Third-Party Patching – A Vendor Neutral Framework for Addressing the Other 85% of Vulnerabilities
Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti
If your organization is like most, you likely have clearly defined processes in place for deploying newly released Microsoft security updates each month. If not, you should. We’ve only had 15 years to hone the process, dating back to when Bill Gates dropped the hammer following the massive “Melissa, I Love You” VBScript outbreak. The result of the worm was a halt to all new product development and an immediate review of existing code sets across all Microsoft products. In the following year, this Trustworthy Computing Initiative resulted in the birth of what we have all come to know and love (or hate) as Patch Tuesday. This cyclic schedule of software update releases on the second Tuesday of each month has allowed us to prepare our internal resources to assess applicability, test compatibility and deploy those updates in a structured manner, including obtaining any required change management board approvals.
In short, “We got this!”.
But, do we really got a handle on it? Do you believe your company has a solid grasp on its patch management? Let’s take a look at the facts.
According to data obtained from cvedetails.com, no more than fifteen percent (15%) of all the known vulnerabilities reported over the past three-year period have affected the Microsoft platforms. By that I mean all Microsoft operating systems (both desktop and server versions), Office, Internet Explorer, Skype, Visual Studio, SQL Server, SharePoint, BizTalk, you name it. If it has had the software giant’s name associated with the vulnerable executable, it has only ranged between 9-15% of all the reported vulnerabilities.
So, what about the other 85%? That is where all the third-party applications and non-Microsoft operating systems come into play. In most corporate environments, you’re going to have these applications like PDF readers, Internet browsers, Java-based applications, networking tools, graphic programs and the like. All of these software applications have update releases for new versions or security patches for existing versions. And, as the cloud becomes more and more a part of our daily lives, it becomes increasingly more important that we’re applying these third-party product updates in a timely and consistent manner to protect the attack surfaces that they are introducing as a result of the applications being connected to the Internet.
When I’m giving conference and user group presentations on this topic throughout the country, I tend to ask the audience “Why are you not being as diligent with patching your third-party products as you are your Microsoft updates each month?”, I hear the same reasons over and over again. See if you can relate to them:
- “We don’t have the time”
- “We don’t have the resources”
- “We don’t have the tools available”
This is the recurring theme that I am constantly faced with and I completely understand where they are coming from. In a large-scale enterprise environment with global operations and tens of thousands of endpoints, just handling the Microsoft updates can be a vicious, never-ending cycle requiring at least one full headcount administrator to manage the pilot, user acceptance and production deployments. To illustrate this point, here is a typical approach such an organization might take for patching just Microsoft products each month:
Figure 1 – Patch Release Cycle
As you can see from the figure above, by the time one can get through the deployment cycle of a month’s batch of updates, the next months’ worth is already upon them. It’s a relentless onslaught and quite often a thankless task for the poor soul that is charge with it.
So, what is the solution for our poor SecOps engineer? An integrated solution that can help them with addressing the other 85% percent by utilising the existing investments the organization has made in their patch management framework.
Today, most corporations worldwide are using Microsoft’s Windows Server Update Service component to be able to push out the products from Redmond. Windows Server Update Service (WSUS) is a capable solution but has its limitations. For SMBs, it’s a perfect fit – just synchronise it with WindowsUpdate.com, approve your updates and let it go. Through group policy, the endpoints receive their updates and report back their patch compliance status. Done!
Figure 2 – Windows Server Update Services
For larger, more complex corporate environments requiring more granularity of control, time of deployments, network utilisation and better reporting, WSUS can be integrated into their System Center Configuration Manager (SCCM) product to extend and enhance WSUS. It will use all the existing infrastructure investments in SCCM to improve the scalability of WSUS, provide much more control over to whom and when patches are deployed and much more comprehensive reporting capabilities.
But, back to the point of our poor SecOps guy tasked with also updating Java, Adobe Reader, Chrome, Notepad++ and the like, how is he to integrate these third-party updates into WSUS or SCCM? Thankfully, Microsoft has provided an entry-level solution accelerator named System Center Updates Publisher.
Figure 3 – System Center Updates Publisher
Despite its name, System Center Updates Publisher (SCUP), the product actually first synchronizes its catalogues from the third-party vendor’s website into WSUS, and through WSUS’ native functions, will then synchronize with SCCM.
So, regardless of whether you have SCCM deployed or not, you’re able to use SCUP to integrate the following vendor update catalogues into your WSUS/SCCM environment(s):
- Adobe Acrobat 11
- Adobe Acrobat X
- Adobe Flash Player
- Adobe Reader 11
- Adobe Reader X
- Dell Business Client Updates
- Dell Server Updates
- Fujitsu Technology Solutions
- HP Client Updates
- Hewlett Packard Enterprise
Now as you may have already noticed, the list of available products is pretty slim. The reality is that Microsoft hasn’t really seen the independent software vendor (ISV) support that they had hoped to with SCUP. In fact, Adobe is the only ISV to get on board with it. The other three vendors are all hardware, providing firmware and driver updates.
