Patching is a hot topic in security breach after security breach. Patch management is likely the most well established security control out there, so why do so many companies struggle to achieve a good patch management strategy? Join us as we discuss the pitfalls of patching, the complications that still plague us, and best practices to help you fine tune your process—with a dash of just plain common sense thrown in. We will also look at ways Ivanti can help you get a handle on patch management using our latest security innovation, Patch Intelligence.
4. Never Heard of That App Before
• Little known apps are vulnerable
• Software alternatives are vulnerable
• All software is inherently vulnerable
Figure: CVE counts by product
ImageMagick: 357 CVEs resolved in 2017
Adobe Reader: 286 CVEs resolved in 2018 vs Foxit Reader: 187 CVEs resolved in 2018
5. What You Don’t Know
• A single system is all it takes to gain a foothold
• A compliant environment can be compromised from a non-compliant system
Headline: "How a fish tank helped hack a casino"
6. DevOps, Development Binaries, and Platforms
Headline: "US government releases post-mortem report on Equifax hack"
• Apache Struts
• .Net Core
• Chakra Core
• Java 11
• SAP
• Development Environments
7. Prioritizing Vulnerabilities to Resolve
• By Vendor Severity?
• By CVSS score?
• Just deploying OS updates?
Examples:
Headline: "Researchers slap SAP CRM with vuln combo for massive damage" (rated 6.3 and 7.7 by CVSSv3)
Zero Day in Windows 7, Server 2008, Server 2008 R2 from November (CVE-2018-8589), rated as Important (CVSSv3 7.8)
Zero Day DoubleKill (CVE-2018-8174, Critical, CVSSv3 7.5) and Elevation of Privilege exploit from May (CVE-2018-8120, Important, CVSSv3 7)
8. Vendor Release Frequency and Cadence
• Patch Tuesday (Microsoft, Adobe)
• Continuous Delivery (most vendors)
• Security Updates release weekly and many are reactive, not predictable
Week 4 of 2019: Apple iCloud and iTunes, 14 CVEs, 3 at CVSS 9.8
Week 5 of 2019: Chrome 58 CVEs, Firefox 7 CVEs
Week 6 of 2019: "PrivExchange" ADV190007
Week 8 of 2019: Microsoft IIS ADV190005, Acrobat/Reader Bypass
Week 9 of 2019: WinRAR Active Malspam
Week 10 of 2019: Chrome Zero Day
9. People are your weakest link
90+% of security incidents / breaches involve phishing.
4% of recipients in any phishing campaign will click.
All it takes is one person.
49% of malware is installed via email.
11. Discovery and Asset Management
CIS CSC #1 Inventory and control of hardware assets
What is your Source of Truth?
Coming Soon: Ivanti Cloud Device Reconciliation
12. Bridging the Gap Between Security and Operations
CIS CSC #3 Continuous Vulnerability Management
Vulnerability Assessment → Patch Management
Each vulnerability assessment could contain 10s or even 100s of thousands of detected CVEs.
De-duplicating and researching the list of detected CVEs can take 5-8 hours or more with each pass.
New Feature: CVE Import:
• Patch for SCCM
• Security Controls
• Patch for EPM
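Slides 7 and 12 together describe the manual work that a CVE import is meant to remove: collapsing a scanner export in which the same CVE is reported once per host and per scanner, then deciding what to fix first when vendor severity and CVSS disagree. The Python below is an added example, not Ivanti code and not the deck's own material. The scan rows are constructed; the three real CVE IDs, their vendor severities and CVSSv3 scores are the ones quoted on slide 7, and CVE-0000-0000 is a placeholder rather than a real entry. It shows the naive CVSS-only ordering beside one that ranks known-exploited issues first, then vendor severity, then CVSS, then the number of affected hosts.

```python
from dataclasses import dataclass, field


# Constructed scan output, not from the deck: several scanners report the
# same CVE on several hosts, which is what inflates an assessment into
# tens or hundreds of thousands of rows before de-duplication.
@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float
    vendor_severity: str   # Critical / Important / Moderate / Low
    exploited: bool        # known exploited in the wild (zero day)
    scanner: str


# CVE-2018-8174, CVE-2018-8589 and CVE-2018-8120 with their severities and
# scores come from slide 7; CVE-0000-0000 is a placeholder, not a real ID.
FINDINGS = [
    Finding("CVE-2018-8174", "ws-01", 7.5, "Critical", True, "scanner-a"),
    Finding("CVE-2018-8174", "ws-02", 7.5, "Critical", True, "scanner-a"),
    Finding("CVE-2018-8174", "ws-01", 7.5, "Critical", True, "scanner-b"),
    Finding("CVE-2018-8589", "srv-01", 7.8, "Important", True, "scanner-a"),
    Finding("CVE-2018-8120", "srv-01", 7.0, "Important", True, "scanner-a"),
    Finding("CVE-2018-8120", "srv-02", 7.0, "Important", True, "scanner-b"),
    Finding("CVE-0000-0000", "srv-03", 9.8, "Critical", False, "scanner-a"),
]

SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


@dataclass
class CveRecord:
    cve: str
    cvss: float
    vendor_severity: str
    exploited: bool
    hosts: set = field(default_factory=set)


def dedupe(findings):
    """Collapse per-host, per-scanner rows into one record per CVE."""
    records = {}
    for f in findings:
        rec = records.get(f.cve)
        if rec is None:
            rec = CveRecord(f.cve, f.cvss, f.vendor_severity, f.exploited)
            records[f.cve] = rec
        rec.hosts.add(f.host)
        # If any scanner knows the CVE is exploited, treat it as exploited;
        # keep the highest CVSS seen in case scanners disagree on the score.
        rec.exploited = rec.exploited or f.exploited
        rec.cvss = max(rec.cvss, f.cvss)
    return records


def rank_by_cvss(records):
    """The naive ordering: CVSS score only."""
    ordered = sorted(records.values(), key=lambda r: r.cvss, reverse=True)
    return [r.cve for r in ordered]


def prioritize(records):
    """Known-exploited first, then vendor severity, then CVSS, then exposure."""
    ordered = sorted(
        records.values(),
        key=lambda r: (r.exploited, SEVERITY_RANK[r.vendor_severity],
                       r.cvss, len(r.hosts)),
        reverse=True,
    )
    return [r.cve for r in ordered]


if __name__ == "__main__":
    records = dedupe(FINDINGS)
    print(f"{len(FINDINGS)} rows -> {len(records)} unique CVEs")
    print("CVSS only:  ", rank_by_cvss(records))
    print("prioritized:", prioritize(records))
```

With this input, CVSS alone puts the unexploited 9.8 placeholder first and the 7.8 Important zero day ahead of the 7.5 Critical DoubleKill, which is exactly the disagreement slide 7 points at; the exploited-first ordering moves all three zero days to the top.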
13. More Sources of Prioritization
What’s Next? Ivanti Cloud Patch Intelligence
14. Stay Informed - Patch Content Announcement System
Announcements Posted on Community Pages
https://community.ivanti.com/community/other/bulletins/patch-content-notifications
Subscribe to receive email or RSS notifications for desired product(s)
15. Time to Patch
Figure: vulnerability lifecycle timeline (Exploited Zero Day | Public Disclosure | Unknown Vulnerabilities)
Day Zero: Update Releases
0-2 Weeks: Rising Risk
2-4 Weeks: 50% of exploits have occurred
40-60 Days: 90% of exploits have occurred
• Shorten Time to Patch
• Identify/Automate the bottlenecks
• Shorter Test Cycles – Clearly Communicated Stages
• More User Participation – Pilot Groups for Critical Apps
• Classify Applications that need to be done more frequently
16. Internal Communication and Education
• Defined Policy
• SLA
• Exceptions
• Notifications
• Responsibility/Accountability
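Slides 15 and 16 describe a time-to-patch policy: application classes with different patch frequencies, an SLA per class, exceptions with a named owner and a resolution date, and the exploit timeline that makes the clock matter. The Python below is an added example, not Ivanti code and not from the deck. The SLA day counts, class names, product names and dates are assumptions constructed for the example; the phase labels reuse the timeline figures from the slide (50% of exploits by 2-4 weeks, 90% by 40-60 days). It reports each pending update as within SLA, breached, under a valid exception, or under an exception whose resolution date has passed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values: the deck asks for a defined policy, SLA, exceptions
# and accountability but gives no numbers, so these are this example's own.
SLA_DAYS = {"critical-app": 14, "standard": 30}
EXPLOITED_SLA_DAYS = 7  # known-exploited updates get the shortest window


@dataclass
class PatchException:
    owner: str          # who is accountable
    resolve_by: date    # when the exception will be resolved
    reason: str         # vendor update needed, schedule shift, defect ...


@dataclass
class PendingUpdate:
    name: str
    released: date
    app_class: str
    exploited: bool = False
    exception: Optional[PatchException] = None


def due_date(u: PendingUpdate) -> date:
    days = EXPLOITED_SLA_DAYS if u.exploited else SLA_DAYS[u.app_class]
    return u.released + timedelta(days=days)


def risk_phase(days_open: int) -> str:
    """Where an unpatched update sits on the slide's exploit timeline."""
    if days_open < 14:
        return "0-2 weeks: rising risk"
    if days_open < 28:
        return "2-4 weeks: ~50% of exploits have occurred"
    if days_open <= 60:
        return "4-8 weeks: ~90% of exploits have occurred by day 40-60"
    return "beyond 60 days: well past the 90% mark"


def status(u: PendingUpdate, today: date) -> dict:
    """Classify one pending update against the SLA or its exception."""
    days_open = (today - u.released).days
    if u.exception is not None:
        expired = today > u.exception.resolve_by
        state = "exception-expired" if expired else "exception"
        days_over = (today - u.exception.resolve_by).days if expired else 0
    else:
        due = due_date(u)
        state = "sla-breached" if today > due else "within-sla"
        days_over = max((today - due).days, 0)
    return {"name": u.name, "state": state, "days_open": days_open,
            "days_over": days_over, "phase": risk_phase(days_open)}


def report(updates, today):
    """One line per update, suitable for a weekly patch status notification."""
    lines = []
    for s in (status(u, today) for u in updates):
        lines.append(f"{s['name']:<28} {s['state']:<18} open {s['days_open']:>3}d "
                     f"over {s['days_over']:>3}d  {s['phase']}")
    return lines


# Constructed sample queue; names and dates are illustrative only.
TODAY = date(2019, 3, 15)
UPDATES = [
    PendingUpdate("browser zero day", date(2019, 3, 1), "critical-app", exploited=True),
    PendingUpdate("browser monthly update", date(2019, 3, 5), "standard"),
    PendingUpdate("legacy line-of-business app", date(2019, 1, 10), "standard",
                  exception=PatchException("app-owner", date(2019, 3, 1),
                                           "vendor update required")),
    PendingUpdate("ERP platform", date(2019, 2, 20), "critical-app",
                  exception=PatchException("erp-team", date(2019, 4, 30),
                                           "schedule shift")),
]

if __name__ == "__main__":
    print("\n".join(report(UPDATES, TODAY)))
```

The point of the `days_over` field on expired exceptions is the accountability question from slide 18: an exception without a resolution date, or one whose date has quietly passed, is indistinguishable from an unmanaged gap unless something reports it.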
17. Defense In Depth
Figure: vulnerability lifecycle timeline (Exploited Zero Day | Public Disclosure | Unknown Vulnerabilities)
Day Zero: Update Releases
0-2 Weeks: Rising Risk
2-4 Weeks: 50% of exploits have occurred
40-60 Days: 90% of exploits have occurred
120 Days
Layers:
#1 Patch Management to reduce Attack Surface
#2 Application Control to block malware and untrusted payloads
#3 Privilege Management to prevent lateral movement / pivot
18. Managing Exceptions and End of Life’d Systems/Software
• Mitigation for legacy systems
  • Remove Direct Access
  • Virtualize Workloads
  • Segregate from other systems
  • Remove Direct Internet Access
  • Application Containerization
  • Reduce User Access/Privileges
• Exceptions Clearly Accountable
  • Who is accountable?
  • When will the Exception be resolved?
  • Does it require a vendor update?
  • Is it due to a shift in schedule?
  • Is there a defect or bug to resolve?
20. Windows 10 Lifecycle Awareness
Windows 10 Branch Support
Complete Lifecycle Fact Sheet
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
Source: Microsoft
21. Automation
Systems with dependencies:
• Clusters
• Load balanced servers
• Tiered applications
Integrate with DevOps process
Ivanti Automation Standard: free with Ivanti products
APIs
22. May 30 | 11am ET | Free Event
WINDOWS 10 SUMMIT VIRTUAL EVENT
The Ivanti DNA… what makes us what we are, and unique in the industry, is the result of the organic work we’ve done over the years, as well as the strategic acquisitions we have made, each of which added capabilities in our 5 areas of focus:
IT Asset Management
IT Service Management
Operational Security
Unified Endpoint Management
Supply Chain enablement
Our strategy is to become one of the top 1-3 market leaders in each area where we compete, and we are well on our way.
As many of you may know, the Verizon Data Breach Investigations Report (DBIR) is one of the most respected annual reports in the security industry.
Last year the Verizon RISK team found phishing is used in more than 90 percent of security incidents and breaches. (Source: Verizon 2017 DBIR)
Similarly, in 2018 they found email continues to be the most common vector for breaches—walking away with a staggering 96 percent of the blame. And 49 percent of malware gets installed via email! (Source: Verizon 2018 DBIR)
Here’s a quick overview of a three-pronged phishing attack:
The user receives a phishing email with a malicious attachment or a link pointing to a malicious website.
That user clicks and downloads malware, which targets known software vulnerabilities attackers can use to look for secrets and internal information, steal credentials to multiple applications, and/or encrypt files for ransom, for example.
The attackers can also use stolen credentials for further attacks: for example, to log into third-party websites like banking or retail sites.
According to the Verizon RISK team, 4 percent of recipients in any phishing campaign will click on the malicious link or attachment. (Source: Verizon 2018 DBIR)
All it takes is one person.
Given all of this, is it any wonder phishing plays such a prominent role in attacks?
Let’s return to our vulnerability lifecycle model.
(Click) Patching is the greatest reducer of attack surface, but patching alone will not stop everything.
(Click) The CIS framework and many other security frameworks agree that Application Control is one of the most effective complements to patching. It can block file-based malware and untrusted payloads, preventing many attacks from gaining a foothold even if a software vulnerability was exploited.
(Click) Privilege Management is also necessary to reclaim administrative rights, which helps limit lateral movement throughout an environment if a threat actor gains a foothold.
(Click) Application Control and Privilege Management also protect systems before an update is available, or in the case where you have an exception and an update cannot be pushed.
References:
CVE data taken from CVE Details. This is the number of vulnerabilities reported and confirmed by MITRE; it filters out disputed CVEs, duplicates, and revoked entries.
Average time to patch in 2016 taken from the Verizon Data Breach Investigations Report.
Average time to patch in 2018 taken from a report by Tcell that found patching critical CVEs took an average of 34 days: https://blog.tcell.io/whats-going-on-appliation-security-report-2018