Patch Lifecycle, Baseline, and Traffic Analysis
Video Transcription
00:00
>> I hope it goes without saying it is incredibly important to keep our systems patched and up-to-date from both a performance perspective and a security perspective. For a lot of these attacks we hear about, often there have been patches to shore up the vulnerabilities those attacks exploit for weeks and sometimes even months. It's a difficult process to keep systems patched because vendors push out a lot of patches. If you're not familiar with Microsoft Patch Tuesday, where they roll out their patches in all their software products, you will become familiar with Patch Tuesday.

It's important, just like everything else, that we have a documented process. With patches, we need to document patch management and the life cycle of patches. At first, we go through the discovery phase. There's a new patch that has been released, or more likely lots of new patches that have been released. We have to categorize and prioritize. We certainly want to be able to give priority to security patches and those patches that are urgent, and we need to develop a policy that talks about how we're going to do it. We continue to monitor for new patches as they're released. We may have a centralized patch server that keeps track or that gets alerts based on these new patches.

When patches are available, we generally bring them down and test them. We test those patches, of course, in non-production environments, maybe on a virtual system or in our lab, because we want to make sure that we understand that any change to a baseline configuration of the systems might cause the environment to become unstable. We want to test those patches. Not everything that's released out there is going to have a beneficial impact.

Configuration management, so we're going to document the changes that have to be made. We roll out the patches; it's best if we can automate that, which is exactly what a central patch server will do. Windows has a product called Windows Software Update Services, and that's a central patch server. There are lots of other third-party tools that will help you manage your patches. We want to be able to provide reporting so that way we can go back and know that we're keeping our systems up to date. Then review, optimize, repeat. Look at our reports, figure out where we can strengthen our processes, and start all back over.

Some of the patches may need to be rolled back at any point in time. Usually vendors provide the information on how to roll back those patches. If at any point in time we're running into difficulty during the testing period or after rollout, we should be able to go back a step before the patches were installed. At the very least, we can go back to an earlier snapshot or a restore point. But we have to be able to determine, between that patch rollout and the recording capabilities, if there's an issue that the patch has caused.

Baseline configuration. Like I said, baseline configuration is essential, because how am I going to know when things are out of the norm if I don't know what the norm is? When we're talking about baseline performance, we're talking about compliance with security goals and policies. Whatever we're talking about, the baseline is the standard that we want to adhere to. We'll have a baseline security configuration and we want to adhere to that baseline. It's the point that's fixed in time that's tied to what our goals are. We document baseline performance and then we monitor against that in order to detect things outside of the baseline.

Packet and traffic analysis. Sniffers perform this service for us. We catch our packets on the network so that way we can analyze them. We might be interested in determining what type of traffic is on the network, what protocols are in use, when information is going across the network in plain text. Just like an attacker uses a sniffer, so can an administrator to learn more about the network. Whether we're looking at passive or active, passive is just monitoring. Active would mean we're injecting data into the data stream just to determine results.

Also, I'll mention that sometimes you don't even have to capture the data to get what you need. Sometimes you can simply analyze the flow of traffic. For instance, if I see a ton of traffic going to a particular server at eight o'clock AM, that may tell me that's a domain controller. Sometimes just watching where traffic is going gives me some information. Also, the fact that traffic is encrypted tells me that something is sensitive. That sometimes is referred to as a side channel attack, where you're learning about the network without really capturing the actual information, but you're looking through other pathways.

To wrap up this last section, we talked about the patching life cycle and how we go through a process where we have to have our policies and procedures in place. We have to discover that patches have been released. We have to have some means of prioritizing them, testing them, and then rolling them out in an orderly fashion. We continue to monitor those patches and we're looking for any evidence that we might need to roll patches back in order to maintain smooth operations. We also talked about the importance of baseline configuration, and we talked about how our baselines must be set and documented so that way we can detail any changes. Really, this whole section focused on the importance of knowing your network and monitoring your network: looking for vulnerabilities, reviewing log files, but staying on top of things, because things can change very quickly in the network. I want to make sure that I have the tools at my disposal and the knowledge of how to use those tools and interpret the results.
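The flow-analysis and baseline points above (spotting the busiest server at eight o'clock, finding plaintext protocols, and detecting traffic that falls outside the documented norm) can be shown in working code without capturing any payloads. The following is an added example, not code from the video or its instructor: the NetFlow-style records, the IP addresses, and the `BASELINE` dictionary are all constructed for illustration, and the functions summarise who talks to whom, on which ports, and how that compares to the baseline.

```python
"""Flow-based traffic analysis against a documented baseline (added example).

Only flow metadata (time, source, destination, port, size) is examined,
so this works even when the payload is encrypted. All records and the
baseline below are constructed sample data, not a real export.
"""
from collections import defaultdict
from dataclasses import dataclass

# Well-known ports whose protocols carry data (often credentials) in plaintext.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}

# Hypothetical documented baseline: per server, the destination ports it is
# expected to receive and the largest number of distinct clients seen normally.
BASELINE = {
    "10.0.0.5": {"ports": {53, 88, 389, 445}, "max_clients": 10},  # domain controller
    "10.0.0.20": {"ports": {443}, "max_clients": 2},               # web server
}


@dataclass(frozen=True)
class Flow:
    ts: str      # "HH:MM" flow start time
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed sample flows: an 08:00 logon burst plus two out-of-baseline events.
SAMPLE_FLOWS = [
    Flow("08:01", "10.0.1.10", "10.0.0.5", 88, 1200),
    Flow("08:01", "10.0.1.11", "10.0.0.5", 88, 1100),
    Flow("08:02", "10.0.1.12", "10.0.0.5", 389, 900),
    Flow("08:02", "10.0.1.13", "10.0.0.5", 445, 4000),
    Flow("08:03", "10.0.1.10", "10.0.0.20", 443, 20000),
    Flow("08:04", "10.0.1.11", "10.0.0.20", 443, 18000),
    Flow("08:05", "10.0.1.14", "10.0.0.5", 23, 300),     # telnet to the DC
    Flow("08:06", "10.0.1.10", "10.0.0.77", 80, 500),    # undocumented host, plain HTTP
    Flow("14:00", "10.0.1.12", "10.0.0.20", 443, 15000),
]


def clients_per_destination(flows, hour_prefix=None):
    """Count distinct sources per destination, optionally for one hour ("08")."""
    seen = defaultdict(set)
    for f in flows:
        if hour_prefix is None or f.ts.startswith(hour_prefix + ":"):
            seen[f.dst].add(f.src)
    return {dst: len(srcs) for dst, srcs in seen.items()}


def busiest_destination(flows, hour_prefix):
    """The server most clients talk to in that hour (at 08:00, likely a DC)."""
    counts = clients_per_destination(flows, hour_prefix)
    return max(counts, key=counts.get)


def plaintext_flows(flows):
    """Flows to plaintext-protocol ports: candidates for credential exposure."""
    return [(f.src, f.dst, PLAINTEXT_PORTS[f.dport])
            for f in flows if f.dport in PLAINTEXT_PORTS]


def baseline_deviations(flows, baseline):
    """Report hosts, ports, and client counts that fall outside the baseline."""
    ports_seen = defaultdict(set)
    for f in flows:
        ports_seen[f.dst].add(f.dport)
    counts = clients_per_destination(flows)
    findings = []
    for dst, ports in ports_seen.items():
        expected = baseline.get(dst)
        if expected is None:
            findings.append(f"{dst}: not in baseline, received ports {sorted(ports)}")
            continue
        extra = ports - expected["ports"]
        if extra:
            findings.append(f"{dst}: unexpected ports {sorted(extra)}")
        if counts[dst] > expected["max_clients"]:
            findings.append(f"{dst}: {counts[dst]} clients exceeds baseline "
                            f"{expected['max_clients']}")
    return sorted(findings)


if __name__ == "__main__":
    print("busiest at 08:00:", busiest_destination(SAMPLE_FLOWS, "08"))
    print("plaintext:", plaintext_flows(SAMPLE_FLOWS))
    for line in baseline_deviations(SAMPLE_FLOWS, BASELINE):
        print("deviation:", line)
```

Nothing here inspects packet contents; the busiest-server and plaintext checks come purely from where traffic goes, which is the passive, flow-level view the transcript describes. The baseline comparison is only as good as the documented baseline, so `BASELINE` should be reviewed whenever a patch or configuration change legitimately alters what a server is expected to receive.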