diy patch management
play

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D - PowerPoint PPT Presentation

Jan 09, 2023 •142 likes •635 views

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @ I N G O B E N T E ) B S I D E S M U N I C H 2 0 1 8 Patching Isnt that solved? Nope, its not. R E M E M B E R T H O S E R A N S O M

  1. DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @ I N G O B E N T E ) B S I D E S M U N I C H 2 0 1 8

  2. Patching 
 Isn’t that solved?

  3. Nope, it’s not. R E M E M B E R T H O S E R A N S O M WA R E N E W S I N 2 0 1 7 ?

  4. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack 4 SINNERSCHRADER BSides Munich | DIY Patch Management | 2018

  5. Example WannaCry • WannaCry hit the world on May 12 2017 • It spread via a vulnerability called EternalBlue • EternalBlue was fixed by Microsoft on March 14 2017 SINNERSCHRADER

  6. Example WannaCry • WannaCry hit the world on May 12 2017 • It spread via a vulnerability called EternalBlue • EternalBlue was fixed by Microsoft on March 14 2017 SINNERSCHRADER

  7. 2 months between patch and outbreak I . E . YO U CA N WO R RY L E S S A B O U T 0 DAYS : )

  8. Patching is hard AT L E AST I N M A N Y R E A L WO R L D S C E N A R I O S.

  9. But why? I M E A N I T WO R KS O N O U R FA M I LY M E M B E R S C O M P U T E R S, TO O.

  10. Constraints L E GAC Y : E N D O F L I F E O S T H AT I S N OT PATC H A B L E .

  11. Constraints AVA I L A B I L I T Y : H OW TO R E B O OT T H AT H Y P E RV I S O R C L U ST E R ?

  12. Constraints M O N E Y : I T WO R KS W I T H O U T T H E PATC H , D O E S N ’ T I T ?

  13. So what now? L E T ’ S TA K E A G L I M P S E I N TO O U R WO R L D.

  14. SinnerSchrader Ecosystem

  15. In a world where … • N tenants • M tech stacks • N x M requirements SINNERSCHRADER

  16. In a world where … • Heterogenous infrastructure • OS-wise mostly Debian and Ubuntu • Packed into VMs and Containers • Yes, there is also some serverless stuff :) SINNERSCHRADER

  17. In a world where … Inconsistent patch management N E V E R , S O M E T I M E S, R E G U L A R LY.

  18. In a world where … Commercial scanners? N O B U D G E T. W E A R E N OT T H AT E N T E R P R I SY.

  19. Lessons learned … so far • Installation is easy • Patching is hard • Knowing when to patch is even harder SINNERSCHRADER

  20. Not cool S O W E WA N T E D TO C H A N G E T H AT.

  21. Solution - the easy part • Manually scan for all the CVEs • Automate CVE scans (i.e. daily) • Gather all the logs SINNERSCHRADER

  22. Solution - the tricky part • Dashboard everything • Get metrics that CXOs can understand • Take action (i.e. patch) and check the metrics • Lean back … for now SINNERSCHRADER

  23. Building blocks

  24. • CVE scanner to audit VMs • Integration to config management • Central logging and dashboarding SINNERSCHRADER

  25. Spot the vuln - the audit • Vulnerability databases • Vulnerability scanner • Vulnerability subscriptions • Freemium pricing model • Nice people :) SINNERSCHRADER

  26. Spot the vuln - the audit • nmap plugin • Burp plugin • getsploit • API SINNERSCHRADER

  27. Spot the vuln - CVE scanner • Get installed packages • Audit each for CVEs • Get CVSS scores SINNERSCHRADER

  28. Demo V U L N E R S. C O M A P I

  29. Orchestration via config management • Do it! • Our solution: SaltStack • Codify your update strategy https://docs.saltstack.com/en/getstarted/overview.html SINNERSCHRADER

  30. Orchestration • Define systems with formula • Minion matching • Template engine https://docs.saltstack.com/en/getstarted/overview.html SINNERSCHRADER

  31. Three patch management flavours • Unattended upgrades • Orchestrated updates • Patch Day https://en.wikipedia.org/wiki/Neapolitan_ice_cream SINNERSCHRADER

  32. Centralized Logging • E lasticsearch • L ogstash • K ibana figure based on https://www.elastic.co/guide/en/logstash/current/introduction.html SINNERSCHRADER

  33. SINNERSCHRADER

  34. Demo K I B A N A . S Z O P S. D E

  35. The big picture 35 SINNERSCHRADER BSides Munich | DIY Patch Management | 2018

  36. The big picture 36 SINNERSCHRADER BSides Munich | DIY Patch Management | 2018

  37. The big picture 37 SINNERSCHRADER BSides Munich | DIY Patch Management | 2018

  38. Limitations

  39. There are some limitations A K A ST U F F T H AT C O M P L I A N C E FO L KS L I K E LY WO N ’ T F I N D, B U T T H AT YO U K N OW I S T H E R E …

