Transcript patching
Shavlik Patch for Microsoft System Center
Agenda
1
Patching, Not a Solved Problem
2
Get More From Microsoft System Center
3
Introducing Shavlik Patch for Microsoft System Center
4
Demonstration of Shavlik Patch
Every Day IT Challenges
You have less
budget and the
need to support
more applications
I currently do not
have a definable
patching
strategy
Security hacks,
vulnerabilities, and
missing patches
cause downtime,
data loss and
unemployment
I currently use
SCCM to patch
systems, but unsure
how to patch thirdparty applications
Patching my systems
is taking way to
much time and I
need my staff
focused on initiatives
that drive business
“ 75%
of attacks use publicly known
vulnerabilities in commercial
software that could be prevented
by regular patching.
”
CSIS
http://csis.org/files/publication/130212_Lewis_
BarCybersecurity.pdf
“
Although patching has been
“a solved problem” for many
years, even decades, a lot of
organizations struggle with
it today – and struggle
mightily. ”
“
Patch Management – NOT A Solved Problem!
Anton Chuvakin - Gartner
http://blogs.gartner.com/anton-chuvakin/2013/05/06/patch-management-not-a-solved-problem/
5
…in the darkest woods of IT,
patching 3rd party application
on a desktop remains a
significant challenge for many
organizations. ”
Vulnerability Attack Vector
4%
10%
Application
86% of reported vulnerabilities come from
third party applications - National
Vulnerability Database
Operating System
86%
Hardware
Vulnerability distribution by product type - 2012
National Vulnerability Database (NVD)
6
Vulnerability Attack Vector
Application
# of HIGH
vulnerabilities
# of MEDIUM
vulnerabilities
# of LOW
vulnerabilities
2012
2012
2012
2012
2011
2011
2011
2011
Mozilla Firefox
159
97
99
66
55
30
5
2
Google Chrome
125
275
68
162
55
113
2
0
Apple Safari
85
45
65
28
20
16
0
1
Adobe Flash Player
66
63
61
57
5
6
0
0
Apple iTunes
102
78
51
78
51
0
0
0
Adobe Air
54
27
51
26
3
1
0
0
Oracle Java
58
37
32
23
20
10
6
4
Microsoft Internet
Explorer
41
45
34
31
7
14
0
0
Adobe Shockwave Player
27
38
27
38
0
0
0
0
Adobe Reader
25
65
25
54
0
11
0
0
National Vulnerability Database (NVD)
7
# of
vulnerabilities
Current Percentage of Vulnerabilities
2,000
1,800
Industry wide vulnerability disclosures
1,600
Application
vulnerabilities
1,400
• More applications are attacked
by malicious s software than
the OS.
1,200
1,000
800
600
Operating system
vulnerabilities
• Percentage-wise Webbrowsers still represent the
largest threat.
400
Browser
vulnerabilities
200
0
2H10
1H11
2H11
1H12
2H12
1H13
http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA92F33C/Microsoft_Security_Intelligence_Report_Volume_15_Key_Findings_Summary_English.pdf
8
1
What does your patching process
look like today?
2
Do you use System Center Configuration Manager
(SCCM) to patch software?
3
What about third-party application updates?
Microsoft System Center Patch Coverage
Microsoft System Center
Patch Coverage
What about these applications?
SCCM Third-Party Application Patching
Get Update
Information
Define Update
information with SCUP
Check for update
availability
Visit each vendor
website for patch
information
Some updates
could potentially
take up to days to
research
•
•
Install SCUP
•
System Center
Update
Publisher
Only need to
install once
•
•
•
•
Input patch data
Point to vendor
website
Microsoft System
Center Patching Hazards
•
•
•
11
Multiply process (above)
by number of vendors
Multiply by number of
software titles
Multiply by number of
supported versions
Multiply by number of
update releases
•
Import patch
information one
patch at a time
Sync SCCM with
WSUS
•
•
•
Expensive
Time Consuming
•
Import data into
SCCM
•
•
At least one FTE – no one
wants the title “Patch
Manager”
Testing process of test-fixbreak-fix-repeat takes
many hours
Dangerous
•
•
•
Missed or neglected
updates
Untested patches may
break critical or large
numbers of systems
Discovery-to-deployment
time potentially days,
months, years
Force the Sync
with WSUS to
distribute the
patch
Send to Test
group first
Repeat process
for next patch
INTRODUCING SHAVLIK PATCH FOR
MICROSOFT SYSTEM CENTER
University of Pittsburgh
ORGANIZATION
• Financial Information
Systems (FIS) supports
800 employees
• 800 PCs
• 200 Servers
• Supports payroll,
purchasing, general
accounting, housing,
food services, parking,
and transportation
• Manages all software
updates via Microsoft
SCCM
13
PROBLEM
SOLUTION
• Team had to manually
detected, built, and tested
patches before deploying
with SCCM
• “For just three to five
applications, we could
easily log up to 10 hours a
week”
• Shavlik Patch for Microsoft
System Center
• “Updating all applications
takes about an hour each
week—no matter how
many applications need
patching—instead of being
nearly a full-time job.” –
Rick McIver
Shavlik Patch for Microsoft System Center
Manage third-party
updates within SCCM
•
•
•
Leverages same
workflow within
SCCM for both OS
and application
updates
Automates process
of defining,
loading, and
syncing patch
information
Keeps the SCCM
admin in SCCM
Leverage Shavlik’s “best in
class” catalog of patch data
•
•
Includes
deployment and
detections logic;
Shavlik tested
Covers today’s
most attacked
applications
Light-weight
software/architecture
•
•
Easy plug-in for the
SCCM console
Leverages the
scalability of SCCM
Get Value from Shavlik Patch
Maximize your
Microsoft System
Center investment
Reduce application
security risks
•
•
•
•
Increase security to reduce
downtime
Close the application
patching gap
Patch hundreds of
vulnerable applications
No need for end-user
intervention
•
•
•
•
Expand Microsoft System
Center Configuration
Manager (SCCM) to
include application
patching
Easy integration into the
SCCM console
Leverage existing SCCM
workflows
Decrease vulnerability to
patch windows
Significantly reduce
IT effort and cost
•
•
•
•
Accelerate patching
from months to
minutes
Patch with
confidence
Reduce number of
steps creating
updates
No additional
consulting required
Shavlik Patch Patching Process
1
Sync Patch Data from
Shavlik Cloud
2
Select Patches from
SCCM Plugin
3
Use SCCM to Sync WSUS
4
Leverage Existing
SCCM Workflows and
Infrastructure
SCCM
WORKSTATIONS/SERVERS
16
WSUS
SCCM Plug-in
•
Fully integrated
into the SCCM UI
•
Choose which
updates to publish
•
See info about
available updates
•
Filter the list
•
17
Group by vendor to
see “tree” view
Features
•
Allow third-party updates to
be published automatically
•
Choose how often and
when updates are
published to WSUS
•
Filter down to just the
vendors or products you
care about
•
18
Optional ability to
“set and forget”
Certificate Handling
19
•
Identifies WSUS server
used to distribute patches
•
Setup certificates or trusts to
deploy third-party updates
One Product…Two Configurations
If SCCM 2012
•
•
•
•
•
20
SCCM add-in; let’s admin do all his/her work
in SCCM UI
Removes need for SCUP
Automates download of the *.cab files
Automates publishing of updates
Robust packaging – Java, Apple
If SCCM 2007
•
•
•
•
•
Catalog of Shavik’s
best-in-class patch information
Automates creation of custom patches within
SCUP
Reduces testing and deployment time
Leverages SCUP’s workflow to publish
patches to WSUS
Shavlik Patch for SCCM 2007 – Simple To Use, Easy As 1-2-3
1
Customer Downloads Update Catalog Of Data
2
Import Shavlik Catalog Into SCUP | Sync To
Configured Update Servers
3
Use your existing SCCM workflows to Detect &
Patch MS and 3rd Party Apps
Applications Covered by Shavlik Patch
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
22
Adobe Acrobat
Adobe Flash
Adobe Reader
Adobe Shockwave
Apple iTunes
Apple QuickTime
Apple Safari
Apple Application Support
Citrix Presentation
Citrix ZenApp
Java JRE
Microsoft Access 2000
Microsoft Excel 2000
ISA Server 2000
Microsoft Office 2000
Microsoft Outlook 2000
•
•
•
•
•
•
•
•
•
•
•
Microsoft PowerPoint 2000
Microsoft Publisher 2000
Microsoft Visual Studio .NET
Microsoft Visual Studio .NET 2003
Visual FoxPro
Microsoft Word 2000
Mozilla Firefox
Mozilla SeaMonkey
Mozilla Thunderbird
Opera
Real Networks Real Player
and many more…
DEMO
Shavlik Patch Review
1
Complete SCCM add-on for third party patch
2
Supports hundreds of commonly vulnerable applications
3
Leverage SCCM workflows and platform for
efficiency and scalability
4
Decrease vulnerability-to-patch window
5
Patch with Confidence
Thank You