ZENworks: Meeting the Top Requirements for Automated Patch Management

Transcription

1 Technical White Paper ZENworks ZENworks: Meeting the Top Requirements for Automated Patch Management Table of Contents page Simplifying Patch Management...2 Key Enterprise Patch and Vulnerability Management Requirements...2 Coverage...3 Architecture...3 Ease of Use and Flexibility...4 Discovery...4 Monitoring...5 Analysis...5 Testing...6 Intelligent Deployment...6 Reporting...6 A Proven Solution...7

2 Technical White Paper ZENworks: Meeting the Top Requirements for Automated Patch Management Simplifying Patch Management It happens five, ten, twenty times a month: a hardware or software vendor releases a patch (or a pack of patches) for a business-critical system. Getting these patches tested and installed has never been as important as it is today. Your organization relies on its information systems and has internal and regulatory pressures to keep those systems up to date and secure. When you quickly patch vulnerabilities, you reduce the risk of data being stolen or compromised, of appli cations being slowed or stopped and of a security breach harming your company s reputation or bottom line. But patch management is more complicated than ever. Your organization must determine which of its systems from multiple vendors are eligible for each patch, test the patches to ensure they don t create new problems, find and patch the most critical vulnerabilities first, and then report on the entire process to prove to auditors that the work was done. And, of course, this entire process must be completed as quickly and automatically as possible to minimize IT management costs. The requirements discussed in this white paper were distilled from SP and other resources to provide a comprehensive set of evaluation criteria for administrators seeking to ease their patch management burdens. This paper describes how Micro Focus ZENworks Patch Management meets and surpasses these specific requirements, allowing administrators to patch systems 13 times faster than industry standards and to save more than US$180,000 per year (in an organization with 1,000 computers). Key Enterprise Patch and Vulnerability Management Requirements An automated patch management solution is a significant IT investment, and you want to be sure you re getting top value for the price. A best-of-breed solution should meet these demanding requirements: Coverage. The solution should provide patch management for diverse operating systems and applications, as well as for custom in-house software. Architecture. The solution should be based on open architecture that uses agents to discover and deploy patches to all end points; that is flexible enough for deployment in both centralized and decentralized environments; and that can be customized and integrated with other security products. Ease of use and flexibility. The solution s management interface should be intuitive and easily navigable. It should be adaptable enough to meet the unique needs of an organization s distributed IT infrastructure and its unique policies and processes. Discovery. The solution should establish an inventory of all resources that might be susceptible to vulnerabilities and thus require patching. Monitoring. The solution should continually and accurately monitor patched systems to ensure they remain patched; it should issue alerts if they become unpatched due to restorations of older system images or reinstallation of software. Analysis. The solution should help prioritize patches by analyzing factors such as the severity of the vulnerability associated with the patch, the existence of any threats that exploit the vulnerability and the extent to which the patch has been tested. Testing. The solution vendor should provide install and uninstall scripts and other components needed to effectively deploy the patches and to test these packages before distributing them. Intelligent deployment. The solution should make it easier and less disruptive to deploy upgrades across very large, complex environments with options such as phased rollout, and by giving users control over when to reboot after an upgrade. Reporting. The solution should provide broad and flexible reporting for both operational and executive needs, such as the status of any given patch deployment and the identification of any weaknesses in the organization s patch and vulnerability management program. 2