  40. Tales from the kernel • Notice version encoded in package name • This confuses vulners (no CVEs) • As well as unattended upgrades (yep, no upgrades) SINNERSCHRADER

  41. Tales from the kernel - the fix • Install the meta package linux-image-generic SINNERSCHRADER

  42. Reboot hassle • Running old kernel although newer one is installed 42 SINNERSCHRADER BSides Munich | DIY Patch Management | 2018

  43. Reboot hassle - the fix • Monitor uptime of your servers ;-) • The two metrics that matter for host security by Diogo Monica 43 SINNERSCHRADER BSides Munich | DIY Patch Management | 2018

  44. Next steps

  45. Next steps • Fix some quirks ;-) • Container checks with Claire • AWS integration • nsp check SINNERSCHRADER

  46. Alternatives • OpenVAS / vuls • https://github.com/0x4D31/salt-scanner • Your-typical-Enterprise-Distribution-Mgmt-here • Reverse uptime & Golden image freshness SINNERSCHRADER

  47. Kudos • Kirill Ermakov from Vulners.com(@isox_xx) • Christoph Trautwein (@trautw) & the S2 ops crew SINNERSCHRADER

  48. Thanks!

Recommend

Centralised patch management J. Barhorst & M. Pels July 5, 2005 What did we do? Contents

Centralised patch management J. Barhorst & M. Pels July 5, 2005 What did we do? Contents

Centralised patch management J. Barhorst & M. Pels July 5, 2005 What did we do? Contents Activities Comparison Look at client update tools Requirements Create list of research topics Proof of Concept Conclusion

389 views • 16 slides
An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of Generate-And- Validate Patch Genera8on System Zichao Qi , Fan Long, Sara Achour, and Mar8n Rinard MIT

323 views • 29 slides
PATCH MANAGER. The Comprehensive Connectivity and Asset Management Software Solution About

PATCH MANAGER. The Comprehensive Connectivity and Asset Management Software Solution About

PATCH MANAGER. The Comprehensive Connectivity and Asset Management Software Solution About Patchmanager B.V. Software technology company Established in 2002 Based out of Amsterdam, the Netherlands Independent, owner

493 views • 20 slides
La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong Zhang 1 , Chenguang Zhu 2 , Yi Li 3 , Jianmei Guo 1 , Lihua Liu 1 , and Haobo Gu 1 1. Alibaba Group 2. University of Texas at Austin 3. Nanyang

462 views • 7 slides
Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

5/21/2015 Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and Dermatology Irritation of Post-Market Dermatology Irritation Evaluation Change and Generic Drug Evaluation Presented by Mark Liu,

529 views • 22 slides
How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to Aws console 2. Select launch instance 3. Select your OS 4. Choose instance type 5. Select VPC 6. Add storage 7. Tag your instance 8. Configure security

185 views • 14 slides
Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas)

Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas)

Great Pacific Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas) -1.8 Trillion pieces of microplastic (not biodegradable) -88,000 Tons -Comprised of the Western Garbage Patch (near Japan) and

388 views • 6 slides
Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym:

Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym:

COMPOSITE MPOSITE PATCH PATCH REPAIR REPAIR CO OF METALLIC MARINE STRUCTURES OF METALLIC MARINE STRUCTURES Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym: "Co-Patch www.co-patch.com Duration: 36

663 views • 21 slides
PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX

PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX

PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 03/2013 EX Patch Planer for Excavators EX Patch Planer for Excavators EX Patch Planer for

1.27k views • 80 slides
Versions all the way down Versioning commits and patches with git-series Josh Triplett

Versions all the way down Versioning commits and patches with git-series Josh Triplett

Versions all the way down Versioning commits and patches with git-series Josh Triplett josh@joshtriplett.org LinuxCon North America 2016 RFC: feature RFC: feature Development git commit git format-patch -3 git format-patch -3 [PATCH 1/3]

1.19k views • 105 slides
0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan

0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan

BLACKHAT Europe 2008 0-Day Patch 0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan Frei + Bernhard Tellenbach Communication Systems Group ETH Zurich Switzerland http://www.csg.ethz.ch

414 views • 17 slides
A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many

A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many

A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many Problems are Inherently Multiscale Wu & David (2001) Hierarchical Patch Dynamics (HPD) ( Wu and Loucks 1995) HPD explicitly integrates

188 views • 15 slides
About unchecked management Conclusion Bruno Pujos July 16, 2016 Bruno Pujos 1 / 45 Whoami

About unchecked management Conclusion Bruno Pujos July 16, 2016 Bruno Pujos 1 / 45 Whoami

