MANAGING SOFTWARE PATCH INSTALLATIONS

US 20130340074A1
Filed: 06/13/2012
Published: 12/19/2013
Est. Priority Date: 06/13/2012
Status: Active Grant

First Claim

Patent Images

1. A computer hardware-implemented method of managing software patches, the computer hardware-implemented method comprising:

receiving, by a computer monitoring hardware system, a notification of a new release of a software patch;

scoring, by the computer monitoring hardware system, a security posture of a monitored computer system, wherein said scoring generates a security posture value based on a set of computer system parameters for the monitored computer system, wherein the set of computer system parameters is described by a set of binary data, wherein the set of computer system parameters comprises a past history of attacks on the monitored computer system, and wherein said scoring is performed by the computer monitoring hardware system utilizing the set of binary data as inputs to a patch control logic within the computer monitoring hardware system;

determining, by the patch control logic within the computer monitoring hardware system, whether the monitored computer system is authorized to install the software patch;

determining, by the patch control logic within the computer monitoring hardware system, whether the security posture value exceeds a predetermined value; and

in response to the patch control logic within the computer monitoring hardware system determining that the monitored computer system is authorized to install the software patch, and in response to the patch control logic within the computer monitoring hardware system determining that the security posture value exceeds the predetermined value, retrieving and installing the software patch into the monitored computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer hardware-implemented method, system, and/or computer program product manages software patches. A computer monitoring hardware system receives a notification of a new release of a software patch. The computer monitoring hardware system scores a security posture of a monitored computer system to generate a security posture value based on a set of computer system parameters for the monitored computer system. In response to patch control logic within the computer monitoring hardware system determining that the monitored computer system is authorized to install the software patch and that the security posture value exceeds the predetermined value, the computer monitoring hardware system retrieves and installs the software patch in the monitored computer system.

25 Citations

View as Search Results

20 Claims

1. A computer hardware-implemented method of managing software patches, the computer hardware-implemented method comprising:
- receiving, by a computer monitoring hardware system, a notification of a new release of a software patch;
  
  scoring, by the computer monitoring hardware system, a security posture of a monitored computer system, wherein said scoring generates a security posture value based on a set of computer system parameters for the monitored computer system, wherein the set of computer system parameters is described by a set of binary data, wherein the set of computer system parameters comprises a past history of attacks on the monitored computer system, and wherein said scoring is performed by the computer monitoring hardware system utilizing the set of binary data as inputs to a patch control logic within the computer monitoring hardware system;
  
  determining, by the patch control logic within the computer monitoring hardware system, whether the monitored computer system is authorized to install the software patch;
  
  determining, by the patch control logic within the computer monitoring hardware system, whether the security posture value exceeds a predetermined value; and
  
  in response to the patch control logic within the computer monitoring hardware system determining that the monitored computer system is authorized to install the software patch, and in response to the patch control logic within the computer monitoring hardware system determining that the security posture value exceeds the predetermined value, retrieving and installing the software patch into the monitored computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer hardware-implemented method of claim 1, wherein the set of computer system parameters further comprises a predetermined level of exposure of the monitored computer system to other computer systems.
  - 3. The computer hardware-implemented method of claim 1, wherein the set of computer system parameters further comprises a predetermined level of integrity and trustworthiness of data stored on the monitored computer system.
  - 4. The computer hardware-implemented method of claim 1, wherein the set of computer system parameters further comprises an amount of time that the monitored computer system will be unavailable for use while the software patch is installed on the monitored computer system.
  - 5. The computer hardware-implemented method of claim 1, wherein the set of computer system parameters further comprises a quantity of steps required to access the monitored computer system.
  - 6. The computer hardware-implemented method of claim 1, wherein the set of computer system parameters further comprises a quantity of remote databases that are accessible by the monitored computer system.
  - 7. The computer hardware-implemented method of claim 1, wherein each parameter from the set of computer system parameters is individually weighted to generate a weighted security posture value, and wherein each parameter is weighted according to a predetermined importance of said each parameter.
  - 8. The computer hardware-implemented method of claim 1, further comprising:
    - assigning the monitored computer system to a group of computer systems, wherein each computer system in the group of computer systems has a same scored security posture as the monitored computer system; and
      
