DHS pitches patch program
With free service gone, agencies turn to commercial solutions
- By Brad Grimes
- Feb 19, 2004
Photo caption: Steve Morton of Altiris said that for effective patch management, an agency has to know what systems it has and at what level they're deployed. (Photo: Henrik G. de Gyor)
Listen closely. That's the sound of the Homeland Security Department powering down its $10 million Patch Authentication and Dissemination Capability program.
Forty-seven government agencies subscribed to the free service, which launched a year ago to test and distribute software patches that fix vulnerabilities in operating systems and programs. It's being discontinued because officials believe private companies would be better at administering patches.
So what's that other sound? It's the murmur of 47 government agencies that now will turn to IT management and network security companies to protect their infrastructures from hackers and worm authors, who seek to exploit holes in software such as Microsoft Windows.
Acquiring and applying software patches can be cumbersome. By some estimates, enterprises, including government agencies, spend more than $2 billion a year patching systems.
Although the Homeland Security Department provided a valuable service by collecting patches in a central place and validating that they worked, that job is the tip of the iceberg. Going forward, experts said automated patch management systems can simplify the process of plugging holes in agency systems. But even those solutions may not be enough. Ultimately, systems integrators may play an important role in protecting networks from themselves.
"We see ourselves as a component of a larger security contract," said Ned Miller, chief executive officer of Secure Elements Inc., a Herndon, Va.-based startup that provides vulnerability management solutions. "When you start talking about security policy and the ability to enforce security policy, incident response and remediation capabilities clearly create opportunities for the systems integration community."
The question becomes which technologies for fixing vulnerabilities should integrators be installing. Although interest in patch management is high, solutions differ, and some experts wonder if the latest, greatest products are adequate to keep systems safe.
USE IT -- OR LOSE IT
Analysts call 2003 the Year of the Worm, during which malicious software sent over the Internet exploited vulnerabilities and brought down servers. Mark Nicolett, vice president at Stamford, Conn.-based Gartner Research, said interest in patch management increased after the SQL Slammer worm in January 2003 and shot up dramatically after the Blaster worm in August.
In the case of SQL Slammer, which targeted Microsoft's popular database, a patch was available almost six months before the worm attacked. IT managers either didn't know or didn't bother to install it.
"Spending on patch management didn't come from formal budget dollars," Nicolett said. "People were making tactical purchases, point solutions that would fix holes for the least cost."
In the future, Nicolett said he expects larger IT management and software distribution suites to do the job of patching systems.
Altiris Inc. of Lindon, Utah, is one of several technology vendors that sell a suite of products to manage systems. One component is patch management.
"To do effective patch management, an agency has to know what systems it has and at what level they're deployed," said Steve Morton, Altiris' vice president of product management and marketing. "We've been to agencies that don't even have a list of their IT assets."
An IT management suite such as Altiris 6, or a software distribution solution such as the products from Mountain View, Calif.-based Marimba Inc., does more than just patch management. It can handle everything from application deployment and configuration to license management. Even Microsoft has a product called Systems Management Server 2003 that can deploy applications, manage assets and patch holes.
In the case of Marimba, the company's software can monitor systems across a variety of platforms, something few other patch management solutions can do.
"Patch management can be equally painful on Unix, AIX and Solaris," said Purnima Padmanabhan, Marimba's director of product management.
For small offices, these suites may be overkill. In those situations, software that only does patch management may be all that's needed. Companies such as BigFix Inc., PatchLink Corp., Shavlik Technologies LLC and St. Bernard Software Inc. sell software specifically for patch management.
Either way, effective patch management solutions perform several core functions. They identify the software running on an agency's machines and whether it has the latest patches. This can be accomplished in one of two ways: agent or agentless scanning.
Simply put, an agent-based system monitors computers through a program that runs on each system; an agentless system runs from a server and periodically scans the computers on a network.
Each has pros and cons. Agent scanning is usually more thorough, especially when it comes to mobile computers that aren't always connected to a network.
Agentless scanning is easier to deploy because it doesn't have to load software on every computer, which could conflict with other programs and could be turned off by users.
Patch management solutions also have features that allow IT departments to test a patch on a subset of the network to ensure it works. They also are able to undo patches in case they cause conflicts or other problems on the computers they mean to fix.
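The core functions just described (inventory the installed software, compare it against a patch catalog, try the patch on a subset of machines first, and be able to undo it) can be sketched in a few dozen lines. The following Python is an added illustration written for this article, not code from Altiris, Marimba, Microsoft or any other vendor named here; the host inventory, product names, version strings and patch ids are constructed sample data, and the comparison works in the agentless style, on a snapshot a central scanner would have collected.

```python
"""Toy patch-compliance check and staged rollout with undo.

Constructed sample data throughout; product names, versions and patch ids
are hypothetical and do not refer to any real vendor's catalog.
"""
import copy
from math import ceil

# Constructed inventory, as an agentless scanner would report it:
# host -> {product: installed version, or None when the product is absent}
INVENTORY = {
    "ws-001":    {"os": "5.1.2600", "dbserver": "8.00.760"},
    "ws-002":    {"os": "5.1.2600", "dbserver": "8.00.818"},
    "srv-db1":   {"os": "5.2.3790", "dbserver": "8.00.760"},
    "laptop-07": {"os": "5.0.2195", "dbserver": None},
}

# Constructed catalog: (product, version that contains the fix, patch id)
CATALOG = [
    ("dbserver", "8.00.818", "PATCH-DB-0001"),
    ("os",       "5.1.2600", "PATCH-OS-0002"),
]


def version_key(version):
    """Turn '8.00.818' into (8, 0, 818) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(inventory, catalog):
    """Compare each host's reported versions against the catalog.

    Returns {host: [patch ids the host still needs]}; fully patched hosts are
    omitted and products that are not installed on a host are skipped.
    """
    result = {}
    for host, products in inventory.items():
        needed = [patch_id
                  for product, fixed_in, patch_id in catalog
                  if products.get(product) is not None
                  and version_key(products[product]) < version_key(fixed_in)]
        if needed:
            result[host] = needed
    return result


def pilot_group(hosts, fraction=0.25):
    """Deterministic test subset: the first ceil(fraction * n) hosts in sorted order."""
    ordered = sorted(hosts)
    return ordered[:ceil(fraction * len(ordered))]


class Rollout:
    """Apply patches to hosts while recording enough state to back them out again."""

    def __init__(self, inventory, catalog):
        self.inventory = copy.deepcopy(inventory)  # never mutate the scanner's snapshot
        self.by_id = {pid: (product, fixed_in) for product, fixed_in, pid in catalog}
        self.history = []  # (host, patch_id, previous version), newest last

    def apply(self, host, patch_id):
        product, fixed_in = self.by_id[patch_id]
        self.history.append((host, patch_id, self.inventory[host][product]))
        self.inventory[host][product] = fixed_in

    def rollback(self, host, patch_id):
        """Undo the most recent application of patch_id on host; False if none recorded."""
        for i in range(len(self.history) - 1, -1, -1):
            h, p, previous = self.history[i]
            if h == host and p == patch_id:
                product, _ = self.by_id[patch_id]
                self.inventory[host][product] = previous
                del self.history[i]
                return True
        return False


def run_pilot(inventory, catalog, fraction=0.25):
    """Patch only a pilot subset of the non-compliant hosts and report what is left."""
    before = missing_patches(inventory, catalog)
    pilot = pilot_group(before, fraction)
    rollout = Rollout(inventory, catalog)
    for host in pilot:
        for patch_id in before[host]:
            rollout.apply(host, patch_id)
    return {"pilot": pilot,
            "before": before,
            "after_pilot": missing_patches(rollout.inventory, catalog)}


if __name__ == "__main__":
    print(run_pilot(INVENTORY, CATALOG, fraction=0.5))
```

The point of `Rollout` is that undo is only possible if the previous state was recorded before the change; a real product keeps the prior binaries rather than a version string, but the bookkeeping is the same.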
Microsoft's Software Update Services provides patches for Microsoft products and even allows IT managers to control their distribution. But it only works on systems with Windows 2000, 2003 Server and XP and doesn't include other important functionality.
"The question isn't always whether a patch is available, it's whether you'll screw something up if you install it," Morton said.
VULNERABLE, YET SMART
Perhaps the most important component of a patch management solution, and something experts point to as a reason not to become too reliant on any one technology, is human intelligence.
Agencies need to incorporate information about the nature of vulnerabilities and the patches that fix them, as well as common-sense best practices.
Security professionals said this is because not every hole needs to be patched, and because patches aren't the only way to protect vulnerable systems.
"The biggest risk is relying too much on patch management," said Russ Cooper, a security expert at Herndon, Va.-based TruSecure Corp. "The best way to minimize risk is to be proactive."
Companies such as TruSecure and iDefense Inc., Reston, Va., monitor known vulnerabilities and other security risks and provide their clients with actionable intelligence, including recommendations about which patches are critical and which are not.
"If you think about the ports that the Blaster worm attacked, there was no reason for those ports to be open," Cooper said.
Last year, TruSecure identified three out of 51 patches that it considered critical, Cooper said. But it issued roughly 15 best-practice alerts that advised clients how to configure their network systems to minimize vulnerabilities regardless of potential holes in their software.
John Watters, chief executive officer at iDefense, said it's also important that agencies take security measures in the event there's a known vulnerability but no available patch. For example, on Feb. 10 Microsoft issued a critical software patch that took the company 200 days to create. That's 200 days when even the best patch management solution could do little to protect government systems if hackers decided to exploit the holes in Microsoft products.
Despite the capabilities of patch management solutions, "people must still manually implement work-around strategies, such as blocking ports in their firewalls," Watters said.
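The decision logic Cooper and Watters describe, that a hole only matters if the vulnerable service is actually reachable, that not every patch is critical, and that a port can be blocked at the firewall while no patch exists, can be written down as a triage rule. The Python below is an added example for this article, not software from TruSecure, iDefense or Secure Elements; the advisories, hosts, listening ports, zones, firewall policy and the 72-hour target for critical patches are all constructed, assumed values chosen only to exercise the rules.

```python
"""Fold vulnerability intelligence and firewall exposure into the patch decision.

All sample data is constructed for illustration; advisory ids, products,
ports and service-level targets are assumptions, not real advisories.
"""

# Assumed remediation targets in hours, by advisory severity.
SLA_HOURS = {"critical": 72, "high": 168, "medium": 720, "low": 720}

# Constructed advisories: a vulnerable product, the port its service listens on
# (None when the flaw is not network-reachable) and the patch id, or None when
# no patch has been released yet.
ADVISORIES = [
    {"id": "ADV-0001", "product": "rpc-service", "severity": "critical", "port": 135,  "patch": "PATCH-0001"},
    {"id": "ADV-0002", "product": "dbserver",    "severity": "critical", "port": 1434, "patch": None},
    {"id": "ADV-0003", "product": "viewer",      "severity": "low",      "port": None, "patch": "PATCH-0003"},
]

# Constructed host inventory: network zone, installed products, listening ports.
HOSTS = {
    "web-01": {"zone": "dmz",      "products": {"rpc-service", "dbserver"}, "listening": {135, 1434, 80}},
    "ws-001": {"zone": "internal", "products": {"rpc-service", "viewer"},   "listening": {135}},
}

# Constructed firewall policy: ports allowed inbound into each zone from outside.
FIREWALL = {"dmz": {80, 443, 135, 1434}, "internal": set()}


def exposed(host, port, firewall):
    """True only when the host listens on the port AND the firewall admits it to the host's zone."""
    return port in host["listening"] and port in firewall.get(host["zone"], set())


def triage(advisories, hosts, firewall):
    """Decide, per advisory and affected host, whether to patch, block, schedule or monitor.

    - no patch yet and the port is reachable  -> block the port at the firewall
    - no patch yet and not reachable          -> monitor
    - patch available, critical severity      -> patch within the SLA (and block meanwhile if reachable)
    - patch available, lower severity         -> schedule in the normal cycle
    """
    actions = []
    for adv in advisories:
        for name in sorted(hosts):
            host = hosts[name]
            if adv["product"] not in host["products"]:
                continue
            port = adv["port"]
            reachable = port is not None and exposed(host, port, firewall)
            if adv["patch"] is None:
                action = "block" if reachable else "monitor"
            elif adv["severity"] == "critical":
                action = "patch"
            else:
                action = "schedule"
            actions.append({
                "advisory": adv["id"],
                "host": name,
                "action": action,
                "patch": adv["patch"],
                "due_hours": SLA_HOURS[adv["severity"]] if adv["patch"] else None,
                "block_port": port if reachable else None,   # interim firewall work-around
            })
    return actions


def unneeded_open_ports(hosts, firewall):
    """Best-practice check: ports the firewall admits into a zone that no host there listens on."""
    listening_by_zone = {}
    for host in hosts.values():
        listening_by_zone.setdefault(host["zone"], set()).update(host["listening"])
    findings = {}
    for zone, allowed in firewall.items():
        unused = allowed - listening_by_zone.get(zone, set())
        if unused:
            findings[zone] = unused
    return findings


if __name__ == "__main__":
    for item in triage(ADVISORIES, HOSTS, FIREWALL):
        print(item)
    print("allowed but unused:", unneeded_open_ports(HOSTS, FIREWALL))
```

With the sample data, the unpatched database flaw on the DMZ host produces a firewall block rather than a patch job, the same flaw's product is absent from the internal workstation so nothing is generated for it, and the low-severity viewer advisory is merely scheduled; `unneeded_open_ports` separately reports that the DMZ policy admits a port no host there uses, which is the kind of configuration finding a best-practice alert would raise regardless of whether any patch exists.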
Secure Elements is partnering with iDefense to incorporate intelligence into its new Class 5 AVR software. In addition to patch management, Class 5 AVR will monitor systems for vulnerabilities and help configure them to minimize attacks.
Los Angeles-based Northrop Grumman Corp. uses Altiris software to help manage its 100,000 Microsoft-based client systems.
But Barbara Ronzetti, director of platform engineering, said the IT staff has its own internal information assurance group that monitors vulnerabilities and evaluates patches.
"If it's critical, we'll use our tool set to roll it out to 90 percent of our infrastructure within 72 hours," Ronzetti said.
But not all patches are critical. Of several patches that Microsoft has released so far this year, Ronzetti said Northrop Grumman has implemented just one.
"We don't have a lot of entry points into our system, and we use a lot of other technologies, including firewalls where we block ports," Ronzetti said.
Northrop Grumman has also adopted a spam-blocking appliance from Atlanta-based CipherTrust that helps protect its network. CipherTrust's IronMail e-mail gateway can help keep out spam that often carries worms.
"There will always be some reactive element to securing our systems," said Ronzetti referring to patch management solutions. "But we can also control what's coming in."
Staff Writer Brad Grimes can be reached at firstname.lastname@example.org.