So, how is one to go about fully addressing the problem at hand with the other 85%? That is a void Microsoft has intentionally left to the partner community to fill. Over the past several years a few key players have emerged to help organizations patch third-party applications by natively integrating into WSUS, SCCM or both.
DISCLAIMER: I am employed by one such partner company, but for the purposes of this article I will refrain from calling out any specific vendor, but instead speak to what you should be looking for in any solution that addresses third-party patching – my company’s product aside.
What should an organization look for in a third-party patch management solution? The following table includes a list of items that I would include in any assessment or proof-of-value project for third-party patch management. I hope it will be of use to you during your evaluation process.
Table 1 – Patch Management Solution Selection Criteria
|Third-Party Patching Solution Selection Criteria||Critical||Optional||
|The solution is dedicated and specialized for patching the 3rd-party applications via Microsoft WSUS/SCCM.|
|It is scalable and can grow with Microsoft WSUS/SCCM without restrictions.|
|True plugin-based and seamlessly integrated into Microsoft SCCM environment without requiring additional software components or separate agents to be installed.|
|Provides automation of recurring administrative tasks, including automatic import, download, publishing and synchronization of patch catalogs/contents.|
|Leverages WSUS/SCCM deployment features (including interfaces, mechanisms, wizards, etc.) and doesn’t change the administrator experience or require additional training.|
|Also leverages WSUS/SCCM reporting engine and templates thus providing consistent compliance reporting across all content.|
|The solution provides ‘normalized’ content where different content from various vendors as well as the native content provided by WSUS/SCCM itself are all treated in the same way, and don’t require custom modification or scripting. This results in all content to be viewed, deployed and reported on in a consistent fashion.|
|It covers patch content of the most vulnerable/targeted and most common 3rd-party applications in corporate networks. This includes (but not limited to) content from Adobe, Apple, Citrix, Oracle, VMware, Google, Mozilla, etc.|
|Provides enhanced content with powerful applicability detection rulesets.|
|Includes enhanced security metadata with detailed description of content.|
|Provides enhanced content with information about what updates are superseded by any particular package.|
|The solution provides enhanced content with the vendor security identifier information (vendor convention of content bulletin IDs, labelling and serialization)|
|Provides enhanced content with reference information about any industry-standard CVE metadata associated with any particular package (i.e. MITRE, NIST, etc.)|
|It includes a user-friendly configuration wizard that helps administrators configure the solution as well as select the desired patch content.|
|The solution provides flexible controls for synchronization scheduling.|
|Provides the ability for automatic subscriptions on product level, where any new content for the selected product(s) is automatically retrieved once released by the vendor(s).|
|Includes access to multiple versions of software update content (not only the latest version) for more convenience and meeting corporate/enterprise needs. This also avoids unintended version upgrades that can result in unwanted or negative outcomes.|
|Incorporates alerting templates to notify on common events (including new updates availability, failed synchronization, license issues, etc.).|
|Provides mechanisms for admins to subscribe to alerts so they will receive emails when a selected alert has been triggered.|
|Retrieves the content in protected manner via secure and validated communication channels.|
|The solution uses native role-based access controls and security scopes to define whom can push security updates to which systems.|
|The solution can seamlessly integrate into Automatic Deployment Rules (ADRs) to enhance process automation as it relates to establishing a patch management framework.|
|The solution can quickly and easily be utilized for creating security-centric configuration baselines for compliance reporting and alerting.|
Have I missed something? Let me know. I love hearing from my readers. Otherwise, happy patching!
(Thank you to Andrew H. Bradley III for his assistance with reviewing this article.)
About the Author
As a nearly 20-year veteran of Information Technology with a laser focus on Systems & Security Management, Duncan McAlynn, is a driven and passionate IT professional. He is a contributing author/editor to several books, magazine publications, and websites as well as a popular presenter at many Microsoft events. These activities have led to him receiving the Microsoft Most Valuable Professional award for six consecutive years and being named a member of the FBI InfraGard division.
Duncan has held a number of certifications and awards including 6x Microsoft MVP, MCITP, MCSA, MCSE, & CISSP.
Today, Duncan is a Principal Security Engineer & Evangelist for Ivanti, ISSA Gulf Coast TX chapter president & author of Advanced Windows Security.
Duncan can be reached on Twitter at @infosecwar and his website http://windowssecurity.tips.