Shavlik Protect: Simplifying Patch, Threat, and Power Management Date: October 2013 Author: Mike Leone, ESG Lab Analyst

Transcription

1 ESG Lab Review Shavlik Protect: Simplifying Patch, Threat, and Power Management Date: October 2013 Author: Mike Leone, ESG Lab Analyst Abstract: This ESG Lab Review documents hands-on testing of Shavlik Protect with a focus on simplicity and manageability. The Challenges Security operations in today s data centers are becoming increasingly complex to manage. IT professionals must keep their systems up to date with the ever-increasing release frequency of the latest operating system, application, and database security patches required to ensure a protected and well-performing environment. The process of identifying, downloading, coordinating, implementing, verifying, and troubleshooting patches is time consuming and does not scale well. The process is inefficient, error prone, and often negatively affects the end-user experience of the systems under management. In a recent ESG poll, IT professionals were asked about the challenges they face in securing IT assets in their data centers. Nearly half (46%) of respondents said that keeping up with the latest security threat intelligence is one of the biggest challenges for their organizations (see Figure 1). Other significant challenges included monitoring networks and servers, detecting suspicious security events, and keeping up with patches and configuration changes. 1 Figure 1. Challenges Protecting IT Assets Residing in Data Centers In your opinion, what are the biggest challenges your organization faces with regard to protecting the IT assets residing in its data centers? (Percent of respondents, N=395, multiple responses accepted) Keeping up with the latest security threat intelligence Monitoring network activities 44% 46% Monitoring server activities Patching systems in a timely manner Event detection Keeping up with technology changes Scanning for vulnerabilities on a regular basis 39% 38% 37% 37% 36% 0% 10% 20% 30% 40% 50% Source: Enterprise Strategy Group, Source: ESG Research Brief, Top Security Challenges for IT Assets Residing in Data Centers, May The goal of ESG Lab reports is to educate IT professionals about data center technology products for companies of all types and sizes. ESG Lab reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objective is to go over some of the more valuable feature/functions of products, show how they can be used to solve real customer problems and identify any areas needing improvement. ESG Lab s expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments. This ESG Lab report was sponsored by LANDesk.

2 ESG Lab Review: Shavlik Protect: Simplifying Patch, Threat, and Power Management 2 The Solution: Shavlik Protect Shavlik Protect is a multi-function tool that enables organizations to easily perform patch management, threat management, and power management tasks on the physical and virtual machines within a network. By simplifying and automating system management tasks, Shavlik delivers enterprise IT capabilities without the cost and complexity that are commonly associated with today s IT environments. This helps to improve the time-to-value for organizations and IT professionals from months to minutes. Shavlik bundles best-in-class patch management with asset inventory, power management, and antivirus protection in an easy-to-use, centralized console. With agentless asset discovery, update support for a broad range of trusted applications, and a single console, organizations can increase operational efficiency without increasing management overhead and cost. Figure 2. Shavlik Protect Any Patch, Anywhere Technology Scan applications (Microsoft and third party) running on machines within an organization s network, assess the current patch status on those machines, and then, when missing patches are found, deploy them. A custom patch editor is also available that allows IT administrators to create and maintain custom patches on certain machines, enabling any program on the network to be patched. Offline Virtual Machine Patching Ensure offline virtual images are in a constant state of readiness to be deployed. IT administrators can verify that all physical, virtual, and offline machines have received specific critical patches and that all are protected. Agentless and Agent-based Solutions Meet the needs of diverse enterprise applications through a blend of agentless and agent-based operations that provide a highly configurable architecture. A flexible agent can easily be deployed when necessary while an agentless implementation can provide complete coverage and reduce management overhead sometimes related to deploying agents. Antivirus and Antispyware Deliver superior patching plus antivirus in a single agent for the same cost as a normal antivirus-only solution through the Sunbelt VIPRE Enterprise Antivirus and Antispyware engine. Physical and Virtual Asset Management Bring comprehensive asset discovery to any organization with a unique agent-based and agentless architecture. Discover physical and virtual machines previously unknown to be on the network and software previously unknown to be installed on those machines. This allows organizations to address every machine on the network, including servers, laptops, machines in the DMZ, and machines with bandwidth constraints. Cloud Agent Install patches from the cloud through a cloud agent that functions without ever connecting directly to the Shavlik Protect console. Agent policies are uploaded from the console to the cloud where they are available to be downloaded by the agents. Agent results are uploaded to the cloud and then downloaded to the Shavlik Protect console.

