Lumension® Guide to Patch Management Best Practices
WP-EN-04-17-12
April 2012

With the sophistication and sheer volume of exploits targeting major applications and operating systems, the speed of assessment and deployment of security patches across your complex IT infrastructure is key to mitigating risks and remediating vulnerabilities. Here are the Lumension-recommended steps to cure your patch management headache.
Introduction

Laying the Groundwork
1. Discover Assets
2. Agent Maintenance
3. Classify Value and Risk
4. Establish Workflow and Groups
5. Identify Test Groups
6. Staff Training

Before Patch Tuesday
7. Schedule Resources
8. Reserve Down-Time for Servers
9. Watch for Pre-Announcements
10. Confirm Reporting Up-to-Date
11. Deploy missing updates and prerequisites

On Patch Tuesday
12. Study Vendor Information and Patch Tuesday Security Briefings
13. Prioritize Potential Patches
14. Change Control
15. Staged Testing
16. Installation of the Patches

After Patch Tuesday
17. Deployment History
18. Calculate Time to Deploy
19. Monitor for Compliance
20. Checks and Balances
21. Metrics Improvement
Introduction

Patch and vulnerability management is a core component of your risk mitigation strategy. It is the first and last line of defense against existing and new exploits – laying the foundation from which your AV and other security technologies work. As the sophistication and sheer volume of exploits targeting operating systems and major applications increases, the speed of assessment and deployment of security patches is key to mitigating risks and remediating vulnerabilities – and reducing costs.

In this best practice guide, we are going to take a deep dive into a best practice process for patch and vulnerability management, developed by Lumension over thousands of customer engagements. This process – which is flexible and simple enough to be adapted into your environment – revolves around the well-known monthly release of security updates from Microsoft known as Patch Tuesday, and includes:
» Laying the Groundwork for a Successful Patch Process
» Before Patch Tuesday
» On Patch Tuesday
» After Patch Tuesday

Every company’s patch management process is going to be a little bit different, but what is important about these best practices is the following: It’s a repeatable cycle. It’s based on calendar events – in this case Microsoft’s Patch Tuesday. It’s iterative – it can be tweaked based on what’s learned from previous patch cycles. It’s measurable.

Documenting a process for the organization is really the best way to communicate the importance of patching your environment to the rest of the organization. In this best practice guide we chose to base the process on the well-known Patch Tuesday event, but you can align your patch process with whichever other recurring IT tasks work best for your organization, with equally effective results.

Laying the Groundwork

This section is about gaining an understanding of the machines under management and preparing the Patch and Remediation process. At a high level, this means identifying the systems to be managed, defining the patch roll-out plan, and training the organization on the Patch and Remediation process.

1. Discover Assets
Within Lumension® Endpoint Management and Security Suite (L.E.M.S.S.), identify all hardware and software on the network and categorize them by platform, applications, department, etc.

Practical Steps:
» In L.E.M.S.S., navigate to Discover > Assets

10. Confirm Reporting Up-to-Date
Review last deployment reports via Lumension Reporting Services (LRS) and make sure all computers are being regularly scanned. Validate the L.E.M.S.S. application server is actively communicating with the global subscription service (GSS).

Practical Steps:
» To confirm recent deployments and ongoing scanning in LRS:
• Run the operational report “Deployment Detail”
• Select the group(s) that you are monitoring
• Review success/failure results (Patched and Complete %)
» To confirm communication with GSS in L.E.M.S.S.:
• Go to the Tools > Subscription Updates page.
• Confirm that the “Successful” column shows “true”, indicating successful replication.
• If “false” is shown in any of the rows, troubleshoot to ensure replication.

11. Deploy missing updates and prerequisites
Determine if your software is fully updated or if there are any missing Service Packs, hotfixes or rollups from prior months that are still outstanding. Remember that some patches won’t install if you have missing prerequisites. Check that each machine in the defined group has received the latest Service Pack or update needed.

Practical Steps:
» To verify if your software is fully updated:
• In L.E.M.S.S., go to the Review > Software > Service Packs (Software Installers / Updates) page and investigate any missing service packs, hotfixes or rollups from prior months that are still outstanding.
» Deploy missing updates:
• Deploy any missing updates directly from the page above by selecting the missing patches and clicking on Deploy.
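
The prerequisite check in step 11, as an added example (not Lumension's code and not part of the original guide): given a prerequisite map and a per-machine inventory, it works out which missing updates must be deployed first and which targets cannot be deployed yet. All update names, machine names and function names are constructed placeholders, and no L.E.M.S.S. interface is used.

```python
from graphlib import TopologicalSorter  # standard library, Python 3.9+

# Constructed sample data: update and machine names are placeholders.
# PREREQS maps an update to the updates that must be installed before it.
PREREQS = {
    "SP-2": {"SP-1"},
    "ROLLUP-A": {"SP-2"},
    "HOTFIX-B": {"SP-1"},
    "PATCH-C": {"ROLLUP-A", "HOTFIX-B"},
}
AVAILABLE = {"SP-1", "SP-2", "ROLLUP-A", "HOTFIX-B", "PATCH-C"}  # held in the patch repository
INSTALLED = {
    "srv-01": {"SP-1", "SP-2", "ROLLUP-A", "HOTFIX-B"},
    "wks-07": {"SP-1"},
    "wks-12": set(),
}

def missing_closure(update, installed, prereqs):
    """Not-yet-installed updates needed to install `update`, itself included."""
    pending, seen = [update], set()
    while pending:
        current = pending.pop()
        if current in installed or current in seen:
            continue
        seen.add(current)
        pending.extend(prereqs.get(current, ()))
    return seen

def deployment_plan(installed, targets, prereqs=PREREQS, available=AVAILABLE):
    """Return (install order, {blocked target: unavailable prerequisites})."""
    needed, blocked = set(), {}
    for target in sorted(targets):
        closure = missing_closure(target, installed, prereqs)
        unavailable = closure - available
        if unavailable:
            blocked[target] = sorted(unavailable)  # fix the repository first
        else:
            needed |= closure
    # Each node lists its prerequisites, so static_order() yields them first.
    graph = {u: prereqs.get(u, set()) & needed for u in sorted(needed)}
    return list(TopologicalSorter(graph).static_order()), blocked

if __name__ == "__main__":
    for machine, have in INSTALLED.items():
        order, blocked = deployment_plan(have, {"PATCH-C"})
        print(machine, "deploy in order:", order, "blocked:", blocked)
```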

On Patch Tuesday

This section outlines the steps to prioritize the Security Patches released by Microsoft and other application vendors and to deploy those patches out to the machines managed in your environment.

12. Study Vendor Information and Patch Tuesday Security Briefings
Microsoft and other vendors provide webinars, email alerts and comprehensive online information on all new Patch Tuesday updates.

Lumension offers a monthly Patch Tuesday Security Briefing as well as other patching guidance on the Lumension® Optimal Security Blog, the Lumension® Patch Tuesday Alerts webpage and in the Patch Tuesday newsletter.

Important information to consider when understanding the impact of Patch Tuesday on your environment includes:
» What is the bulletin severity rating?
» Is the vulnerability known / publicly disclosed at the time of release?
» Does the vendor know of any active exploits at the time of release?
» How easily can the vulnerability be exploited once the bulletin has been released?

13. Prioritize Potential Patches
With the vendor information gathered in step 12 (Study Vendor Information and Patch Tuesday Security Briefings), use patch impact (Critical, Important, etc.), asset risk and value to prioritize your systems for patch testing and deployment. Understand the applicability and impact of deploying these patches to your environment, especially critical machines. When making this assessment, consider: