Managing software patch installations

US 9,069,969 B2
Filed: 06/13/2012
Issued: 06/30/2015
Est. Priority Date: 06/13/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A computer hardware-implemented method of managing software patches, the computer hardware-implemented method comprising:

receiving, by a computer monitoring hardware system, a notification of a new release of a software patch;

scoring, by the computer monitoring hardware system, a security posture of a monitored computer system, wherein said scoring generates a security posture value based on a set of computer system parameters for the monitored computer system, wherein the set of computer system parameters is described by a set of binary data, wherein the set of computer system parameters comprises a past history of attacks on the monitored computer system, and wherein said scoring is performed by the computer monitoring hardware system utilizing the set of binary data as inputs to a patch control logic within the computer monitoring hardware system;

determining, by the patch control logic within the computer monitoring hardware system, whether the monitored computer system is authorized to install the software patch;

determining, by the patch control logic within the computer monitoring hardware system, whether the security posture value exceeds a predetermined value;

in response to the patch control logic within the computer monitoring hardware system determining that the monitored computer system is authorized to install the software patch, and in response to the patch control logic within the computer monitoring hardware system determining that the security posture value exceeds the predetermined value, retrieving and installing the software patch into the monitored computer system;

determining, by the computer monitoring hardware system, a level of integrity and trustworthiness of data stored on a first computer system and a second computer system, wherein trusted data is deemed to have a high level of integrity and trustworthiness is determined to be accurate by a data audit, wherein accurate data correctly represent facts as ascertained by the data audit, and wherein untrusted data is deemed to have a low level of integrity and trustworthiness if coming from data that have not been formally audited; and

scheduling, by the computer monitoring hardware system, installation of the software patch in a computer system that holds the trusted data before installing the software patch in a computer system that holds the untrusted data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer hardware-implemented method, system, and/or computer program product manages software patches. A computer monitoring hardware system receives a notification of a new release of a software patch. The computer monitoring hardware system scores a security posture of a monitored computer system to generate a security posture value based on a set of computer system parameters for the monitored computer system. In response to patch control logic within the computer monitoring hardware system determining that the monitored computer system is authorized to install the software patch and that the security posture value exceeds the predetermined value, the computer monitoring hardware system retrieves and installs the software patch in the monitored computer system.

25 Citations

View as Search Results

19 Claims

1. A computer hardware-implemented method of managing software patches, the computer hardware-implemented method comprising:
- receiving, by a computer monitoring hardware system, a notification of a new release of a software patch;
  
  scoring, by the computer monitoring hardware system, a security posture of a monitored computer system, wherein said scoring generates a security posture value based on a set of computer system parameters for the monitored computer system, wherein the set of computer system parameters is described by a set of binary data, wherein the set of computer system parameters comprises a past history of attacks on the monitored computer system, and wherein said scoring is performed by the computer monitoring hardware system utilizing the set of binary data as inputs to a patch control logic within the computer monitoring hardware system;
  
  determining, by the patch control logic within the computer monitoring hardware system, whether the monitored computer system is authorized to install the software patch;
  
  determining, by the patch control logic within the computer monitoring hardware system, whether the security posture value exceeds a predetermined value;
  
  in response to the patch control logic within the computer monitoring hardware system determining that the monitored computer system is authorized to install the software patch, and in response to the patch control logic within the computer monitoring hardware system determining that the security posture value exceeds the predetermined value, retrieving and installing the software patch into the monitored computer system;
  
  determining, by the computer monitoring hardware system, a level of integrity and trustworthiness of data stored on a first computer system and a second computer system, wherein trusted data is deemed to have a high level of integrity and trustworthiness is determined to be accurate by a data audit, wherein accurate data correctly represent facts as ascertained by the data audit, and wherein untrusted data is deemed to have a low level of integrity and trustworthiness if coming from data that have not been formally audited; and
  
  scheduling, by the computer monitoring hardware system, installation of the software patch in a computer system that holds the trusted data before installing the software patch in a computer system that holds the untrusted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer hardware-implemented method of claim 1, wherein the set of computer system parameters further comprises a predetermined level of exposure of the monitored computer system to other computer systems, wherein the predetermined level of exposure is based on whether a computer system is behind a firewall, and wherein the computer hardware-implemented method further comprises:
    - determining, by the computer monitoring hardware system, that the first computer system is behind the firewall;
      
      determining, by the computer monitoring hardware system, that the second computer system is not behind the firewall; and
      
      scheduling, by the computer monitoring hardware system, installation of the software patch on the first computer system that is behind the firewall before installing the software patch on the second computer system that is not behind the firewall.
  - 3. The computer hardware-implemented method of claim 1, wherein the set of computer system parameters further comprises an amount of time that the monitored computer system will be unavailable for use while the software patch is being installed on the monitored computer system, wherein the first computer will be unavailable for use for a first length of time, wherein the second computer will be unavailable for use for a second length of time, wherein the first length of time is longer than the second length of time, and wherein the computer hardware-implemented method further comprises:
    - scheduling, by the computer monitoring hardware system, installation of the software patch in the second computer before installing the software patch in the first computer.
  - 4. The computer hardware-implemented method of claim 1, wherein the set of computer system parameters further comprises a quantity of steps required to access the monitored computer system, wherein the software patch is installed in a computer requiring more steps of a user to be accessed before being installed in a computer that requires relatively fewer steps of the user to be accessed.
  - 5. The computer hardware-implemented method of claim 1, wherein the set of computer system parameters further comprises a quantity of remote databases that are accessible by the monitored computer system, wherein the first computer has access to a first quantity of remote databases, wherein the second computer has access to a second quantity of remote databases, wherein the first quantity is less than the second quantity, and wherein the computer hardware-implemented method further comprises:
    - scheduling, by the computer monitoring hardware system, installation of the software patch in the second computer before installing the software patch in the first computer.
  - 6. The computer hardware-implemented method of claim 1, wherein each parameter from the set of computer system parameters is individually weighted to generate a weighted security posture value, and wherein each parameter is weighted according to a predetermined importance of said each parameter.
  - 7. The computer hardware-implemented method of claim 1, further comprising:
    - assigning the monitored computer system to a group of computer systems, wherein each computer system in the group of computer systems has a same scored security posture as the monitored computer system; and
      