3 Simplicity ESG Lab Review: Shavlik Protect: Simplifying Patch, Threat, and Power Management 3 In this section of the review, ESG Lab validates the simplicity of using the patch management feature of Shavlik Protect. This includes scanning a machine group for assets and missing patches, reviewing the results, and deploying the missing patches. ESG Lab started at the home screen of Shavlik Protect. The home screen, shown in Figure 3, consisted of four sections that are required to complete a scan. In the top left, ESG Lab created a name for the operation. In the bottom left, ESG Lab selected the desired machine group where the operation would run. In the top right, ESG Lab defined the schedule. And in the bottom right, ESG Lab selected which operation to run, which was a Full Asset Scan. Figure 3. Shavlik Protect Home Page After hitting the Scan Now button, an operations monitor window appeared that automatically stepped through a process including logging on to each machine in the machine group using predefined credentials and scanning the machine registry to pull out all asset information. After completing the asset scan, ESG Lab ran an out-of-the-box Security Patch Scan on the same set of machines. This scan looked at security patches of all levels of criticality for all products found from the asset scan. A view of the operations monitor is shown in Figure 4. Figure 4. Shavlik Protect Operations Monitor

4 ESG Lab Review: Shavlik Protect: Simplifying Patch, Threat, and Power Management 4 Once the patch scan was completed, ESG Lab viewed a summary of the completed results, which broke down the results in a much more granular level. This interface is used to provide all the details to IT administrators so they can figure out which machines they should or shouldn t patch based on the needs of the system. From here, ESG Lab viewed how many patches were missing both collectively and individually for the group of machines. When all four machines were selected, ESG Lab saw that 84 patches were missing. Then by clicking on an individual machine, ESG Lab saw the patches that were missing for that particular machine with information like whether a patch can be uninstalled once it s already been installed or whether the patch has already been downloaded in a previous process. Finally, using the same interface, ESG Lab selected a missing patch and deployed it using an easy-to-follow deployment configuration window, which required information about a deployment time frame and reboot options. The patch deployment selection and deployment configuration windows are shown in Figure 5. Figure 5. Deploying a Patch As shown in Figure 6, ESG Lab followed along in Operations Monitor and was able to watch in real time as the patch was downloaded, verified, built to deploy, and deployed. By clicking the View in Tracker link, ESG Lab watched as the state of the deployment was executing on the selected machine. Figure 6. Shavlik Protect Deployment Tracker

5 ESG Lab Review: Shavlik Protect: Simplifying Patch, Threat, and Power Management 5 Why This Matters Organizations continue to struggle with patch management for physical and virtual machines within their networks. Though Microsoft has helped solve the problem for Windows users, keeping third-party applications up to date is still a complex task. Many organizations still rely heavily on manual processes that take time and fail to meet the needs of ever-growing data center requirements, which eventually can lead to operational inefficiency and security falling further behind. ESG Lab validated that Shavlik Protect simplified the patching of systems by providing a centralized patch management, asset inventory, and legacy physical system integrated solution. ESG Lab quickly scanned a group of agentless computers to identify their application assets, learned what patches were missing from those machines based on their assets, and successfully deployed a specific patch to an individual machine. The entire process was completed from a single interface and although a low-level of granularity was available, ESG Lab was impressed with the intuitiveness of every step. It was quite apparent to ESG Lab that with the level of simplicity offered from Shavlik Protect, IT professionals could radically reduce an organization s timeto-value from months to minutes. Manageability In this section of the review, ESG Lab validates the ease of management offered by Shavlik Protect. This includes the ability to easily manage a large number of unique physical and virtual machines, and meet the flexibility requirements of machines running a Shavlik agent. ESG Lab began this phase of testing by identifying a group of servers and creating a machine group. This process can be done in multiple ways, including specifying a machine name, scanning a domain, scanning Active Directory, or selecting a hosted virtual machine with correctly supplied credentials. ESG Lab quickly and easily grouped a large number of machines together with the same patch and security requirements into a single machine group. As shown in Figure 7, ESG Lab was able to select entire virtual environments with just a few mouse clicks. Figure 7. Creating a Machine Group

6 ESG Lab Review: Shavlik Protect: Simplifying Patch, Threat, and Power Management 6 After creating the large-encompassing machine group, ESG Lab created a custom template that could be used on that machine group. The template was assigned the name Show All Effectively Installed Patches. ESG Lab selected Scan All, which will scan all of the available products on each machine in the machine group for every security patch, security tool, and non-security patch at all levels of criticality. Alternately, the Shavlik software offers the flexibility to scan a machine for specific products and/or updates. This fine level of granularity was particularly impressive to ESG Lab. A view from the custom Patch Scan Template is shown in Figure 8. Figure 8. Custom Patch Scan Templates Next, ESG Lab learned about Shavlik s ability to control power management by scheduling shutdowns and wake ups of machines. Using standard magic packet technology, ESG Lab used the wake-up LAN tool, which automatically turns on a system when the command is issued. This feature is commonly used prior to patching or doing any other maintenance to a machine group in the middle of the night when workers aren t around. Similarly, ESG Lab also saw how to schedule shutdowns for a group of machines. The power management options are shown in Figure 9. Figure 9. Power Management

