Shavlik Patch for Microsoft System Center

Upload: simon-adams

Post on 22-Dec-2015


Agenda

1 Patching, Not a Solved Problem

2 Get More From Microsoft System Center

3 Introducing Shavlik Patch for Microsoft System Center

4 Demonstration of Shavlik Patch

Every Day IT Challenges

Patching my systems is taking way too much time and I need my staff focused on initiatives that drive business

I currently use SCCM to patch systems, but unsure how to patch third-party applications

I currently do not have a definable patching strategy

Security hacks, vulnerabilities, and missing patches cause downtime, data loss and unemployment

You have less budget and the need to support more applications

“75% of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching.”

CSIS, http://csis.org/files/publication/130212_Lewis_RaisingBarCybersecurity.pdf


“Although patching has been “a solved problem” for many years, even decades, a lot of organizations struggle with it today – and struggle mightily.

…in the darkest woods of IT, patching 3rd party application on a desktop remains a significant challenge for many organizations.”

Patch Management – NOT A Solved Problem!

Anton Chuvakin - Gartner

http://blogs.gartner.com/anton-chuvakin/2013/05/06/patch-management-not-a-solved-problem/

Vulnerability Attack Vector

86% of reported vulnerabilities come from third party applications - National Vulnerability Database

Vulnerability distribution by product type - 2012 (National Vulnerability Database, NVD)

• Application: 86%
• Operating System: 10%
• Hardware: 4%

Vulnerability Attack Vector

[Table: National Vulnerability Database (NVD) counts for 2012 and 2011 of total, HIGH, MEDIUM and LOW vulnerabilities per application, covering Mozilla Firefox, Google Chrome, Apple Safari, Adobe Flash Player, Apple iTunes, Adobe Air, Oracle Java, Microsoft Internet Explorer, Adobe Shockwave Player and Adobe Reader.]

Current Percentage of Vulnerabilities

http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA92F33C/Microsoft_Security_Intelligence_Report_Volume_15_Key_Findings_Summary_English.pdf

• More applications are attacked by malicious software than the OS.

• Percentage-wise, web browsers still represent the largest threat.

[Figure: Industrywide vulnerability disclosures per half-year, 2H10 to 1H13, for application vulnerabilities, browser vulnerabilities and operating system vulnerabilities.]

1 What does your patching process look like today?

2 Do you use System Center Configuration Manager (SCCM) to patch software?

3 What about third-party application updates?

Microsoft System Center Patch Coverage

What about these applications?

SCCM Third-Party Application Patching

Get Update Information
• Check for update availability
• Visit each vendor website for patch information
• Some updates could potentially take days to research

Install SCUP
• System Center Update Publisher
• Only need to install once

Define Update information with SCUP
• Input patch data
• Point to vendor website

Import data into SCCM
• Import patch information one patch at a time

Sync SCCM with WSUS
• Force the Sync with WSUS to distribute the patch
• Send to Test group first
• Repeat process for next patch

Microsoft System Center Patching Hazards

Expensive
• At least one FTE – no one wants the title “Patch Manager”
• Testing process of test-fix-break-fix-repeat takes many hours

Dangerous
• Missed or neglected updates
• Untested patches may break critical or large numbers of systems
• Discovery-to-deployment time potentially days, months, years

Time Consuming
• Multiply process (above) by number of vendors
• Multiply by number of software titles
• Multiply by number of supported versions
• Multiply by number of update releases

INTRODUCING SHAVLIK PATCH FOR MICROSOFT SYSTEM CENTER


University of Pittsburgh

ORGANIZATION
• Financial Information Systems (FIS) supports 800 employees
• 800 PCs
• 200 Servers
• Supports payroll, purchasing, general accounting, housing, food services, parking, and transportation
• Manages all software updates via Microsoft SCCM

PROBLEM
• Team had to manually detect, build, and test patches before deploying with SCCM
• “For just three to five applications, we could easily log up to 10 hours a week”

