Patching is a hot topic in security breach after security breach. Patch management is likely the most well established security control out there, so why do so many companies struggle to achieve a good patch management strategy? Join us as we discuss the pitfalls of patching, the complications that still plague us, and best practices to help you fine tune your process—with a dash of just plain common sense thrown in. We will also look at ways Ivanti can help you get a handle on patch management using our latest security innovation, Patch Intelligence.

1. SCB210 - Patch Management Best
Practices 2019
Chris Goettl
Director of Product management, Security

2. Patch Management
Trends and Pitfalls

3. Increase in Vulnerabilities
0
2000
4000
6000
8000
10000
12000
14000
16000
18000
2010 2011 2012 2013 2014 2015 2016 2017 1018
CVE Count by Year

4. Never Heard of That App Before
• Little known apps are vulnerable
• Software alternatives are vulnerable
• All software is inherently vulnerable 357 CVEs
Resolved in 2017
ImageMagick
286 CVEs
Resolved in 2018
Adobe Reader
187 CVEs
Resolved in 2018
Foxit Reader
vs

5. What You Don’t Know
• A single system is all it takes to gain
a foothold
• A compliant environment can be
compromised from a non-compliant
system
How a fish tank helped hack a casin

6. DevOps, Development Binaries, and Platforms
US government releases post-mortem
report on Equifax hack • Apache Struts
• .Net Core
• Chakra Core
• Java 11
• SAP
• Development Environments

7. Prioritizing Vulnerabilities to Resolve
Rated 6.3 and 7.7 by CVSSv3
Researchers slap SAP CRM with vuln
combo for massive damage
Zero Day in Windows 7, Server 2008, Server
2008 R2 from November (CVE-2018-8589)
rated as Important (CVSSv3 7.8)
• By Vendor Severity?
• By CVSS score?
• Just deploying OS updates?
Zero Day DoubleKill (CVE-2018-8174, Critical,
CVSSv3 7.5) and Elevation of Privilege exploit
from May (CVE-2018-8120, Important, CVSSv3 7)

8. Vendor Release Frequency and Cadence
• Patch Tuesday (Microsoft, Adobe)
• Continuous Delivery (most vendors)
• Security Updates release weekly and
many are reactive not predictable
Week 4 of 2019
Apple iCloud and iTunes
14 CVEs 3 at CVSS 9.8
Week 8 of 2019
Microsoft IIS ADV190005
AcrobatReader Bypass
Week 5 of 2019
Chrome 58 CVEs
Firefox 7 CVEs
Week 9 of 2019
WinRAR Active Malspam
Week 6 of 2019
“PrivExchange” ADV190007
Week 10 of 2019
Chrome Zero Day

9. People are your weakest link
90+%of security incidents /
breaches involve phishing.
4%
of recipients in any
phishing campaign
will click.
All it takes is one person.
49%of malware is installed
via email.

10. Patch Management
Best Practices

11. Discovery and Asset Management
CIS CSC #1 Inventory and control of hardware assets
What is your
Source of
Truth?
Coming Soon:
Ivanti Cloud
Device
Reconciliation

12. Bridging the Gap Between Security and Operations
CIS CSC #3 Continuous Vulnerability Management
Vulnerability
Assessment
Patch
Management
Each vulnerability
assessment could
contain 10s or even
100s of thousands of
detected CVEs.
De-duplicating and
researching the list of
detected CVEs can take
5-8 hours or more with
each pass.
New Feature:
CVE Import:
• Patch for SCCM
• Security Controls
• Patch for EPM

13. More Sources of Prioritization
What’s Next?
Ivanti Cloud
Patch Intelligence

14. Stay Informed - Patch Content Announcement System
Announcements Posted on Community Pages
 https://community.ivanti.com/community/other/bulletins/patch-content-
notifications
 Subscribe to receive email or RSS notifications for desired product(s)

15. Time to Patch
Exploited Zero Day
Public Disclosure
Unknown Vulnerabilities
0-2 Weeks
Rising Risk
Day Zero
Update
Releases
2-4 Weeks
50% of exploits
have occurred
40-60 Days
90% of exploits
have occurred
• Shorten Time to Patch
• IdentifyAutomate the bottlenecks
• Shorter Test Cycles – Clearly Communicated Stages
• More User Participation – Pilot Groups for Critical Apps
• Classify Applications that need to be done more frequently

16. Internal Communication and Education
• Defined Policy
• SLA
• Exceptions
• Notifications
• ResponsibilityAccountability

17. Defense In Depth
Exploited Zero Day
Public Disclosure
Unknown Vulnerabilities
0-2 Weeks
Rising Risk
Day Zero
Update
Releases
2-4 Weeks
50% of exploits
have occurred
40-60 Days
90% of exploits
have occurred
120 Days
#1 Application Control
#2 Privilege Management
#1 Patch Management to reduce Attack Surface
#2 Application Control to block malware and untrusted payloads
#3 Privilege Management to prevent lateral movement pivot

18. Managing Exceptions and End of Life’d SystemsSoftware
• Mitigation for legacy systems
• Remove Direct Access
• Virtualize Workloads
• Segregate from other systems
• Remove Direct Internet Access
• Application Containerization
• Reduce User AccessPrivileges
• Exceptions Clearly Accountable
• Who is accountable
• When will the Exception be resolved
• Does it require vendor update
• Is it due to a shift in schedule
• Is there a defect or bug to resolve

19. Follow the User

20. Windows 10 Lifecycle Awareness
 Windows 10 Branch Support
 Complete Lifecycle Fact Sheet
 https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
Source: Microsoft

21. Automation
 Systems with dependencies:
 Clusters
 Load balanced servers
 Tiered applications
 Integrate with DevOps process
 Ivanti Automation Standard
 Free with Ivanti products
 APIs

22. May 30 | 11am ET | Free Event
WINDOWS 10
SUMMIT VIRTUAL
EVENT

23. Thank you