Microsoft Patch Management

4 Dec 2013

Eamon Breen

Partner Technical Specialist

Microsoft Ireland

Agenda


Situation


Commitments


Progress


Challenges ahead

Situation

Process, Guidance, Tools Critical

[Timeline figure: Product ship → Vulnerability discovered → Component modified → Patch released → Patch deployed at customer site. Callout: "Most attacks occur here".]

Why does this gap exist?

Exploit Timeline

Days From Patch to Exploit

The average is now nine days for a patch to be reverse-engineered

As this cycle keeps getting shorter, patching is a less effective defense in large organizations

Why does this gap exist?

[Chart: Days between patch and exploit (patch, exploit code). Worms shown: Nimda, SQL Slammer, Welchia/Nachi, Blaster. Values shown: 331, 180, 151, 25.]

Secure by Default

60% less attack surface area by default compared to Windows NT 4.0 SP3

Services off by default

Services run at lower privilege

Secure by Design

Code reviews

IIS re-architecture

Threat models

$200M investment

Communications

Secure in Deployment


Configuration automation


Identity management


Monitoring infrastructure


Prescriptive guidance


Community investment


Architecture webcasts


Writing Secure Code 2.0

Trustworthy Computing Initiative

Improving Quality: TwC Scorecard

Critical or important vulnerabilities after launch…

TwC release?    …180 days    270 days
Yes             5            6
No              21           36

For some widely-deployed, existing products:

Service Pack 3 (shipped July 2002, 19 months ago)
Bulletins since TwC release: 1
Bulletins in 19 months period prior to TwC release: 6

Service Pack 3 (shipped Jan. 2003, 13 months ago)
Bulletins since TwC release: 3
Bulletins in 13 months period prior to TwC release: 13

Microsoft Commitment

Build software and services that will help better protect our customers and the industry.



People


Guidance and training for our customers



http://www.microsoft.com/ireland/security


Process


Better processes and tools



Technology


Technology innovation


Trustworthy Computing quality improvements

Training & Guidance: IT Pros


IT Pros: 500K customers to be trained by the end of 2004


Monthly Webcasts and Seminars



http://www.microsoft.com/seminar/events/security.mspx


New guidance on Microsoft.com


http://www.microsoft.com/guidance


Security Guidance Kit CD


New monthly newsletter


http://www.microsoft.com/technet/security/secnews/newsletter.htm


Proactive communications


Using Virus Information Alliance collective data for better threat response

KB articles outline application security enhancements

Global training with more guidance and best practices for securing systems and infrastructure

Training & Guidance: Consumers


Consumers


Protect Your PC education


Syndicating content on retailer, OEM sites

New bimonthly newsletter

Ongoing outreach via consumer advocacy groups

Blaster removal tool

Build awareness to help develop a “maintenance mindset” and encourage best practices and make protections easier to enable

Local Security Training Sessions for IT Professionals

30 Free Security Training Sessions & Webcasts


Dublin, Galway, Cork, Limerick & Belfast


8 Security Modules:


Essentials of Security


Implementing Security Patch Management


Implementing Server Security


Implementing Client Security


Implementing Network Security


Implementing Application and Data Security


Advanced Server and Client Security


Applied Security Strategies


Register at www.microsoft.com/ireland/security




Processes & Tools

Patch Quality & Process


Monthly patch releases since Oct, 2003, 2nd Tues of Month

Operation guidance for SUS SP1, SMS 2.0, SMS 2003 released Nov, 2003

Patch size reduced by 35% or more from 2002 vs. 2003

Reduce patch size by 80% - Mid 2004


Downtime reduced through 10% fewer reboots

Tools


MBSA 1.2 released Jan 19, 2004


Streamlined tool for identifying common security misconfigurations


SMS 2003 launched in November 2003


Comprehensive patch and software management/distribution solution


SUS 2.0 technical beta Q104


Expanded support for Office, SQL Server, Exchange, and hardware drivers


Improved administrative and reporting capabilities

http://www.microsoft.com/technet/security/topics/patch



Improve our processes & quality, and provide better infrastructure management tools

Technology


Windows XP SP2


Easier, effective management of PC security that puts the customer in control

Network protection, safer e-mail and Web browsing, memory protection


Beta 1 released on December 19, 2003


Availability: target RTM H1 CY04

New security technologies for Windows XP to make systems more resilient against attack

Technology


Windows Server 2003 SP1


Role-based security configuration


Network client and remote VPN inspection


Network quarantine


Availability: RTM H2 CY04

Commitment: Update Windows Server 2003 and improve edge protection with technologies that enable a more secure infrastructure

Summary

Get Secure


Stay Secure


People


Engage a Microsoft Certified Partner


Get Technical Staff Trained


Process


Create an Incident Response Process


Microsoft Operations Framework based on ITIL


Security best practices from TechNet


Technology


Microsoft Baseline Security Analyser


Software Update Services


Updated Anti Virus Software


Updated Firewall


Updated Anti Spam Solution

Resources


Patch Management

http://www.microsoft.com/technet/security/topics/patch

Best Practices for Defense in Depth

http://www.microsoft.com/security/guidance

How Microsoft Secures Microsoft

http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp

MSDN Security Development Tools

http://msdn.microsoft.com/security/downloads/tools/default.aspx

© 2003 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.


“many eyes make all bugs shallow”


Eric Raymond


Free Software Foundation

“only if you know what to look for”


Mike Howard


Author of Writing Secure Code

[Chart: Microsoft, SuSE, Sun, RedHat, Mandrake, Debian; Apr-02 to Apr-03; axis 0 to 80]

Source: Mitre cve.mitre.org and vendor security websites

Slight update to last slide

[Chart: Windows XP, Windows 2000, Windows 2003, SuSE, Redhat 7.2, Redhat 8.0, Redhat 9.0, Mandrake 8.2, Mandrake 9.0, Mandrake 9.1; Sep-02 to Sep-03; axis 0 to 100]

Source: Mitre cve.mitre.org and vendor security websites