About unchecked management SMM & UEFI Vulnerability Patch About unchecked management Conclusion Bruno Pujos July 16, 2016 Bruno Pujos 1 / 45 Whoami About unchecked management SMM & UEFI Vulnerability Patch Conclusion Bruno

1.03k views • 45 slides
Bruin Patch & Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for

Bruin Patch & Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for

Brookings-Harbor School District 17C School-based Businesses Bruin Patch & Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for success OSU Extension Office Local School District 4H Youth Bruin Patch &

612 views • 12 slides
Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018

Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018

Review of Patch Reviewing Stephen Frost Crunchy Data stephen@crunchydata.com PGConf.EU 2018 October 24, 2018 Introduction About Patches Commitfests Reviewing a Patch Committing Patches Committers Stephen Frost Chief Technology Officer @

637 views • 25 slides
Ordinance Slide PHOTO 1: Deteriorated brownstone unit. PHOTO 2: Loose brownstone, pointing, and

Ordinance Slide PHOTO 1: Deteriorated brownstone unit. PHOTO 2: Loose brownstone, pointing, and

Ordinance Slide PHOTO 1: Deteriorated brownstone unit. PHOTO 2: Loose brownstone, pointing, and patch material. PHOTO 4: Deteriorated patch repair after manual removal. PHOTO 3: Deteriorated patch repairs and vertical cracks in brownstone.

554 views • 26 slides
Composer: good practices Kuba Weros Semantic Versioning MAJOR.MINOR.PATCH 1. MAJOR

Composer: good practices Kuba Weros Semantic Versioning MAJOR.MINOR.PATCH 1. MAJOR

Composer: good practices Kuba Weros Semantic Versioning MAJOR.MINOR.PATCH 1. MAJOR incompatible (breaking) API changes, 2. MINOR add functionality in a backwards-compatible manner, 3. PATCH backwards-compatible bug fixes.

578 views • 42 slides
Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari,

Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari,

Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari, Stefano Zanero Politecnico di Milano Acknowledgments: Matteo Penco, Michele Carminati, Andrea Palanca, Eric Evenchick, Federico Maggi $whoami Stefano

788 views • 49 slides
1 Bilinear Patch Bicubic Bezier Patch Editing Bicubic Bezier Patches Curve Basis Functions

1 Bilinear Patch Bicubic Bezier Patch Editing Bicubic Bezier Patches Curve Basis Functions

Bzier Surfaces http://www.ibiblio.org/e-notes/Splines/fig/surf2.gif Bezier Surfaces Introduction Constructing a surface relies very much on the ideas behind constructing curves Surfaces can be thought of as Bezier curves in all

290 views • 5 slides
Our story At Gemtree we have been gifted the opportunity to work a unique patch of the earth in

Our story At Gemtree we have been gifted the opportunity to work a unique patch of the earth in

Our story At Gemtree we have been gifted the opportunity to work a unique patch of the earth in South Australias McLaren Vale. By respecting and nurturing this land we harvest high quality, flavourful grapes each and every vintage from

371 views • 9 slides
PlaneMatch: Patch Coplanarity Prediction for Robust RGB-D Reconstruction Yifei Shi, Kai Xu,

PlaneMatch: Patch Coplanarity Prediction for Robust RGB-D Reconstruction Yifei Shi, Kai Xu,

PlaneMatch: Patch Coplanarity Prediction for Robust RGB-D Reconstruction Yifei Shi, Kai Xu, Matthias Niessner, Szymon Rusinkiewicz, Thomas Funkhouser Princeton University National University of Defense Technology Technical University of Munich

417 views • 38 slides
High order multi- block/patch evolutions of Einsteins equations: an update or From

High order multi- block/patch evolutions of Einsteins equations: an update or From

High order multi- block/patch evolutions of Einsteins equations: an update or From differential geometry to multiple blocks or From energy estimates to numerical stability Manuel Tiglio Department of Physics & Astronomy and Center for

518 views • 23 slides
Pat Patch ch-based based Ei Eigen en-fac ace e Isomap omap Netw Networ orks ks By:

Pat Patch ch-based based Ei Eigen en-fac ace e Isomap omap Netw Networ orks ks By:

Fac acial ial Ex Expression ression Det etecti ection on using ng Pat Patch ch-based based Ei Eigen en-fac ace e Isomap omap Netw Networ orks ks By: Sohini Roychowdhury, Assistant Professor, Department of Electrical and

951 views • 17 slides
From Derricks to Desktops litigation in the oil patch David Kirk, CPA, ABV, CFF Forensics

From Derricks to Desktops litigation in the oil patch David Kirk, CPA, ABV, CFF Forensics

From Derricks to Desktops litigation in the oil patch David Kirk, CPA, ABV, CFF Forensics and Litigation Services Setting the Stage Why are we seeing an increase in litigation in the Oil and Gas Industry? 1. Market Volatility - Most

469 views • 34 slides

More recommend