      installing the software patch in each computer system in the group of computer systems.
  - 9. The computer hardware-implemented method of claim 8, wherein each computer system in the group of computer systems uses a same type of processor.
  - 10. The computer hardware-implemented method of claim 8, wherein each computer system in the group of computer systems uses a same operating system.
  - 11. The computer hardware-implemented method of claim 8, wherein the software patch is for a specific operating system, and wherein each computer system in the group of computer systems uses a same application program that runs under the specific operating system.
  - 12. The computer hardware-implemented method of claim 1, further comprising:
    - classifying the software patch as being part of a particular class of software patches; and
      
      transmitting the notification of the new release of the software patch only to a user group of persons that has been assigned to handle the particular class of software patches.
  - 13. The computer hardware-implemented method of claim 12, wherein the particular class of software patches is defined as patches designated for use in a specific hardware system that is running a particular application under a predetermined operating system.
  - 14. The computer hardware-implemented method of claim 1, further comprising:
    - receiving notification of additional software patches for the monitored computer system;
      
      comparing a criticality level of the software patch to a criticality level of the additional software patches, wherein each said criticality level has been predetermined according to how critical the software patch and the additional software patches are to enabling a target software to continue to function within predefined parameters; and
      
      prioritizing installation of the software patch and the additional software patches based on the criticality level of the software patch as compared to the criticality level of the additional software patches.
  - 15. The computer hardware-implemented method of claim 14, wherein the criticality level is further based on a predetermined level of exploitability of the monitored computer system, and wherein the predetermined level of exploitability is based on an amount of time required to access the monitored computer system without authorization.
  - 16. The computer hardware-implemented method of claim 1, wherein the software patch is designed to repair a first software component, and wherein the computer hardware-implemented method further comprises:
    - determining that the software patch affects an operation of a second software component; and
      
      in response to determining that installing the software patch on the monitored computer system causes the second software component to malfunction, uninstalling the software patch.
  - 17. The computer hardware-implemented method of claim 16, wherein the first software component is an operating system and the second software component is an application program.
  - 18. The computer hardware-implemented method of claim 16, wherein the first software component is a first type of application program and the second software component is a second type of application program.

19. A computer program product for managing software patches, wherein the computer program product comprises:
- a computer readable storage media;
  
  first program instructions receive a notification of a new release of a software patch;
  
  second program instructions to score a security posture of a monitored computer system, wherein said scoring generates a security posture value based on a set of computer system parameters for the monitored computer system, and wherein the set of computer system parameters comprises a past history of attacks on the monitored computer system;
  
  third program instructions to determine whether the monitored computer system is authorized to install the software patch;
  
  fourth program instructions to determine whether the security posture value exceeds a predetermined value; and
  
  fifth program instructions to, in response to determining that the monitored computer system is authorized to install the software patch, and in response to determining that the security posture value exceeds the predetermined value, retrieve and install the software patch into the monitored computer system; and
  
  whereinthe first, second, third, fourth, and fifth program instructions are stored on the computer readable storage media.

20. A system comprising:
- a processor, a computer readable memory, and a computer readable storage media;
  
  first program instructions to receive a notification of a new release of a software patch;
  
  second program instructions to score a security posture of a monitored computer system, wherein said scoring generates a security posture value based on a set of computer system parameters for the monitored computer system, and wherein the set of computer system parameters comprises a past history of attacks on the monitored computer system;
  
  third program instructions to determine whether the monitored computer system is authorized to install the software patch;
  
  fourth program instructions to determine whether the security posture value exceeds a predetermined value; and
  
  fifth program instructions to, in response to determining that the monitored computer system is authorized to install the software patch, and in response to determining that the security posture value exceeds the predetermined value, retrieve and install the software patch into the monitored computer system; and
  
  whereinthe first, second, third, fourth, and fifth program instructions are stored on the computer readable storage media for execution by the processor via the computer readable memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
AYACHITULA, Naga A., LEMKE, William A., PURI, Rajeev

Granted Patent

US 9,069,969 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

MANAGING SOFTWARE PATCH INSTALLATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MANAGING SOFTWARE PATCH INSTALLATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links