Patch Lifecycle Baselines and Traffic Analysis


Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
>> I hope it goes without saying that it is incredibly important to keep our systems patched and up-to-date from both a performance perspective and a security perspective. For a lot of these attacks we hear about, there have often been patches to shore up the vulnerabilities those attacks exploit for weeks and sometimes even months. It's a difficult process to keep systems patched because vendors push out a lot of patches. If you're not familiar with Microsoft Patch Tuesday, where they roll out their patches for all their software products, you will become familiar with Patch Tuesday.

It's important, just like everything else, that we have a documented process. With patches, we need to document patch management and the lifecycle of patches. First we go through the discovery phase. There's a new patch that's been released, or more likely lots of new patches that have been released. We have to categorize and prioritize. We certainly want to be able to give priority to security patches and those patches that are urgent, and we need to develop a policy that talks about how we're going to do it. We continue to monitor for new patches as they're released. We may have a centralized patch server that keeps track of, or gets alerts about, these new patches.

When patches are available, we generally bring them down and test them. We test those patches, of course, in non-production environments, maybe on a virtual system or in a lab, because we want to make sure that we understand that any change to a baseline configuration of the systems may cause the environment to become unstable. We want to test those patches. Not everything that's released out there is going to have a beneficial impact.

Configuration management. We're going to document the changes that have to be made. We've rolled out the patches. It's best if we can automate that, which is exactly what a central patch server will do. Windows has a product called Windows Software Update Services, and that's a central patch server. There are lots of other third-party tools that will help you manage your patches. We want to be able to provide reporting so that we can go back and know that we're keeping our systems up to date. Then review, optimize, repeat: look at our reports, figure out where we can strengthen our processes, and start all over.

Some of the patches may need to be rolled back at any point in time. Usually vendors provide the information on how to roll back those patches. If at any point in time we run into difficulty during the testing period or after rollout, we should be able to go back a step to before the patches were installed. At the very least, we can go back to an earlier snapshot or a restore point. But we have to be able to determine, between that patch rollout and the recording capabilities, if there's an issue that the patch has caused.

Baseline configuration. Like I said, baseline configuration is essential, because how am I going to know when things are out of the norm if I don't know what the norm is? When we're talking about baseline performance, we're talking about compliance with security goals and policies. Whatever we're talking about, the baseline is the standard that we want to adhere to. We'll have a baseline security configuration, and we want to adhere to that baseline. It's a point that's fixed in time that's tied to what our goals are. We document baseline performance and then we monitor what we see in order to detect things outside of the baseline.

Packet and traffic analysis. Sniffers perform this service for us. We capture packets on the network so that we can analyze them. We might be interested in determining what type of traffic is on the network, what protocols are in use, and when information is going across the network in plain text. Just like an attacker uses a sniffer, so can an administrator, to learn more about the network. Whether we're looking at passive or active: passive is just monitoring; active would mean we're injecting data into the data stream just to determine results.

Also, I'll mention that sometimes you don't even have to capture the data to get what you need. Sometimes you can simply analyze the flow of traffic. For instance, if I see a ton of traffic going to a particular server at 8:00 AM, that may tell me that's a domain controller. Sometimes just watching where traffic is going is going to give me some information. Also, the fact that traffic is encrypted tells me that something is sensitive. That is sometimes referred to as a side channel attack, where you're learning about the network without really capturing the actual information, but you're looking through other pathways.

To wrap up this last section, we talked about the patching lifecycle and how we go through a process where we have to have our policies and procedures in place. We have to discover that patches have been released. We have to have some means of prioritizing them, testing them, and then rolling them out in an orderly fashion. We continue to monitor those patches and we're looking for any evidence that we might need to roll patches back in order to maintain smooth operations. We also talked about the importance of baseline configuration, and we talked about how our baselines must be set and documented so that we can detail any changes. Really, this whole section focused on the importance of knowing your network and monitoring your network, looking for vulnerabilities, reviewing log files, and staying on top of things, because things can change very quickly in the network. I want to make sure that I have the tools at my disposal and the knowledge of how to use those tools and interpret the results.