2. Agenda
What is Patch Management?
Why is it important?
Which patches are we applying?
How do we manage patches?
When do we patch?
Who is responsible?
Future Plans
3. What is Patch Management?
Part of our overall Vulnerability Management strategy
Patches are released by vendors to address issues identified with their code
Often security related
Sometimes performance or functionality related
Patch Management is the formal program we use to address the need to apply these patches to our systems
Identify available patches
Select patches to be applied
Ensure they are applied according to our policy
Tested to ensure no negative impact
Validate they have been applied
4. Why is Patch Management important?
Patches generally address security issues that, if left unpatched, could lead to:
Denial of Service
Viruses, Worms, other Malware
Data exfiltration
Other malicious activities
Malicious code is generally available to take advantage of significant vulnerabilities within two days from patch release
Defense in depth
5. Which patches are we applying?
Microsoft
OS patches
Middleware patches
Open Source (AIX, Solaris, Red Hat)
OS patches
Web Servers
Apache, Tomcat and IIS
Databases
Those that can be patched will be when patches are released and through service packs
Thus far we have had 0 issues caused by a patch pushed by this program
Rebooting systems has uncovered issues related to the system or the application
Other underlying conditions are revealed after patches are applied
Good to have happen during patching
During scheduled maintenance window
Teams are already engaged and can diagnose quickly
6. How do we manage patches?
All systems (servers and workstations) are subject to monthly patching
Lab systems excluded for now
Leverage existing maintenance windows
Vulnerability Management Team meets monthly to decide which patches to apply
All servers are assigned to 1 of 4 patch groups
Group 1 intended to be DEV
Group 2 intended to be QAS/INFRA
Group 3 intended to be PROD
Group 4 intended to be for manual patching
Ensure we patch systems in Group 1 or 2 before we get to Group 3 so we can test patches before they hit production
Adhere to Change Management process
7. When do we patch?
2nd Tuesday of every month is “Patch Tuesday”
Team meets the next day to determine which patches to push
Group 1 patched the following Sunday 00:01 – 11:59
Group 2 patched the following Sunday 00:01 – 11:59
Group 3 patched the following Sunday 00:01 – 11:59
Group 4 patched the following Sunday 00:01 – 11:59
Schedule posted on ITCM Sharepoint site
Quarterly extended maintenance window
8. When do we patch?
Exceptions Process
Request should be submitted 5 business days in advance of the patch window
Open a service desk ticket
Required information
System name(s)
Application(s) impacted
Justification for exception request
Exclusion date requested
Date patches will be applied
Granted by Vulnerability Management Program Manager
Backup is Director Information Security
Only granted for 1 patch cycle
If needed for longer we will discuss alternative solutions
9. Who is responsible?
Wintel and Open Source Teams
SME
Apply patches
Contract Team
Middleware
Testing
Security Team
Program oversight and validation
System Owners
Some patching
Some testing
10. Future Plans
Citrix systems late 2013
Expect to incorporate more 3rd-party Middleware in 2014
12. Appendix A – Patch Schedule
| Month | Security Meeting | Group 1 (Dev/Test) | Group 2 (Infrastructure/QAS) | Group 3 (Production/Network) |
|---|---|---|---|---|
| 1/1/2013 | Wednesday, January 09, 2013 | Sunday, January 13, 2013 | Sunday, January 20, 2013 | Saturday, January 26, 2013 |
| 2/1/2013 | Wednesday, February 13, 2013 | Sunday, February 17, 2013 | Sunday, February 24, 2013 | Sunday, March 03, 2013 |
| 3/1/2013 | Wednesday, March 13, 2013 | Sunday, March 17, 2013 | Sunday, March 24, 2013 | Sunday, March 31, 2013 |
| 4/1/2013 | Wednesday, April 10, 2013 | Sunday, April 14, 2013 | Sunday, April 21, 2013 | Saturday, April 27, 2013 |
| 5/1/2013 | Wednesday, May 15, 2013 | Sunday, May 19, 2013 | Sunday, May 26, 2013 | Sunday, June 02, 2013 |
| 6/1/2013 | Wednesday, June 12, 2013 | Sunday, June 16, 2013 | Sunday, June 23, 2013 | Sunday, June 30, 2013 |
| 7/1/2013 | Wednesday, July 10, 2013 | Sunday, July 14, 2013 | Sunday, July 21, 2013 | Saturday, July 27, 2013 |
| 8/1/2013 | Wednesday, August 14, 2013 | Sunday, August 18, 2013 | Sunday, August 25, 2013 | Sunday, September 01, 2013 |
| 9/1/2013 | Wednesday, September 11, 2013 | Sunday, September 15, 2013 | Sunday, September 22, 2013 | Sunday, September 29, 2013 |
| 10/1/2013 | Wednesday, October 09, 2013 | Sunday, October 13, 2013 | Sunday, October 20, 2013 | Saturday, October 26, 2013 |
| 11/1/2013 | Wednesday, November 13, 2013 | Sunday, November 17, 2013 | Sunday, November 24, 2013 | Sunday, December 01, 2013 |
| 12/1/2013 | Wednesday, December 11, 2013 | Sunday, December 15, 2013 | Sunday, December 22, 2013 | Sunday, December 29, 2013 |
Green indicates extended maintenance window
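The Appendix A dates can be derived from the rules on the "When do we patch?" slides; the following is an added example, not part of the original deck, that computes one cycle and the exception-request cutoff. Assumptions: the one-week stagger between groups and the Saturday Group 3 dates in January, April, July and October are read off Appendix A, "5 business days" is counted back Monday to Friday with holidays ignored, and all function names are hypothetical.

```python
from datetime import date, timedelta

TUESDAY, SUNDAY = 1, 6   # date.weekday() numbering, Monday = 0
# Assumption: months where Appendix A lists Group 3 on a Saturday, treated
# here as the quarterly extended maintenance window.
EXTENDED_MONTHS = {1, 4, 7, 10}

def second_tuesday(year, month):
    """Patch Tuesday: the second Tuesday of the month."""
    first = date(year, month, 1)
    return first + timedelta(days=(TUESDAY - first.weekday()) % 7 + 7)

def next_weekday(day, weekday):
    """First date strictly after `day` that falls on `weekday`."""
    return day + timedelta(days=(weekday - day.weekday() - 1) % 7 + 1)

def patch_cycle(year, month):
    """Dates for one monthly cycle, keyed like the Appendix A columns."""
    # The meeting is the day after Patch Tuesday, which is not always the
    # second Wednesday (May 2013 starts on a Wednesday).
    meeting = second_tuesday(year, month) + timedelta(days=1)
    group1 = next_weekday(meeting, SUNDAY)
    group3 = group1 + timedelta(weeks=2)
    if month in EXTENDED_MONTHS:
        group3 -= timedelta(days=1)   # Saturday start, per Appendix A
    return {"meeting": meeting, "group1": group1,
            "group2": group1 + timedelta(weeks=1), "group3": group3}

def exception_deadline(patch_date, business_days=5):
    """Count back `business_days` Mon-Fri days from the patch window date
    (assumed reading of the exception rule; holidays are not modelled)."""
    day, remaining = patch_date, business_days
    while remaining:
        day -= timedelta(days=1)
        if day.weekday() < 5:         # Monday..Friday
            remaining -= 1
    return day

def schedule(year):
    """All twelve cycles for a year, January first."""
    return [patch_cycle(year, month) for month in range(1, 13)]

if __name__ == "__main__":
    for cycle in schedule(2013):
        print(cycle, "group 3 exception cutoff:",
              exception_deadline(cycle["group3"]))
```

Under this reading the Group 1 cutoff falls on the Monday before the selection meeting, so a Group 1 exception has to be requested before that month's patch list is decided.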
13. Appendix B - Links
Security Policies - Patch Management Policy is IT-AP-SEC-008-01
– http://sharepointportal/Departments/InformationTechnology/ITDL/Administrative%20Policies/Forms/AllItems.aspx
ITCM Site - patch schedule is on the right under Links
– http://sharepointportal/Departments/InformationTechnology/RFC/Default.aspx
Microsoft Security Bulletins
– http://technet.microsoft.com/en-us/security/bulletin
Information Security Sharepoint site
– http://sharepointportal/Departments/InformationTechnology/InfoSecurity/default.aspx