Security Company: Microsoft Patching Updates Are 'Changing the Model'
Shavlik recommends rolling out patching pilot programs.
Windows-as-a-Service has arrived. What does it mean? Security company and "Patch Tuesday" specialist Shavlik had some thoughts and advice to offer about the big changes.
Shavlik makes patch management and endpoint security solutions, and is also known for its Patchmangement.org list-serve discussion forum for IT pros. The company also publishes Patch Tuesday infographic analyses.
On Oct. 11, Microsoft fully initiated its "Windows as a service" cumulative update model. It's currently in place for Windows 10, but Microsoft will be extending it to all other supported Windows operating systems, too, such as Windows 7/8 and Windows Server 2012/R2, starting on Oct. 11.
Going forward, on each patch Tuesday, Microsoft plans to release two updates. There will be a "security-only" update consisting of security fixes only. There also will be a "monthly rollup" that will include those same security fixes combined nonsecurity updates. Microsoft just explained these new patch terms on Friday. The shift to the new patch model was announced back in August.
Shavlik has heard plenty of questions about the coming changes, but it won't affect support on Shavlik products.
"This won't break our ability to support our customers," said Chris Goettl, a product manager at Shavlik, in a phone interview today. "It's just changing the model for how we deliver things."
Those solutions include the Shavlik Protect product line, a proprietary patch management solution that does not require System Center Configuration Manager (SCCM) or Windows Server Update Services. Protect supports Windows and Mac OSes, and Linux support is planned for next year, Goettl said. In addition, Shavlik makes a plug-in for SCCM, which also delivers updates from vendors such as Adobe, Oracle, Google, Mozilla and Apple.
There's also an Application Manager for SCCM product. It provides "better privilege management and better whitelisting capabilities than what you get out of the box with the Windows platforms," Goettl explained. The whitelisting function takes the burden off IT because they can "make broad decisions and fine tune it," he added.
A third product, Xtraction, adds visibility into where problems are occurring. It has connectors that can take data from SCCM and serve it up through a dashboard to aid in making the right decisions.
Goettl previously served 15 years in IT management before joining Shavlik in 2004. He had some quick rule-of-thumb advice for IT pros preparing for Microsoft's patch Tuesday event. The idea is to apply Microsoft's security-only patches to existing systems on Oct. 11. The "monthly rollup," on the other hand, can be applied to new systems.
"Basically, the security bundle [security only] is the way you want to go with the new Microsoft model," Goettl said. "Start there for existing systems. As you roll out new systems, try to start with the cumulative update [monthly rollup] and downgrade to the month-to-month bundle if the rollup runs into issues. Long term, you'll be more effective if you take that route."
One catch, though, is that the Window Server Update Services (WSUS) management solution can't distinguish between the two updates without setting up PowerShell customizations.
"Unfortunately, there's no easy way [to apply the security-only update] if they are using WSUS," Goettl clarified, via an e-mail. "Microsoft even described this in their blog post last week. If they set up the Security Updates option it includes both. We have broken this out in our catalog so that the Security Only update is under our Security patch type and the Security Rollup, which includes the nonsecurity updates as well, is under our nonsecurity patch type."
He also recommended setting up patch piloting programs that include the right people in an organization. The IT department should bring the applications power users into the patch testing process to discover any compatibility issues. They will most likely be able to spot any problems.
Microsoft has explained that it will take until "early 2017" for its patches to become fully cumulative updates under this new model. But this new cumulative model approach for all supported Windows OSes ultimately will preclude the ability of IT to simply roll back an individual patch when things go bad. They'll instead have to roll back the whole cumulative update for the month.
This circumstance could lead some organizations to skip an update because of a single problematic patch. However, the update could also contain a fix for a critical zero-day security vulnerability. That's a problem, and the new patch approach could also impose greater time demands on IT, too, Goettl suggested.
"The time to get a patch in place is probably going to take longer," Goettl said. "As this stretches out, you're going to see the average time for an enterprise to get a patch in place is going to take additional time. The number of exceptions is going to become problematic. One exception -- in September, in the earlier terms -- means a potential important CVE not being put in place. One exception -- in the new model -- could mean a public exploit and potential disclosures that could lead to an exploit, a higher probability of leading to an exploit, in the near future. So that's going to be the reality."
Microsoft has already suggested that organizations should look to application solution vendors if they experience compatibility problems under the new Microsoft patch model. But Goettl explained that solution vendor responses can vary within the industry. For instance, in the healthcare industry, a medical vendor could just tell a hospital experiencing problems after a Windows update that the device just isn't on the right version.
"However, you can't just tell a hospital, 'Sorry, you have to update tens of millions of dollars of equipment so you can support this new patching model,'" Goettl said. He added that there could be "a whole bunch of additional backlash on this."
Likely, the industry discussion will get broadened because of it.
"Patch management has always been a basic operation in its function, but the security implications of it have often been swept under the rug," Goettl said. "People don't think of patching as a security operation. They think of it as just monthly maintenance that has to be done. The implications of this change really are going to bring this back out into the larger discussion. It's not just a conversation around patch remediation anymore. It's a conversation about application compatibility. It's a conversation about my partnership or my relationship with my ISVs. My software vendors are going to have to be responsive or I'm going to have to walk away from them."
The patching model, as represented by Windows 10, hasn't been without flaws, Goettl noted.
"With the [Windows 10] anniversary release, there were several things that broke," he said. "They [Microsoft] broke their own PowerShell platform. They broke the ability to use Webcams."
When a Microsoft January update broke the Citrix XenDesktop client, the two software giants worked together and had a solution in place within a week. That was a good example, Goettl noted, but other software vendors might not so easily turn on a dime, he added.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.