Differentiating Between Higher-Risk Systems and Higher-Risk Compliance
The Role of Security Patch & Vulnerability Management
IT security professionals who are already managing the bottom-line expectations of their boardrooms while guarding their organizations against myriad security threats have a new "C-level" challenge -- measuring network security and demonstrating IT compliance against industry and regulatory requirements. They must now ensure the health of their IT infrastructure while meeting voluntary standards and mandatory regulations such as Sarbanes-Oxley, among others.
A critical piece of the compliance puzzle, and a component that already underpins the enterprise IT security posture, is patch and vulnerability management. It is quickly becoming a multi-faceted solution that IT security professionals employ to address this challenge as part of a layered security approach.
The difficulty lies in determining the exact role of an automated patch and remediation policy, and how it supports and satisfies voluntary and regulatory compliance. It is also important to recognize that compliance is an attainable goal for security professionals.
The Dual Dilemma: Security & Compliance
IT departments must continually secure their infrastructure against new and emerging threats such as viruses and worms while ensuring business availability. They must also demonstrate to auditors the adequacy of that security through measurement and process. The roadmap to regulatory compliance rests on three technical competencies (command and control, threat mitigation, and audit and monitoring), all of which directly support the business goals of management, security and availability.
Systems Management Under Security Scrutiny
The most frequent question organizations ask about regulations is how to interpret the laws and apply real-world security solutions to meet compliance. Regulations don't stipulate any specific security tools or products. Instead, they ask each organization to demonstrate how they are protecting the information contained in IT systems to a level commensurate with its value. These protections include:
• Applying adequate security protections for customer data according to stated corporate security and privacy policies,
• Following best practices to secure a network's perimeter and access to systems on the network, and
• Protecting confidential information and limiting access to personally identifiable information.
The lack of specificity in regulations creates uncertainty about what compliance means, what auditors are looking for, and what vulnerabilities are considered unacceptable risks.
The most common missing component is security management. This is a serious gap because it prevents IT staff from demonstrating and reporting the effectiveness of the security controls already in place. For example, a business may use a systems management tool such as Microsoft Systems Management Server (SMS) to keep endpoints such as workstations, laptops, and servers updated with the latest patches. That tool alone, however, does not provide the reports needed for an accurate and timely picture of which systems are missing which patches. It is no longer enough for organizations to patch; they must prove that systems are patched to a reasonable level and measure how effectively the patching process reduces vulnerabilities on their network.
How Much Patching & Configuration Updating Do Regulations Require?
Regulations like Sarbanes-Oxley have led to public scrutiny of security practices, adding legal burdens and forcing organizations to work harder to ensure the safety of their IT systems. Such regulations have added urgency to the task of keeping up with critical patches and configurations for desktops, servers, and applications. The burning question for many is: given that vendors such as Microsoft are releasing 40-plus critical patches a year, and even more for Office and Internet Explorer, do regulators need to see systems patched or fixed to the highest level at all times?
The answer is no. Regulations call for a demonstrated ability to manage and patch systems according to risk. For patch and vulnerability management, regulations require a business process that takes into account both business and security risks. This means a business process supporting the following risk-based principles:
• Critical patches are applied more quickly than less critical patches.
• Patches and reconfigurations are applied to overexposed or higher-risk systems before they are applied to low risk systems.
• Patches and fixes are only applied to systems when the benefit of the patch or configuration outweighs the associated business disruption.
A process built on these three principles meets the needs of Sarbanes-Oxley because it treats each patch or configuration fix according to risk. Organizations need only demonstrate that an effective process is in place to patch or fix systems, and produce the records showing that the process is actually followed.
Patch & Vulnerability Management Supports Compliance
Automated patch and vulnerability management provides a high-performance, scalable, enterprise-ready solution to secure systems management in regulated environments. Moreover, agent-based architectures that power many of the leading patch and vulnerability management solutions on the market today automate the discovery and distribution of secure patches and agents on all remote endpoints across multiple operating systems and applications.
Most important to compliance efforts are the management, reporting, and alerting features of these solutions. Patch and vulnerability management technology should not only allow administrators to create and manage arbitrary groups of computers, but also automatically enforce mandatory-patch and fix-baseline policies on the members of each group, providing a patch-and-configuration compliance assurance mechanism. Custom reports produced by the solution should then identify every computer that is out of compliance with corporate policy.
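The three risk-based principles from the previous section (critical patches first, higher-risk systems first, apply only when benefit outweighs disruption) and the group-baseline reporting just described can be expressed as one small scoring and reporting model. The Python below is an added example written for this page, not PatchLink's code or any product's logic: the hosts, patch identifiers (KB-A, KB-B, KB-C), group names, baseline sets and the exposure/sensitivity/disruption weights are all constructed and assumed for illustration, not real systems or vendor bulletins.

```python
# Added example (not PatchLink's code): risk-based patch scheduling and
# baseline-compliance reporting. All hosts, patch ids, groups, baselines
# and scoring weights below are constructed/assumed for illustration.
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 3, "important": 2, "moderate": 1, "low": 0}


@dataclass(frozen=True)
class Patch:
    id: str
    severity: str   # a key of SEVERITY_RANK
    product: str    # product the patch applies to


@dataclass
class Host:
    name: str
    group: str          # management group (policy-defined, arbitrary)
    exposure: int       # 1 internal only .. 3 internet-facing
    sensitivity: int    # 1 public data .. 3 regulated financial / PII data
    disruption: int     # 1 cheap reboot .. 9 production outage to patch
    products: frozenset
    installed: set = field(default_factory=set)  # patch ids already applied


def host_risk(host):
    """Exposure x sensitivity: the 'higher-risk system' half of the decision."""
    return host.exposure * host.sensitivity


def patch_benefit(host, patch):
    """Severity x host risk: the 'higher-risk vulnerability' half."""
    return SEVERITY_RANK[patch.severity] * host_risk(host)


def applicable(host, patch):
    return patch.product in host.products and patch.id not in host.installed


def schedule(hosts, patches):
    """Principles 1 and 2: outstanding (patch, host) pairs ordered by patch
    severity, then host risk, so the worst fix reaches the most exposed box first."""
    work = [(p, h) for p in patches for h in hosts if applicable(h, p)]
    work.sort(key=lambda ph: (-SEVERITY_RANK[ph[0].severity],
                              -host_risk(ph[1]), ph[0].id, ph[1].name))
    return work


def decide(host, patch):
    """Principle 3: apply now only if benefit outweighs disruption,
    otherwise defer to a maintenance window (recorded, not forgotten)."""
    if not applicable(host, patch):
        return "n/a"
    return "apply" if patch_benefit(host, patch) >= host.disruption else "defer"


def run_cycle(hosts, patches):
    """Walk the schedule, apply what the risk rule allows, and return the
    (patch id, host name) deferrals the next maintenance window must pick up."""
    deferred = []
    for p, h in schedule(hosts, patches):
        if decide(h, p) == "apply":
            h.installed.add(p.id)
        else:
            deferred.append((p.id, h.name))
    return deferred


def compliance_report(hosts, baseline):
    """baseline: group -> mandatory patch ids. Returns {host: missing ids}
    for every host out of policy; an empty dict means fully compliant."""
    report = {}
    for h in hosts:
        missing = baseline.get(h.group, set()) - h.installed
        if missing:
            report[h.name] = sorted(missing)
    return report


def compliance_rate(hosts, baseline):
    return 1.0 if not hosts else 1 - len(compliance_report(hosts, baseline)) / len(hosts)


# Constructed sample inventory: fictitious hosts and patch identifiers.
PATCHES = [Patch("KB-A", "critical", "windows"),
           Patch("KB-B", "moderate", "windows"),
           Patch("KB-C", "low", "office")]
BASELINE = {"dmz-web": {"KB-A", "KB-B"}, "finance-db": {"KB-A"},
            "hr-laptops": {"KB-A"}}


def sample_hosts():
    return [Host("web01", "dmz-web", 3, 2, 4, frozenset({"windows"})),
            Host("db01", "finance-db", 1, 3, 9, frozenset({"windows"})),
            Host("lap07", "hr-laptops", 2, 2, 1, frozenset({"windows", "office"}),
                 installed={"KB-A"})]


if __name__ == "__main__":
    hosts = sample_hosts()
    print("queue:", [(p.id, h.name) for p, h in schedule(hosts, PATCHES)])
    print("out of policy before:", compliance_report(hosts, BASELINE))
    print("deferred this cycle:", run_cycle(hosts, PATCHES))
    print("out of policy after:", compliance_report(hosts, BASELINE),
          f"({compliance_rate(hosts, BASELINE):.0%} compliant)")
```

Running the script queues the critical patch for the internet-facing web server ahead of the same patch for the internal database, applies everything the benefit-versus-disruption rule allows, and leaves two deferrals: the moderate patch on the production database (low benefit, high disruption) and the low-severity Office patch on a laptop. The before/after compliance report is the artefact an auditor asks to see; the deferral list is the evidence that a missing patch was a risk decision rather than an omission.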
Achieving Compliance While Instilling Trust & Managing Risk
Effective patch and vulnerability management gives partners and auditors confidence that security processes meet regulatory and corporate compliance requirements.
This trust permeates the organization as a whole, easing many of the tensions that arise between business and IT when urgent patching is needed. For IT professionals to balance regulatory security responsibilities with pressing business needs, they need a system that differentiates between higher-risk systems and higher-risk vulnerabilities. In the end, the real challenge is making the right decisions about when and where to patch or update based on business risk, and satisfying the burden of proof that regulations and management impose.
Chris Andrew is VP of Security Technologies at PatchLink