      installing the software patch in each computer system in the group of computer systems.
  - 8. The computer hardware-implemented method of claim 7, wherein each computer system in the group of computer systems uses a same type of processor.
  - 9. The computer hardware-implemented method of claim 7, wherein each computer system in the group of computer systems uses a same operating system.
  - 10. The computer hardware-implemented method of claim 7, wherein the software patch is for a specific operating system, and wherein each computer system in the group of computer systems uses a same application program that runs under the specific operating system.
  - 11. The computer hardware-implemented method of claim 1, further comprising:
    - classifying the software patch as being part of a particular class of software patches; and
      
      transmitting the notification of the new release of the software patch only to a user group of persons that has been assigned to handle the particular class of software patches.
  - 12. The computer hardware-implemented method of claim 11, wherein the particular class of software patches is defined as patches designated for use in a specific hardware system that is running a particular application under a predetermined operating system.
  - 13. The computer hardware-implemented method of claim 1, further comprising:
    - receiving notification of additional software patches for the monitored computer system;
      
      comparing a criticality level of the software patch to a criticality level of the additional software patches, wherein each said criticality level has been predetermined according to how critical the software patch and the additional software patches are to enabling a target software to continue to function within predefined parameters; and
      
      prioritizing installation of the software patch and the additional software patches based on the criticality level of the software patch as compared to the criticality level of the additional software patches.
  - 14. The computer hardware-implemented method of claim 13, wherein the criticality level is further based on a predetermined level of exploitability of the monitored computer system, and wherein the predetermined level of exploitability is based on an amount of time required to access the monitored computer system without authorization.
  - 15. The computer hardware-implemented method of claim 1, wherein the software patch is designed to repair a first software component, and wherein the computer hardware-implemented method further comprises:
    - determining that the software patch affects an operation of a second software component; and
      
      in response to determining that installing the software patch on the monitored computer system causes the second software component to malfunction, uninstalling the software patch.
  - 16. The computer hardware-implemented method of claim 15, wherein the first software component is an operating system and the second software component is an application program.
  - 17. The computer hardware-implemented method of claim 15, wherein the first software component is a first type of application program and the second software component is a second type of application program.

18. A computer program product for managing software patches, wherein the computer program product comprises:
- a non-transitory computer readable storage media;
  
  first program instructions receive a notification of a new release of a software patch;
  
  second program instructions to score a security posture of a monitored computer system, wherein said scoring generates a security posture value based on a set of computer system parameters for the monitored computer system, and wherein the set of computer system parameters comprises a past history of attacks on the monitored computer system;
  
  third program instructions to determine whether the monitored computer system is authorized to install the software patch;
  
  fourth program instructions to determine whether the security posture value exceeds a predetermined value;
  
  fifth program instructions to, in response to determining that the monitored computer system is authorized to install the software patch, and in response to determining that the security posture value exceeds the predetermined value, retrieve and install the software patch into the monitored computer system;
  
  sixth program instructions to determine a level of integrity and trustworthiness of data stored on a first computer system and a second computer system, wherein trusted data is deemed to have a high level of integrity and trustworthiness if determined to be accurate by a data audit, and wherein untrusted data is deemed to have a low level of integrity and trustworthiness if coming from data that have not been formally audited; and
  
  seventh program instructions to schedule installation of the software patch in a computer system that holds the trusted data before installing the software patch in a computer system that holds the untrusted data; and
  
  whereinthe first, second, third, fourth, fifth, sixth, and seventh program instructions are stored on the non-transitory computer readable storage media.

19. A system comprising:
- a processor, a computer readable memory, and a non-transitory computer readable storage media;
  
  first program instructions to receive a notification of a new release of a software patch;
  
  second program instructions to score a security posture of a monitored computer system, wherein said scoring generates a security posture value based on a set of computer system parameters for the monitored computer system, and wherein the set of computer system parameters comprises a past history of attacks on the monitored computer system;
  
  third program instructions to determine whether the monitored computer system is authorized to install the software patch;
  
  fourth program instructions to determine whether the security posture value exceeds a predetermined value;
  
  fifth program instructions to, in response to determining that the monitored computer system is authorized to install the software patch, and in response to determining that the security posture value exceeds the predetermined value, retrieve and install the software patch into the monitored computer system;
  
  sixth program instructions to determine a level of integrity and trustworthiness of data stored on a first computer system and a second computer system, wherein trusted data is deemed to have a high level of integrity and trustworthiness if determined to be accurate by a data audit, and wherein untrusted data is deemed to have a low level of integrity and trustworthiness if coming from data that have not been formally audited; and
  
  seventh program instructions to schedule installation of the software patch in a computer system that holds the trusted data before installing the software patch in a computer system that holds the untrusted data; and
  
  whereinthe first, second, third, fourth, fifth, sixth, and seventh program instructions are stored on the non-transitory computer readable storage media for execution by the processor via the computer readable memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ayachitula, Naga A., Lemke, William A., Puri, Rajeev
Primary Examiner(s)
Su, Sarah

Application Number

US13/495,504
Publication Number

US 20130340074A1
Time in Patent Office

1,112 Days
Field of Search

726/22, 726/23, 726/25, 713/188
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Managing software patch installations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Managing software patch installations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links