SOLUTION
• Shavlik Patch for Microsoft System Center
• “Updating all applications takes about an hour each week—no matter how many applications need patching—instead of being nearly a full-time job.” – Rick McIver

Shavlik Patch for Microsoft System Center

Leverage Shavlik’s “best in class” catalog of patch data
• Includes deployment and detection logic; Shavlik tested
• Covers today’s most attacked applications

Manage third-party updates within SCCM
• Leverages same workflow within SCCM for both OS and application updates
• Automates process of defining, loading, and syncing patch information
• Keeps the SCCM admin in SCCM

Light-weight software/architecture
• Easy plug-in for the SCCM console
• Leverages the scalability of SCCM

Get Value from Shavlik Patch

Reduce application security risks
• Increase security to reduce downtime
• Close the application patching gap
• Patch hundreds of vulnerable applications
• No need for end-user intervention

Maximize your Microsoft System Center investment
• Expand Microsoft System Center Configuration Manager (SCCM) to include application patching
• Easy integration into the SCCM console
• Leverage existing SCCM workflows
• Decrease vulnerability-to-patch windows

Significantly reduce IT effort and cost
• Accelerate patching from months to minutes
• Patch with confidence
• Reduce number of steps creating updates
• No additional consulting required

Shavlik Patch Patching Process

[Diagram: Shavlik Cloud, SCCM, WSUS, WORKSTATIONS/SERVERS]

1 Sync Patch Data from Shavlik Cloud

2 Select Patches from SCCM Plugin

3 Use SCCM to Sync WSUS

4 Leverage Existing SCCM Workflows and Infrastructure

SCCM Plug-in
• Fully integrated into the SCCM UI
• Choose which updates to publish
• Filter the list
• See info about available updates
• Group by vendor to see “tree” view

Features
• Allow third-party updates to be published automatically
• Choose how often and when updates are published to WSUS
• Filter down to just the vendors or products you care about
• Optional ability to “set and forget”

Certificate Handling

• Set up certificates or trusts to deploy third-party updates

• Identifies WSUS server used to distribute patches

One Product…Two Configurations

If SCCM 2007
• Catalog of Shavlik’s best-in-class patch information
• Automates creation of custom patches within SCUP
• Reduces testing and deployment time
• Leverages SCUP’s workflow to publish patches to WSUS

If SCCM 2012
• SCCM add-in; lets admin do all his/her work in SCCM UI
• Removes need for SCUP
• Automates download of the *.cab files
• Automates publishing of updates
• Robust packaging – Java, Apple

Shavlik Patch for SCCM 2007 – Simple To Use, Easy As 1-2-3

1 Customer Downloads Update Catalog Of Data

2 Import Shavlik Catalog Into SCUP | Sync To Configured Update Servers

3 Use your existing SCCM workflows to Detect & Patch MS and 3rd Party Apps

Applications Covered by Shavlik Patch
• Adobe Acrobat
• Adobe Flash
• Adobe Reader
• Adobe Shockwave
• Apple iTunes
• Apple QuickTime
• Apple Safari
• Apple Application Support
• Citrix Presentation
• Citrix XenApp
• Java JRE
• Microsoft Access 2000
• Microsoft Excel 2000
• ISA Server 2000
• Microsoft Office 2000
• Microsoft Outlook 2000
• Microsoft PowerPoint 2000
• Microsoft Publisher 2000
• Microsoft Visual Studio .NET
• Microsoft Visual Studio .NET 2003
• Visual FoxPro
• Microsoft Word 2000
• Mozilla Firefox
• Mozilla SeaMonkey
• Mozilla Thunderbird
• Opera
• Real Networks Real Player

and many more…

DEMO

Shavlik Patch Review

1 Complete SCCM add-on for third party patch

2 Supports hundreds of commonly vulnerable applications

3 Leverage SCCM workflows and platform for efficiency and scalability

4 Decrease vulnerability-to-patch window

5 Patch with Confidence

Thank You