Implementing and Managing Patch and Configuration Management: Introduction
Endpoint devices have been the bane of security practitioners for as long as we can remember. Whether it’s unknowing users who click anything, folks who don’t think the rules apply to them, or the forgetful sorts who just leave their devices anywhere and everywhere, keeping control over endpoints causes heartburn at many organizations. To address these concerns, Securosis recently published our Endpoint Security Management Buyer’s Guide, which began with a list of the key issues complicating endpoint security management, including:
- Emerging Attack Vectors: Everyone wants to talk about advanced attacks because they are exciting and sexy, but many successful attacks stem from simple operational failures. Whether it’s an inability to patch in a timely fashion, or to maintain secure configurations, far too many people leave the proverbial barn doors open on their devices. Or attackers target users via sleight-of-hand and social engineering. Employees unknowingly open the doors for attackers – and enable data compromise. That doesn’t mean you don’t have to worry about advanced malware or persistent attackers, but if your operational house isn’t in order yet it would be premature.
- Device Sprawl: A typical organization has a variety of PC variants running numerous operating systems. Those PCs may be virtualized and may connect in from anywhere in the world – including networks you do not control. Even better, many employees carry smartphones in their pockets and tablets in their backpacks, but those devices are all just more computers. Any endpoint security management controls and processes you implement need to be consistently enforced across the sprawl of all your devices.
- BYOD: Mobile devices are the tip of the iceberg – many organizations are increasingly supporting BYOD (bring your own device) policies, which means you need to protect not only corporate computer assets but employees’ personal devices as well. So you need to support any variety of PC, Mac, smartphone, or tablet any employee wants to use. This requires the ability to granularly manage device policies. Additionally, patching an app on an employee device might break a device capability which the user/owner relies on.
To provide this more strategic view of endpoint security management, we identified 4 specific controls typically used to manage the security of endpoints, and broke them up into periodic and ongoing controls, depicted below.
To refresh your memory, here is a quick description of both patch and configuration management:
- Patch Management: Patch managers install fixes from software vendors to address vulnerabilities. The best known patching process comes from Microsoft on a monthly schedule. On Patch Tuesday, Microsoft issues a variety of software fixes to address defects that could result in exploitation of their systems. Once a patch is issued your organization needs to assess it, figure out which devices need to be patched, and ultimately install the patch within the window specified by policy – typically a few days. A patch management product scans devices, installs patches, and reports on the success and failure of the process.
- Configuration Management: Configuration management enables an organization to define an authorized set of configurations for devices in use within the environment. These configurations govern the applications installed, device settings, services running, and security controls in place. This is important because a changing configuration might indicate malware manipulation or an operational error. Additionally, configuration management can help ease the provisioning burden of setting up and reimaging devices. Configuration management enables your organization to define what should be running on each device based on entitlements, and to identify non-compliant devices.
You bought the technology – what now? It’s time to implement and manage your new toys, so we are starting a new series entitled “Deploying and Managing Patch and Configuration Management” to document our research. As we mentioned in the Endpoint Security Management Buyer’s Guide, there is tremendous leverage between patch and configuration management offerings, so we will cover both controls in this series. Let’s dig a bit into the two deployment models to cover, and how we will work through the implementation and management processes.
Quick Wins for long term success
One of the main challenges in implementing any security technology is to show immediate value to justify the investment. Of course you can install patches and manage configurations manually, or using built-in and/or free utilities for the endpoints you manage. When spending money on patch and configuration management you need to focus on value – above and beyond what you already had – so we will break the implementation process into two phases, described below:
- The Quick Wins process is for initial deployments. Its focus is on rapid deployment on critical devices with access to sensitive data. You will take this opportunity to fine-tune the deployment and policies, which streamlines the path to full deployment later.
- The Full Deployment process is for the long haul. It’s a methodical series of steps to full enforcement of enterprise patch and/or configuration policies. The goal of both controls is to minimize exposure, which means ensuring patches are applied as quickly as practical, and monitoring configurations to ensure malware hasn’t made unauthorized configuration changes.
The key difference is that the Quick Wins process doesn’t cover every endpoint – just the most important ones. It’s about getting up and running quickly, and helping set the stage for full deployment. Full Deployment is where you dig in, spend more time, and implement long-term policies across all devices. Full coverage is critical because today’s attackers often do not go directly after sensitive data stores. They tend to start slowly, gaining presence via known vulnerabilities and configuration mistakes, patiently moving laterally through the environment until they access their target.
So we designed these processes to complement each other. If you start with Quick Wins, all your work feeds directly into Full Deployment. If you already know where you want to focus and have a mature endpoint management infrastructure, you can jump right into Full Deployment. Either way, our process guides you around common problems and should help speed implementation.
No matter whether you choose Quick Wins or Full Deployment, we break the implementation process into four major steps:
- Prepare: Determine which process you will use, define priorities among users and devices, and gain consensus on the processes to be used. You will also need to ensure all parties involved understand their roles and will be accountable for results – including not just security scanning and monitoring functions, but also the operations folks in charge of remediating any issues.
- Integrate and Deploy Technology: Next you will determine your deployment architecture and integrate with your existing infrastructure. We cover most integration options – even if you only plan on a limited deployment (and no, you don’t have to do everything at once). This involves not just setting up the endpoint security management platform, but also deploying any required agents to manage devices.
- Configure and Deploy Policies: Once the pieces are integrated you can configure initial settings and start policy deployment. Patch and configuration management policies are fundamentally different, so we will address them separately.
- Ongoing Management: At this point you should be up and running. Managing is all about handling incidents, deploying new policies, tuning and removing old ones, and system maintenance.
This paper will go into depth on each step, focusing on what you need to know to get the job done. Implementing and managing patch and configuration management doesn’t need to be intimidating. So we have focused on ensuring you know what needs to get done to achieve quick value within a sustainable process.