3 Coverage Most organizations today run a diverse mix of applications, operating systems and net working devices, any of which can contain security vulnerabilities and thus become the target of hackers. In fact, the National Vulnerability Database found that 37 percent of threats target popular applications other than Microsoft s and that almost 50 percent of these are critical vulnerabilities. 1 In addi tion, many organizations run custom in-house software that must be updated and patched over its lifecycle. Without patch and vulnerability management for all of these platforms and applications, an organization will continually be at the mercy of new threats, unable to meet regulatory and internal security requirements. ZENworks Patch Management meets this requirement with the industry s largest repository of patches for all major operating systems and applications. This repository includes more than 10,000 multi-language patches for all major operating systems and more than 40 of the most common third-party applications such as Adobe Acrobat, Macromedia Flash, Internet Explorer, MSN Messenger, SharePoint, RealPlayer and more. We also support older operating systems and applications for protection of legacy end points. And, with the ZENworks Patch Management Patch Developers Kit, your organization can develop, test, deploy and monitor custom patch and remediation in your ZENworks Patch Management environment. An agent-based architecture to protect all end points, including laptops. Automated agent distribution to locate unmanaged network end points and deploy the patching agent to them, ensuring maximum coverage and protection. Support for standard communication protocols such as TCP/IP, HTTP and HTTPS. Highly scalable product architecture to ensure fast, complete coverage for even the largest worldwide networks. Efficient bandwidth utilization through optimization of network traffic with server- and client-side bandwidth throttling options and efficient network-bandwidth utilization. Secure content delivery via a 128-bit SSL-encrypted and VeriSign-trusted connection, along with RSA BSAFE encryption for best-of-breed data encryption 1 More than 10,000 multi-language patches and updates. Support for all major platforms, including Microsoft Windows OS, Microsoft 64-bit OS, Mac OS X, Mac on Intel, NetWare, HP-UX, IBM AIX, Sun Solaris, Red Hat Linux. More than 40 third-party application patches, including patches for Adobe Acrobat, Macromedia Flash, Internet Explorer, MSN Messenger, SharePoint, RealPlayer and more. The ZENworks Patch Management Patch Developers Kit, a security-patch creation tool that enables you to develop, test, deploy, and monitor custom patch and remediation in your ZENworks Patch Management environment. Support for legacy operating systems, including Windows 98, Windows NT and older versions of Sun Solaris. Older applications are supported as well, including older versions of Exchange Server and Microsoft Office. Architecture Organizations today are more geographically dispersed than ever before, with IT staffs supporting highly mobile workforces and both managed and unmanaged end points that might be spread across multiple time zones and continents. IT architectures are often highly complex, including both centralized and distributed architectures as well as existing security products to which a patch and vulnerability management solution must connect. ZENworks Patch Management is built on a scalable architecture that speeds and automates the patch management process. Automated agent distribution locates unmanaged network end points, including laptops, and then deploys patching agents to them. You can implement ZENworks Patch Management servers in either a centralized or distributed architecture to assure speedy deployment, even in widely dispersed and complex environments. By using the optional Micro Focus Distribution Point, you can cache patches on any network computer and then distribute them over low-bandwidth networks or connections to remote offices. Due to its open architecture, you can customize and integrate ZENworks Patch Management with other security products, such as third-party access control systems and leading commercial vulnerability-scanning products. 3

4 Technical White Paper ZENworks: Meeting the Top Requirements for Automated Patch Management Ease of Use and Flexibility Security patches are of limited use if you can t deploy them quickly, easily and in accordance with your company s unique security policies. A patch management solution that s easy to use will help accelerate the patch process and reduce security management costs. Flexibility in a patch management solution is also crucial so you can decide which patches are deployed to which systems, and when. ZENworks Patch Management accel erates patch management with an intuitive web-based interface and full flexibility in patch deployment, including extensive system grouping capabilities. Using the role-based administration feature, you can delegate activities with more than 45 individual access rights, improving your overall productivity while maintaining security. Integrated console and agent. Now use the same console and agent to manage more than just patching, including endpoint security, configuration management, asset management and more. Extensive grouping capabilities. Your organization can define patching policies with grouping based on a wide variety of system- or administrator-designated attributes for easy management. There is no limit to the number of groups in which a resource can be included. Role-based administration. You can delegate activities with more than 45 individual access rights to improvemanagement productivity while maintaining security. Flexible deployment options. Wizard-based multi-patch deployments, support for phased rollouts and deployment within narrow installation windows gives you control over deployment based on your organization s unique security policies. Policy-based administration. Ensures that all systems meet a mandatory baseline policy, automatically remediating end points that don t meet defined patch levels a key aspect of regulatory compliance. Inventory assessment. Automatic identification of and reporting on all software, hardware and services establishes an accurate inventory of all resources that might be susceptible to vulnerabilities. Discovery of applicable updates. Scan the devices on your network to determine exactly which systems need to be patched. Extensive grouping capabilities. Organizations can define patching policies using a wide variety of system- or administrator-designated attributes. There is no limit to the number of groups in which a resource can be included. Discovery As an administrator, you cannot patch systems and software if you don t know their names, their network locations and whether they actually require patching. You need a patch and vulnerability solution that is highly accurate in discovering and remediating unpatched end points. This discovery process is vital not only to eliminate vulnerabilities, but also to comply with regulations such as Sarbanes-Oxley, FISMA, HIPAA and the European Privacy Directive. ZENworks Patch Management addresses discovery needs with patented Digital Fingerprinting Technology. It provides a highly accurate patch and vulnerability process that includes automatic assessment, remediation and continuous monitoring to ensure all systems are protected against attacks. Extensive grouping capabilities allow administrators to define patch policies with automatic grouping based on a wide variety of system or administrator-designated attributes including criticality, location and function. You need a patch and vulnerability solution that is highly accurate in discovering and remediating unpatched end points. 4