7 ESG Lab Review: Shavlik Protect: Simplifying Patch, Threat, and Power Management 7 Up to this point, ESG Lab had focused primarily on Shavlik s agentless technology. ESG Lab also tested Shavlik Protect with the use of an agent, which can provide some flexibility and meet the demands of a mobile workforce constantly on the go. Creating a template for systems running an agent, for example a laptop, gave the same level of granularity as the agentless interface. The only difference was a checkbox that allowed a scan to be run on boot if the scan schedule was missed. In other words, if a laptop is powered off in a bag somewhere, then the next time it boots, a scan will run. After learning how to create a machine group, configure custom scan templates, run scans, and patch agentless and agent-based machines. ESG Lab moved to the reporting aspect. After a particular scan was run on the large machine group, ESG Lab was able to customize and generate a report that can be used to help IT administrators understand what has been completed from the perspective of scanning and patching. A view of the report generation interface is showing in Figure 10. Figure 10. Custom Reporting Up to this point, ESG Lab had tested scenarios where Shavlik Protect users always had access to a corporate network, whether on premise behind a corporate firewall or off premise with access to the corporate network through a VPN. The final piece of testing looked at protecting machines that were off premise and unable to connect to the Shavlik Protect console within a corporate network. This scenario required the use of the new Shavlik Protect Cloud. With the Protect Cloud, as long as an agent machine has access to the internet, the machine will be able to get updates and send results using the cloud. First, ESG Lab registered a Shavlik Protect Console with the Protect Cloud service. From the main Shavlik Interface, ESG Lab navigated to the Operations interface and selected the Protect Cloud Sync tab, as shown in Figure 11. ESG Lab selected the proper credentials for the account and then clicked the Register this console button to register the console with the cloud. After the console was registered, existing agent policies could be edited to sync with the Protect Cloud. For already deployed agents that used the old agent policy, the next time they check in with the Shavlik Protect console they will receive the updated policy that allows them to use the Protect Cloud as a backup source for receiving policy updates and reporting information. For newly installed agents, the policy will immediately provide access to the Protect Cloud.

8 Figure 11. Protect Cloud ESG Lab Review: Shavlik Protect: Simplifying Patch, Threat, and Power Management 8 Why This Matters When it comes to the administration of patch management, many organizations rely heavily on manual processes for a multitude of critical tasks. This methodology is no longer adequate to meet data center scaling requirements, especially with the increased number of virtual environments, the globalization of data centers, and the growing mobile workforce. There is a clear necessity for increased automation and simplified monitoring and management to properly administer the complex IT system patch management process. ESG Lab confirmed that Shavlik Protect can easily meet the management and scalability requirements of an enterprise organization. Using Active Directory, ESG Lab quickly identified a group of machines with the same protection requirements, grouped them together, and created a custom scan template for the large machine group. Then ESG Lab witnessed the power management capabilities of Shavlik Protect by scheduling wake-up LAN requests to power on machines during non-work hours for patching and shutting down the machines when unused. After looking entirely at the agentless technology, ESG Lab learned about the solution s flexibility for the employees constantly on the go by configuring agent-based protection for a laptop the exact same way agentless technology was configured. ESG Lab also saw how the new Protect Cloud could easily be configured to maintain the protection and control needed for the off premise employees without access to the corporate network. Finally, everything was completed from a single interface, including configuration, monitoring, execution, and reporting, truly highlighting the manageability and flexibility of the solution.

9 The Bigger Truth ESG Lab Review: Shavlik Protect: Simplifying Patch, Threat, and Power Management 9 What is your organization doing in regards to patch management today? The most common response is Windows Update. Though Windows Update is freely available and comes standard in Windows environments, it manages Microsoft applications only. When it comes to patching third-party applications, IT end-users usually rely on either manual patching, automatic updates for individual applications, or in the worst case, nothing at all. This is unacceptable for applications that are being used on private corporate networks that require high levels of security. Every organization needs to have a plan for managing IT and at a high level, there are five main areas to concentrate on: a way to inventory all software and hardware assets, a way to enforce configurations and compliance across all of those assets, a way to protect those assets, a way to patch those assets, and a way to control the powering on and off of those assets based on their usage needs. Shavlik Protect addresses all of these concerns and more by helping to centrally manage and control diverse IT environments through an easy-to-use interface that provides value in minutes after install. ESG Lab validated that Shavlik Protect helped reduce the complexity of managing IT by easily meeting the needs of anysized organization. Through centralized management and agentless technology, ESG Lab quickly scanned an organizations physical and virtual assets within a machine group, identified all pieces of software, found missing patches, and deployed new patches. Using the operations monitor, ESG Lab followed along in real time as each stage of the process completed. To meet the scalability needs of a growing, mobile organization, ESG Lab learned how to create custom templates and larger machine groups using Active Directory. Then, using the power management capabilities of the software, ESG Lab was able to send wake-up LAN functions to machines that were turned off or shut down machines that were unnecessarily powered on. The flexibility of the solution was witnessed when seeing how an organization s mobile workforce could remain up to date and protected by using agent-based technology on a laptop that provided the same capabilities as the agentless technology. Whether accessing the Shavlik Protect console through VPN or leveraging the new Protect Cloud capabilities, off premise protection can be easily managed and monitored. Finally, ESG Lab saw how the automatic report generation was used to constantly manage what had been completed and on which machine group. Shavlik Protect can easily improve an organization s time-to-value from months to minutes. This is done by simplifying the most important systems management challenges in today s IT environments by enabling organizations to manage both physical and virtual machines, deploy software updates, discover assets, and ensure endpoint security. If your organization is looking for an IT system management solution, look no further than Shavlik Protect. All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at