Patch management process
Does anyone that deals with patch management have any input on solutions or services or subscriptions that notify you when a release of a patch is announced? As an example, I just looked at our Java version and it is outdated but never got notified of a new patch release. So I'd like to know what others are using for notifications. Do you subscribe to a service or just to the solutions or products you use? Maybe a site or something similar.
Comments
- scaredoftests (Mod): We run an ACAS scan that gets all security/patch alerts. We then incorporate these into our patch schedule.
  Never let your fear decide your fate....
- scaredoftests (Mod): Yes, the Nessus scans as well. Very helpful.
  Never let your fear decide your fate....
- kiki162: Monthly.... LOL
Yeah, Nessus Manager will help you in monitoring patches on your network. Other PM solutions can get pretty heavy as far as downloading and storing updates. Are you a few versions behind on your Java?
- tedjames: US-CERT sends periodic updates. If you're not subscribed to their list, you should get on that. You can find more info here:
https://www.us-cert.gov/ncas
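A subscription list only helps if someone reads it, so a common way to turn the US-CERT (NCAS) announcements into a notification is to poll the RSS feed, remember which entries you have already seen, and only raise the new ones that mention software you actually run. The script below is an added example written for this thread, not code from US-CERT or from any poster. The feed XML, the `seen` set and the `INVENTORY` keyword map are constructed sample data; with a real deployment you would fetch the feed bytes from the NCAS site linked above with `urllib.request`, persist the seen GUIDs between runs and send the `relevant` list to email or a ticketing queue.

```python
"""Diff an RSS advisory feed against previously seen entries and flag the
new items whose titles mention a product in a local inventory.

Added example for the thread, not the poster's or US-CERT's code. The feed
below is CONSTRUCTED to mimic an NCAS-style RSS 2.0 feed; in practice fetch
the live feed bytes and pass them to new_advisories().
"""
import xml.etree.ElementTree as ET

# Constructed sample feed: one item already seen, two relevant new ones, one noise.
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Constructed sample feed</title>
  <item><title>Oracle Releases Security Bulletin for Java SE</title>
        <link>https://example.invalid/alerts/1</link>
        <guid>alert-1</guid><pubDate>Tue, 16 Jan 2018 12:00:00 GMT</pubDate></item>
  <item><title>Adobe Releases Security Updates for Flash Player</title>
        <link>https://example.invalid/alerts/2</link>
        <guid>alert-2</guid><pubDate>Tue, 16 Jan 2018 13:00:00 GMT</pubDate></item>
  <item><title>Microsoft Releases Security Updates</title>
        <link>https://example.invalid/alerts/3</link>
        <guid>alert-3</guid><pubDate>Wed, 17 Jan 2018 09:00:00 GMT</pubDate></item>
  <item><title>Vendor X Releases Update for Widget</title>
        <link>https://example.invalid/alerts/4</link>
        <guid>alert-4</guid><pubDate>Wed, 17 Jan 2018 10:00:00 GMT</pubDate></item>
</channel></rss>"""

# Constructed inventory: lower-case keyword to look for in titles -> what we run.
INVENTORY = {
    "java": "Java SE 8 (workstations)",
    "flash": "Flash Player (IE plugin)",
    "microsoft": "Windows / Office",
}


def parse_feed(xml_bytes):
    """Return a list of {guid, title, link, pubDate} dicts from an RSS 2.0 feed."""
    root = ET.fromstring(xml_bytes)
    items = []
    for item in root.iter("item"):
        items.append({
            # Fall back to the link when a feed omits <guid>.
            "guid": item.findtext("guid") or item.findtext("link"),
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "pubDate": item.findtext("pubDate", ""),
        })
    return items


def new_advisories(xml_bytes, seen_guids, inventory=INVENTORY):
    """Return (relevant, updated_seen).

    relevant: feed items not in seen_guids whose title mentions an inventory
              keyword, each annotated with the matching product names.
    updated_seen: the seen set extended with every guid in the feed, so that
              irrelevant entries are not re-evaluated on the next poll.
    """
    relevant = []
    seen = set(seen_guids)
    for entry in parse_feed(xml_bytes):
        if entry["guid"] in seen:
            continue
        seen.add(entry["guid"])
        lowered = entry["title"].lower()
        hits = [name for kw, name in inventory.items() if kw in lowered]
        if hits:
            entry["affects"] = hits
            relevant.append(entry)
    return relevant, seen


if __name__ == "__main__":
    # Simulate a second poll: alert-1 was already handled on the previous run.
    items, seen = new_advisories(SAMPLE_FEED, {"alert-1"})
    for it in items:
        print(f"{it['pubDate']}  {it['title']}  -> {', '.join(it['affects'])}  {it['link']}")
```

Keyword matching on the title is deliberately crude; the point is that the seen-set makes the check idempotent, so the same advisory never pages twice, and the inventory filter keeps the noise down to products you own.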
- gespenstern: It is Patch Tuesday in the second week of each month. Other vendors have aligned their patch release cycles to the MS one.
So patches get applied each month; that's a general schedule. Usually test/dev, then QA, then prod. In some critical environments it takes days before prod gets updated; in some lousy ones it can take more than a month since the release date. PCI DSS prescribes a 30-day limit for critical patch application (doesn't matter much, as critical patches get released almost every month). HITRUST says "in a timely manner" AFAIR; HIPAA doesn't care about specifics.
There should be two schedules: one for regular security patches (99%+) and another for out-of-band (doesn't happen often) supercritical patches.
Nessus and other tools (Qualys, OpenVAS etc.) suck, as they can't measure the patch level of a software program that doesn't have a service exposed, such as Java, browsers, Flash, MS Office, firmware, drivers etc. They are okay as complementary tools, but you shouldn't rely on them in your decision-making process.
What you should rely on are SCCM/Secunia/MBSA reports; choose two of them for a second opinion and proceed. It's nice to use SCCM/Secunia, or Secunia integrated into SCCM, as they report missing patches and you can deploy only the ones that are missing, selectively. SCCM can't deal with 3rd-party software (unless it's Flash for IE), so another solution should be in place that integrates with it, usually Secunia or Shavlik; Secunia is better but more expensive. This way you can patch thousands or tens of thousands of machines with a relatively small amount of admin effort; it's like ~120 hours of a skilled engineer per month for patching, administrative work and compliance/reporting, provided that the environment is standardized. If not, standardize it and save on effort later on. That's for MS.
For IBM Power Systems (Power, IBM i, Linux on Power) there's PowerSC with a similar feature set, but less advanced. Doesn't matter much though, as it's a rare case when you have at least a hundred of them, so it's manageable.
Can't tell for RedHat or Debian based distros; haven't dealt with patch management there firsthand, but there should be something. I imagine it's Ansible or Puppet.
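The post above makes two points that are easy to get wrong in a home-grown report: installed-version data for software with no exposed service (Java, Flash, Office) has to come from an inventory/reporting tool rather than a network scanner, and once you have it, the useful question is "which hosts are below the patched version and how far past the 30-day window are they". The script below is an added example for this thread, not code from any poster or from SCCM/Secunia. The inventory rows, baseline versions and release dates are constructed; the point it adds is the version comparison, since a naive string compare ranks Java `1.8.0_99` above `1.8.0_201`, and the same product shows up as `1.8.0_161` in one report and `8u161` in the vendor bulletin.

```python
"""Compare an installed-software inventory (the kind of rows an SCCM or
Secunia style report gives you) against a patch baseline, and report hosts
below baseline together with how far past the 30-day window they are.

Added example for the thread, not any poster's or vendor's code. INVENTORY,
BASELINE and the dates are CONSTRUCTED sample data.
"""
import re
from datetime import date

PCI_WINDOW_DAYS = 30  # critical-patch limit the thread cites from PCI DSS


def parse_version(text, legacy_java=False):
    """Normalise a version string into a tuple of ints that compares correctly.

    '11.0.2'        -> (11, 0, 2)
    '28.0.0.137'    -> (28, 0, 0, 137)
    '8u161'         -> (8, 0, 161)           (Java 'update' shorthand)
    '1.8.0_161'     -> (8, 0, 161)           only when legacy_java=True, because
                       the legacy Java scheme prefixes the major version with '1.'
    Plain string comparison would rank '1.8.0_99' above '1.8.0_201'.
    """
    m = re.fullmatch(r"(\d+)u(\d+)", text)
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    parts = [int(p) for p in re.split(r"[._]", text)]
    if legacy_java and len(parts) >= 2 and parts[0] == 1:
        parts = parts[1:]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


# Constructed baseline: product -> (minimum patched version, bulletin release date)
BASELINE = {
    "Java SE 8": ("8u161", date(2018, 1, 16)),
    "Flash Player": ("28.0.0.137", date(2018, 1, 9)),
}

# Constructed inventory rows: (host, product, installed version as reported)
INVENTORY = [
    ("ws-001", "Java SE 8", "1.8.0_201"),
    ("ws-002", "Java SE 8", "1.8.0_99"),
    ("ws-003", "Java SE 8", "8u161"),
    ("ws-004", "Flash Player", "28.0.0.126"),
    ("ws-005", "Some Other App", "1.2.3"),  # not in baseline, ignored
]


def missing_patches(inventory, baseline, today):
    """Return (host, product, installed, required, days_overdue) for every host
    whose installed version is below the baseline. days_overdue is negative
    while the host is still inside the PCI window."""
    findings = []
    for host, product, installed in inventory:
        if product not in baseline:
            continue
        required, released = baseline[product]
        legacy = product.startswith("Java")
        if parse_version(installed, legacy) < parse_version(required, legacy):
            days_overdue = (today - released).days - PCI_WINDOW_DAYS
            findings.append((host, product, installed, required, days_overdue))
    return findings


if __name__ == "__main__":
    for row in missing_patches(INVENTORY, BASELINE, date(2018, 2, 20)):
        host, product, installed, required, overdue = row
        state = f"{overdue} days past window" if overdue > 0 else f"{-overdue} days left"
        print(f"{host:8} {product:14} has {installed:12} needs {required:12} {state}")
```

The baseline dictionary is the piece that has to be maintained by hand (or fed from the notification step); everything else is mechanical, which is what makes the monthly cycle the post describes sustainable for thousands of hosts.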