[ISN] Microsoft program: 'You patch, we pay'

[InfoSec News]

http://www.nwfusion.com/news/2004/0325mspatch.html

By Paul Roberts
IDG News Service
03/25/04

Under a new program, Microsoft is paying for security assessments of
its customers' networks to help improve policies in areas such as
software patch management and assuage fears about the security risks
posed by Microsoft products.

The Microsoft Patch Assurance Security Service was started in late
2003. As part of the program, Microsoft is offering free security
audits to all of its enterprise customers and paying for the services
of third party security consultants, including Internet Security
Systems Inc., to do the audits, according to interviews with those
involved in the program.

In many cases, Microsoft's patch management products and services,
including Systems Management Server (SMS) and Software Update Services
(SUS), are recommended to customers as part of the audit, interviewees
said.

Figures on the total cost of the Patch Assurance Security Service were
not available, but it is an extensive program to reach out to
Microsoft's entire enterprise customer base, defined as customers with
500 or more Windows desktops, said Peter Noelle, a partner account
manager at Microsoft in Atlanta.

Microsoft has contacted around 75% of the 200 enterprise customers in
the district that includes Atlanta regarding the program and the "vast
majority," more than 90% of those companies, have signed up for the
free service. The company hopes to contact all its enterprise
customers by the end of its fiscal year in June 2004, he said.

Microsoft is offering the same service in each of 17 regional
districts in the U.S., using local and national consulting partners to
perform the assessments, he said.

In the southeast district, Microsoft is working through Blackstone &
Cullen, an Atlanta IT consulting company and Microsoft Gold Certified
Partner, said David Sie, security practice manager and Blackstone &
Cullen.

"We're an extension of Microsoft. Microsoft lets us know which of
their customers they'd like us to help them perform the services...  
then they decide what the priority (of the customer) and the scope (of
the security assessment) is for the customer," he said.

In turn, Blackstone & Cullen has contracted with Internet Security
Systems (ISS), also of Atlanta, to conduct vulnerability assessments
for the Microsoft customers, Sie said.

Microsoft pays for the services of both companies on behalf of its
customers, which are typically Microsoft-centric organizations using a
"significant amount" of Microsoft technology, Sie said.

The purpose of the program is to reduce the number of Microsoft
customers who do not apply software updates from the Redmond, Wash.,
company by promoting patch management best practices. Secondarily,
Microsoft is hoping to boost its credibility in the enterprise space
on issues of security, Noelle said.

Assessments can last from days to weeks and range from "best
practices" cases where few recommendations are needed to "dark
pictures" where a "very significant" amount of work is required, he
said.

Typically, the assessment concludes with a set of recommendations and
"actionable steps" that companies should take to improve their patch
management processes, Noelle and Sie said.

Microsoft's sales organization follows up on the recommendations with
the customer. In addition, Microsoft's partner companies often land
contract work stemming from the assessments they perform, Noelle said.

When patch management technology is needed, Blackstone & Cullen
recommend Microsoft's SMS change and configuration management
technology, Sie said.

"Naturally, Microsoft is recommending the use of their SMS, but its up
to the customer to decide," he said.

That limited product focus could be a problem for Microsoft customers,
said John Pescatore, vice president at Gartner. "The problem is that
SMS is not a strong product... When people ask us about (patch
management), we talk about SMS but we don't consider it a leader," he
said. Products from Novadigm, Altiris and others outperform SMS, and
an independent assessment would mention such products in its findings,
Pescatore said.

Microsoft is not the only company hoping to cash in on the
recommendations that follow the assessments.

ISS is planning on Monday to formally announce a range of security
assessment, remediation and management services for Microsoft
customers.

ISS will offer a program to perform "deep assessments" of Microsoft
customer networks with the goal of improving software patching
processes and systems, said Kerry Armistead , product manager for
professional security services and education at ISS.

The ISS program will offer its customers three levels of assessment,
"basic," "gold" and "platinum," that couple vulnerability assessments
with patch management plans. The company will add services such as
system policy design and best-practices recommendations for customers
that select the higher-level offerings, Armistead said.

"The goal is to leave you with a system in place to keep up with
patches -- give you change- and release-management processes so that
as new patches roll out, you have a well-oiled machine to distribute
them before malicious code is released," he said.

At CareGroup Healthcare System in Boston, consultants from Microsoft's
Services group did a free security assessment at Beth Israel Deaconess
Medical Center (BIDMC) in late 2003, said John Halamka, CareGroup's
chief information officer.

That followed a series of critical security alerts and Internet worms
concerning Microsoft products at that time, he said. "When Microsoft
had all those security issues, we decided that we needed an enterprise
view of things. It was getting too hard to deal with the daily patch
routine," Halamka said.

Following the assessment, CareGroup launched a "hardening project"  
with Microsoft Services consultants to move the nonprofit health care
organization to the latest generation of Redmond's products including
Microsoft Exchange 2003 and the latest versions of Windows XP and
Microsoft Office. CareGroup will use SMS 2003 to apply patches and
remotely manage 4,500 Windows desktops, he said.

That project will be done by the end of 2004 and is going "very well,"  
he said. However, not all customers have been receptive to the free
offer, Noelle said. "We get all kinds of responses, some do it. Some
just don't like Microsoft. There's all kinds of feedback," he said.

Microsoft's free patch assessment program is similar to previous
Redmond efforts to smooth over big technology shifts by giving away
consulting services, Pescatore said, citing programs linked to the
introduction of Active Directory and the Kerberos authentication
protocol. The program might succeed in improving patching procedures
at some organizations. However, for most companies, faster patching
will not solve the problem of insecure products, he said.

Most enterprises still need a month to fully test Microsoft patches,
distribute them to their user desktops and servers, and troubleshoot
following deployment. In the meantime, software exploit and virus
writers have shortened the length of time between disclosure of a
vulnerability and the release of malicious code that takes advantage
of that hole to just a few days, he said.

"You can't just say 'Here's a new patch. Quick, push it out.' If it
breaks an application, they're worse off than when they were
unpatched," he said.