Patch use cases

Example 1: Automatically deploy key 2016 patches

You can create a patch list that identifies all important and critical 2016 patches. A patch list like this is useful for targeting groups of endpoints even if you have already achieved a high level of patch compliance. Many organizations want newly added endpoints in an enterprise network to automatically receive patches. This helps achieve patch security compliance automatically and avoids compliance issues caused by out-of-date endpoints that appear on the network between patch audit reporting cycles.

  1. Create a patch list with these settings:
    1. In the Rules section, create two rules with these conditions:
      • 2016 Critical Patches conditions
        • Release Date, On or After, 01/01/2016
        • Release Date, On or Before, 12/31/2016
        • Severity, Contains, critical
      • 2016 Important Patches conditions
        • Release Date, On or After, 01/01/2016
        • Release Date, On or Before, 12/31/2016
        • Severity, Contains, important

    2. Target the applicable computer groups.
  2. Install the patches with an ongoing deployment using the Patch List.

Any patches matching rule 1 or 2 are applied to the targeted computer groups. A catch-all patch list for previously released important and critical patches ensures that if a machine is brought online, even after a period of inactivity, that the policy is automatically applied.

For detailed steps, see Create a patch list and Create a deployment to install patches.

Example 2: Create a blacklist that excludes .NET patches

Assume you have several servers in a computer group of application servers that run business critical applications. Since .NET patches can change the underlying framework of an endpoint, you want to make sure these servers do not receive a patch that could adversely affect the running applications.

Create a blacklist for .NET patches with these settings:

  1. Create a rule with the conditions of Patch Title, Contains, .NET.
  2. Target the computer group that contains the application servers.

For detailed steps, see Exclude patches with blacklists.

Example 3: Stagger patch deployment to a worldwide network

Assume that you have a network that spans multiple time zones and you can only patch endpoints during certain times to avoid interfering with core work hours.

  1. If you want to monitor the results by time zone, create a computer group for each time zone.

    For example, you can use the question: Time Zone containing "EST" to create a dynamic computer group.

  2. Create one maintenance window. Set it to Tanium Client local time, such as 1-4 A.M. and how often it should repeat.
  3. Add the computer groups you want to target.
  4. Create a deployment to install the patches and target the same computer groups.

The endpoints install the patches at the designated times when employees are not working. The deployment results are split out by time zone to get a global view of the installation success.

For detailed steps, see Tanium Core Platform User Guide: Managing computer groups, Create a maintenance window, and Create a deployment to install patches.

Example 4: Address the Wanna Cry vulnerability

As one of the known leverage points of the Wanna Cry (wcry) ransomware, the Microsoft SMBv1 legacy protocol vulnerability was addressed in the Microsoft Security Bulletin MS17-010. Typically, a recent scan with the latest CAB file should indicate the need for any additional patches. You can use Patch to verify which endpoints are missing these critical patches by creating a patch list and deploying it where needed.

  1. (Optional) To get a count of affected endpoints in Interact, ask Get Online from all machines with Applicable Patches matching "(.*4012598.*|.*4012212.*|.*4012215.*|.*4012213.*|.*4012216.*|.*4012214.*|.*4012217.*|.*4012606.*|.*4013198.*|.*4013429.*)".

    This question provides a list of endpoints that are vulnerable to the MS17-010 Security Bulletin.

  2. If installation is needed, create a Patch list with one rule for each KB number using the conditions KB Articles, Contains, and these KB numbers as the expression:
    OS versionDescriptionPatches to check
    • Windows 10
    • Windows 2016
    Windows 10 and Windows 2016 use the latest cumulative update process. Deploying the March 2017 or later cumulative update should apply all necessary patches.Windows 10
    • KB4012606
    • KB4013198
    • KB4013429
    Windows 2016 - KB4013429
    • Windows 7
    • Windows 8.1
    • Windows 2008
    • Windows 2008R2
    • Windows 2012
    • Windows 2012R2
    There are two methods available to update vulnerable systems.
    • Method 1: Deploy the March 2017 Security Only Quality Updates
    • Method 2: Deploy the March 2017 (or later) Security Monthly Quality Rollup
    Windows Server 2008R2, Windows 7
    • Method 1 – KB4012212
    • Method 2 – KB4012215
    Windows Server 2012R2, Windows 8.1
    • Method 1 – KB4012213
    • Method 2 – KB4012216
    Windows 2012
    • Method 1 – KB4012214
    • Method 2 – KB4012217
    Windows Server 2008 SP2 - KB4012598 (Method 1 only)
    • Windows XP
    • Windows 2003
    Contact your TAM for assistance. 

    These must be individual rules so that they use the OR operand. We recommend using computer groups divided by operating system.

  3. (Optional) Review the applicability counts for each computer group.
  4. Install the patch lists with a deployment that includes restarting the endpoints.

    Consider making this an ongoing deployment to address endpoints that are currently offline.

  5. When the deployment is done, go to the Deployments > Installs page and select your deployment.
  6. Review the deployment status, expanding any section to display the count by sub-status.
  7. If you need to drill down further, you can click the Interact icon to see the results by computer name.

For more information on using other Tanium Modules to mitigate WannaCry, see the Tanium Tech Blog: “WannaCry” / “wcry” Ransomware Outbreak: How Tanium Can Help.