. This sounds like automated patching must be disabled. I'm wondering if anyoen has implemented delayed automated patching. In other words, automatic updates are enabled, but with a two or three day delay.

Those two or three days give the enterprise security group time to test the patch. If everything is ok, they let the automated patch proceed. If the patch breaks something critical, they instruct the desktops to not install the patch until further orders. I think this approach strikes a good balance since I would prefer to have automated patch installation be the default tactic, not manual installation.

Determining which systems are vulnerable results in imagining a continuum of assessment tactics.

  • At the most unobtrusive level we have a "paper review" of an inventory of systems and their reported patch levels.

  • Next comes passive assessment of traffic to and from clients and servers.

  • Traditional vulnerability scanning, without logging in to the target, is the next least obtrusive way to assess hosts.

  • Logging in to a host with credentials is another option.

  • Installing an agent on the host is a medium-impact approach.

  • Exploiting the host is the final way to definitively see if a host is vulnerable.


On a related note, Ron mentioned that the costs of demonstrating compliance far exceed those of maintaining compliance. This is sad. Ron also noted he believes auditors should work for the CFO and not the CIO. I agree.

Comments

Richard Bejtlich said…
foQ: that is cool, but I mean patching happens automatically unless someone intervenes -- not patches are downloaded and then told to be applied. I want the default to be patch application, albeit with a small window to stop automatic application if necessary.
11:53 AM
Ryan Russell said…
Note: I work for BigFix (who sells a patch management product) and co-moderate the patchmanagement.org mailing list. So, I've thought about the topic a bit.

What you're proposing a deadman's switch, which I'm a fan of, for unmanaged (usually home) computers.

There are plenty of good reasons for not forcing patches on people, and 2-3 days is WAY too short for the majority of enterprises. Some of the biggest patches, such as XP SP2, are often held for a year. You can get away with that, since you have hotfixes to SP1 still, mitigating methods, etc..

Any decent patch management product lets you flip a switch and deploy to all clients on-command, so there's really no need for a drop-dead date. There are many admins as most companies, so it's not like it will just get forgotten. Again, this is obviously for managed computers.

Remember, we just had a MS Patch Tuesday where the patches broke many things. That sort of thing is why businesses wait and do testing.
5:41 PM
jbmoore said…
TI has a group which tests Microsoft patches and decides whether to include them in SMS rollouts and internal Windows Update Servers. They omit certain patches if the patch breaks particular apps. I know this because a good friend is a testing administrator. TI has its own version of SP2 with some MS hotfixes omitted because of software incompatabilities with in-house applications and such. Many of their helpdesk calls are from TI employees who go to the MS Windows Update Website and patch their laptops and then wonder why their applications suddenly don't work.
8:57 PM
Anonymous said…
Yes. But unfortunately, not in an automated way.

For quite some time, my patch strategy has been, essentially: 'Apply the patches 3-5 days after release, unless there's a big uproar in the mailinglists and blogs I subscribe to'.

Basically, I'm letting everyone else do my testing for me. Why reinvent the wheel?
2:26 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more