5 Monitoring Over the course of a year, approximately 20 percent of all previously patched systems will become unpatched due to the installation of new patches, applications or system rebuilds that replace newer, secure components with older, insecure components. Without continuous monitoring, IT managers can have a false sense of security believing their systems to be effectively patched and compliant when they are not. The patented Digital Fingerprinting Technology in ZENworks Patch Management ensures that your organization s end points get patched and stay patched. It creates a Patch Fingerprint Profile that includes all software, hardware, drivers and existing and missing patches for your machines. ZENworks Patch Management then continually monitors all end points to ensure they stay patched. Policy-based administration allows you to establish a mandatory baseline; if end points do not meet these defined patch levels, ZENworks Patch Management automatically updates them with the patches they need to meet the baseline a key aspect of regulatory compliance. Automatic identification of patch prerequisites. ZENworks Patch Management automatically identifies which existing patches must be present to install new patches, as well as the order in which multiple patches should be installed. It then presents you with the applicable patches for review and action. Rapid verification of successful (and failed) installations. You will receive automatic alerts for failed installations, along with successful installation indicators that appear on the ZENworks Patch Management Administrative Console. This feature helps you perform proactive troubleshooting and management. Patch fingerprints. ZENworks Patch Management establishes a Patch Fingerprint Profile for each machine. The profile includes all of the machine s software, hardware, drivers, and existing and missing patches. ZENworks Patch Management then continually monitors each end point to ensure it remains patched. Policy-based administration. ZENworks Patch Management ensures that all systems meet a mandatory baseline policy, automatically updating end points that don t meet defined patch levels a key aspect of regulatory compliance. Patch compliance alerts. ZENworks Patch Management automatically notifies you via when a patch is removed or dropped (e.g., during the restoration of a system image or the installation of a new application). Analysis To maintain security without overrunning your budget, your IT staff must be able to quickly determine which patches affect which critical systems, the severity of the threat if the patch is not applied and whether the patch has been tested for both safety and effectiveness. For each patch it distributes, ZENworks Patch Management uses information about patch interdependency (which other patches must be present before a new patch can be installed) and patch precedence (the order in which patches must be installed). It then presents only the patches that need to be applied to each system. By reducing the need for manual analysis of such factors, ZENworks Patch Management helps you more quickly and easily prioritize patch deployments. You can minimize disruption to users and ensure patches are deployed in accordance with corporate and regulatory security policies. You can minimize disruption to users and ensure patches are deployed in accordance with corporate and regulatory security policies. 5

