Vulnerability Intelligence versus Vulnerability Management

Monday, July 30, 2012

Richard Stiennon


Ten years ago I was one of those ivory-tower analysts who would issue warnings to enterprise clients to patch their servers whenever a new critical vulnerability in Microsoft software was announced.

Bear in mind that this was before Microsoft consolidated all of their patch announcements into one big blast on the second Tuesday of every month (patch Tuesday).

Patching was an almost impossible task, as was made clear to me by CIOs who would tell me “Do you realize what you are saying? We have 2,000 Windows servers in our environment. Patching even one of those means scheduling down time on a weekend, taking it offline for hours, installing a patch, fixing anything that breaks, and then bringing it online again.

By the time we are done there is another emergency patch to install!” I learned my lesson and you may have noticed that I do not warn people to patch, patch, patch every month.

Microsoft addressed their patch management issues with Systems Management Server (SMS), or the newer Windows Server Update Services (WSUS). The process is still remarkably cumbersome. Microsoft’s own advice for maintaining security patches is:

  • Detect. Use tools to scan your systems for missing security patches. The detection should be automated and will trigger the patch management process.
  • Assess. If necessary updates are not installed, determine the severity of the issue(s) addressed by the patch and the mitigating factors that may influence your decision. By balancing the severity of the issue and mitigating factors, you can determine if the vulnerabilities are a threat to your current environment.
  • Acquire. If the vulnerability is not addressed by the security measures already in place, download the patch for testing.
  • Test. Install the patch on a test system to verify the ramifications of the update against your production configuration.
  • Deploy. Deploy the patch to production computers. Make sure your applications are not affected. Employ your rollback or backup restore plan if needed.
  • Maintain. Subscribe to notifications that alert you to vulnerabilities as they are reported. Begin the patch management process again.

They suggest using Microsoft Baseline Security Analyzer (MBSA) for vulnerability scanning, but of course there are many options, from free to expensive. The trouble with relying on MBSA is that most organizations run many products that are not from Microsoft: Oracle, SAP, Adobe and Cisco, to name a few.
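To make the Detect and Assess steps above concrete across a mixed, non-Microsoft estate, here is an added example (my own illustration, not code from Microsoft, Secunia or the article). It assumes a constructed multi-vendor vulnerability feed and a constructed host inventory; the product names, versions and severity numbers are sample values, not real advisories.

```python
# Added example: "Detect" and "Assess" from the patch process, run against a
# constructed vulnerability feed and a constructed host inventory.
from dataclasses import dataclass
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.1.4' into (10, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

# Constructed feed: product -> (first fixed version, base severity 1..5).
# Sample values only; the point is that it covers more than one vendor.
FEED: Dict[str, Tuple[str, int]] = {
    "adobe-reader": ("10.1.4", 5),
    "oracle-db": ("11.2.0.3", 4),
    "cisco-ios": ("15.1.4", 3),
}

@dataclass
class Host:
    name: str
    software: Dict[str, str]   # product -> installed version
    internet_facing: bool      # exposure raises urgency
    ips_covered: bool          # an IPS signature already blocks the known exploit

def detect(host: Host) -> List[str]:
    """Detect: products whose installed version is older than the fixed version."""
    return [p for p, v in host.software.items()
            if p in FEED and parse_version(v) < parse_version(FEED[p][0])]

def assess(host: Host, product: str) -> int:
    """Assess: adjust feed severity by mitigating factors; higher means patch sooner."""
    score = FEED[product][1]
    if host.internet_facing:
        score += 1
    if host.ips_covered:
        # Only a mild discount: the article notes attackers are often already
        # inside the perimeter, so IPS coverage does not remove the need to patch.
        score -= 2
    return max(score, 0)

def prioritise(hosts: List[Host]) -> List[Tuple[int, str, str]]:
    """Return (score, host, product) triples, most urgent first, as the patch queue."""
    work = [(assess(h, p), h.name, p) for h in hosts for p in detect(h)]
    return sorted(work, reverse=True)

if __name__ == "__main__":
    web = Host("web01", {"adobe-reader": "10.1.3", "cisco-ios": "15.2.1"}, True, False)
    db = Host("db01", {"oracle-db": "11.2.0.2", "adobe-reader": "10.1.4"}, False, True)
    for score, host, product in prioritise([web, db]):
        print(f"{score}  {host}  {product}")
```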

Despite the fact that every security framework from Cobit to ITIL to ISO calls for vulnerability scanning, and PCI DSS requires it, most organizations are still doing it on an ad-hoc basis, if at all. My friend Aviram Jenik at Beyond Security tells me that over half the enterprises his sales team approaches are unaware of the need for vulnerability management!

There is even the idea that you do not need to patch, you just need to protect vulnerable systems with IPS and firewalls. Nice idea, but in this day of sophisticated attacks you can be sure that hackers are already inside the network behind the firewall.

Secunia is a Copenhagen based company that has pioneered the vulnerability intelligence space. If you watch my interview with its founder, Niels Henrik Rasmussen, you will learn that Secunia maintains and licenses a comprehensive vulnerability data base of all (well, a lot of) products, not just Microsoft.

Enterprises can license the vulnerability feed or use Secunia’s own vulnerability scanner. They have even introduced a patch management tool.

For more of the product details watch this video of Morten Rinder Stengaard, Director of Product Management at Secunia:

Hardening systems is one of the most important things you can do to counter targeted attacks, yet most organizations have yet to operationalize the process. I understand how hard (and expensive) it is. And it is easy for an analyst to wave the flag of “Patch now!” So forgive me for giving hard advice.

Marc Quibell Grrr I want my 5 mins back...