6 Technical White Paper ZENworks: Meeting the Top Requirements for Automated Patch Management Testing When a vendor releases a patch, it typically includes only the patch itself. But you also need a package or wrapper for each patch with information about applicable operating systems and languages, along with install and uninstall scripts. Before deployment, you also need to test this package to verify it works correctly. Because we provide and test such patch packages, 78 percent 2 of our customers spend less than one day testing patches before deployment. Our extensive quality assurance process ensures that each patch package is tested on all applicable operating systems and languages. Patch package development. We develop complete patch packages including install and uninstall scripts, patch fingerprints and patch applicability information. Patch quality assurance process. We spend hundreds of hours ensuring that each patch package is pre-tesed in all necessary environments, saving you valuable testing time. Patch pre-approval. We make it easy to deploy patches on a QA server before moving them to production servers for easy deployment management. Comprehensive reporting. Twenty-one standard reports document changes and demonstrate steady progress toward internal and external audit and compliance requirements. Intuitive web-based interface. Now it s easy to take control of your patch management and keep up to date on patching needs and results. Reporting Your organization not only needs to properly patch its systems, but it must also produce reports that prove its patching compliance in the event of an IT or regulatory audit. These reports, produced for both operations staff and management, must include the status on any given patch deployment and illuminate failures or exceptions that require troubleshooting. Such reporting is also critical to identify any weaknesses in your organization s ongoing vulnerability and patch management process, and to quantify the effort and results associated with the patch and vulnerability program. ZENworks Patch Management addresses a full range of both operational and management reporting needs with 21 standard reports. These reports document changes and demonstrate steady progress toward internal and external audit and compliance requirements. More reporting options are available via Micro Focus Enterprise Reporting, which provides additional options via an open data warehouse for powerful security reporting. 2 Customer Survey based on responses from 350 CIOs, CSOs, IT managers and network administrators worldwide. Industry average based on NIST. Intelligent Deployment Simply rolling out every available patch to every applicable system can cause chaos as users interrupt work to reboot their systems or call the helpdesk for assistance. To automatically distribute and install patches across dozens, hundreds, or even thousands of systems, a patch management and vulnerability solution must provide phased rollout, settings that allow users to control possibly disruptive actions such as system reboot and automatic verification of proper patch installation. Because ZENworks Patch Management provides these features, you can patch your systems many times faster than industry standards. 2 Wizard-based multi-patch deployments. You can use ZENworks Patch Management to deliver multiple patches to multiple computers in one distribution, thereby increasing IT productivity. Support for phased rollouts. You can define rollout groups from test to final deployment, controlling which patches are rolled out to which systems and when. Deployment within narrow installation windows. You can define patch deployment windows and give end users control over patch activities to minimize disruptions to their work. Automatic initiation of prerequisite activities. ZENworks Patch Management accurately defines patch precedence and interdependence to ensure only applicable patches are deployed to various systems. Rapid verification of successful (and failed) installations. You will receive automatic alerts for failed installations, along with successful installation indicators that appear on the ZENworks Patch Management Administrative Console. This feature helps you perform proactive troubleshooting and management. 6

7 A Proven Solution Faced with ever-increasing security requirements, your IT organization needs a better way to patch the many different hardware and software platforms that comprise your systems. As you evaluate and choose an auto mated vulnerability and patch management solution, it should meet key requirements, ranging from support for multivendor envi ronments to ease of use; from flexibility to ongoing systems monitoring; from an open architecture to robust testing and reporting capabilities. ZENworks Patch Management delivers industry-leading capabilities in each of these critical areas. Its patented Digital Fingerprinting Technology provides accurate discovery and ongoing monitoring of the patch state of vulnerable systems. Its flexible options for policy-based patch deployment give your organization the flexibility to work within its unique needs. And rigorous testing and quality assurance provides you with not only raw patches but also with the patch intelligence needed to quickly and efficiently patch even the largest and most complex environments. You can also rely on its comprehensive reporting capabilities to ensure your organization meets ongoing reporting and regulatory requirements. 3 Customer Survey based on responses from 350 CIOs, CSOs, IT managers and network administrators worldwide. Industry average based on NIST. Using ZENworks Patch Management, customers can patch their systems many times faster than industry standards4, with 78 percent spending less than one day testing patches before deployment. ZENworks Patch Management also provides an expected savings of more than US$180,000 per year over manual patch processes at an organization with 1,000 computers. It reduces the amount of administrative time spent on patching by 90 percent, from 4,447 hours to 393 hours. Given such improvements, it s little surprise that more than 90 percent of customers feel they are more secure now than they were a year ago. In a world in which software patching is more important and more complex than ever, your organization needs a solution that meets the top requirements for enterprise vulnerability and patch management. That solution is ZENworks Patch Management. About Micro Focus Since 1976, Micro Focus has helped more than 20,000 customers unlock the value of their business logic by creating enabling solutions that bridge the gap from well-established technologies to modern functionality. The two portfolios work to a single, clear vision to deliver innovative products supported by exceptional customer service. 7

8 Micro Focus UK Headquarters United Kingdom +44 (0) U.S. Headquarters Provo, Utah Additional contact information and office locations: N 08/ Micro Focus. All rights reserved. Micro Focus, the Micro Focus logo, NetWare, and ZENworks, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.