Practical Patch Compliance

Similar documents
7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

Cyber Hygiene: Uncool but necessary. Automate Endpoint Patching to Mitigate Security Risks

Paper. Delivering Strong Security in a Hyperconverged Data Center Environment

8 Must Have. Features for Risk-Based Vulnerability Management and More

IBM Internet Security Systems Proventia Management SiteProtector

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

IBM Proventia Management SiteProtector Sample Reports

McAfee epolicy Orchestrator

ZENworks: Meeting the Top Requirements for Automated Patch Management

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Endpoint Security. powered by HEAT Software. Patch and Remediation Best Practice Guide. Version 8.5 Update 2

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

Managing Patches Using SanerNow. 4.0 User Guide

Security Challenges: Integrating Apple Computers into Windows Environments

Comodo Certificate Manager

Data Sheet: Endpoint Security Symantec Network Access Control Starter Edition Simplified endpoint enforcement

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Symantec Network Access Control Starter Edition

SIEM: Five Requirements that Solve the Bigger Business Issues

Best Practices in Securing a Multicloud World

PATCH MANAGER AUTOMATED PATCHING OF MICROSOFT SERVERS AND 3RD-PARTY APPS

Industrial Defender ASM. for Automation Systems Management

Continuously Discover and Eliminate Security Risk in Production Apps

Transforming Security Part 2: From the Device to the Data Center

The 2017 State of Endpoint Security Risk

Six Sigma in the datacenter drives a zero-defects culture

Tips for Effective Patch Management. A Wanstor Guide

Survey Results: Virtual Insecurity

IBM Exam 00M-662 Security Systems Sales Mastery Test v2 Version: 7.1 [ Total Questions: 72 ]

Endpoint Security Can Be Much More Effective and Less Costly. Here s How

Realizing the Value of Standardized and Automated Database Management SOLUTION WHITE PAPER

Vulnerability Management

Micro Focus Desktop Containers

SMARTCRYPT CONTENTS POLICY MANAGEMENT DISCOVERY CLASSIFICATION DATA PROTECTION REPORTING COMPANIES USE SMARTCRYPT TO. Where does Smartcrypt Work?

2017 Trends in Security Metrics and Security Assurance Measurement Report A Survey of IT Security Professionals

Veritas Provisioning Manager

McAfee Complete Endpoint Threat Protection Advanced threat protection for sophisticated attacks

Novell ZENworks 7.2 Linux Management

Everything visible. Everything secure.

Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform

Xerox and Cisco Identity Services Engine (ISE) White Paper

Symantec Network Access Control Starter Edition

IBM Security Guardium Analyzer

TRIPWIRE VULNERABILITY RISK METRICS CONNECTING SECURITY TO THE BUSINESS

Providing a Rapid Response to Meltdown and Spectre for Hybrid IT. Industry: Computer Security and Operations Date: February 2018

ADVANCED THREAT HUNTING

Total Protection for Compliance: Unified IT Policy Auditing

IPLocks Vulnerability Assessment: A Database Assessment Solution

Windows 7 Deployment Key Milestones

CA Client Automation. Supported Content for CA Patch Manager and Supported Application Signature Content

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

Chapter 5: Vulnerability Analysis

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

Welcome to IBM Security Guardium Analyzer!

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

2 The IBM Data Governance Unified Process

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Symantec Network Access Control Starter Edition

OPEN SOURCE SECURITY ANALYSIS The State of Open Source Security in Commercial Applications

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

EMC Ionix IT Compliance Analyzer Application Edition

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

RSA IT Security Risk Management

THE STATE OF ENDPOINT PROTECTION & MANAGEMENT WHY SELF-HEALING IS THE NEW MANDATE

MOVE BEYOND GPO FOR NEXT-LEVEL PRIVILEGE MANAGEMENT

Defend Against the Unknown

Course 10747D: Administering System Center 2012 Configuration Manager Exam Code:

Evolved Backup and Recovery for the Enterprise

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Help Your Security Team Sleep at Night

Getting Hybrid IT Right. A Softchoice Guide to Hybrid Cloud Adoption

Sustainable Security Operations

ORACLE DATABASE LIFECYCLE MANAGEMENT PACK

Maximizing IT Security with Configuration Management WHITE PAPER

Vulnerability Management

10 FOCUS AREAS FOR BREACH PREVENTION

White Paper Server. Five Reasons for Choosing SUSE Manager

Archiving. Services. Optimize the management of information by defining a lifecycle strategy for data. Archiving. ediscovery. Data Loss Prevention

IBM Security. Endpoint Manager- BigFix. Daniel Joksch Security Sales IBM Corporation

ForeScout ControlFabric TM Architecture

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Portnox CORE. On-Premise. Technology Introduction AT A GLANCE. Solution Overview

INTELLIGENCE DRIVEN GRC FOR SECURITY

A CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Ensure Virtualization Security and Improve Business Productivity with Kaspersky

the SWIFT Customer Security

SDN HAS ARRIVED, BUT NEEDS COMPLEMENTARY MANAGEMENT TOOLS

2016 Survey: A Pulse on Mobility in Healthcare

SYMANTEC DATA CENTER SECURITY

IBM Tivoli Monitoring (ITM) And AIX. Andre Metelo IBM SWG Competitive Project Office

7 Reasons to Worry About Your Current Archiving Strategy

McAfee Database Security

THE REAL ROOT CAUSES OF BREACHES. Security and IT Pros at Odds Over AppSec

Hyper-Converged Infrastructure: Providing New Opportunities for Improved Availability

Transcription:

Practical Patch Compliance Relieving IT Security Audit Pain, From the Data Center to the Desktop Microsoft s System Center Configuration Manager doesn t handle every aspect of Linux/UNIX and third-party application security. Here s how to augment and leverage SCCM to close the gaps. September 2015

If your organization is like most, you rely on Microsoft s System Center and its various modules to handle many aspects of security for your Windows servers and your Windows desktops. And if your enterprise is like the vast majority, you also have Linux/ UNIX boxes in your data center, plus a trove of third-party applications installed on your desktops popular software such as Oracle s Java and Adobe s Acrobat Reader and Flash. That presents a problem. Because SCCM was initially designed for Microsoft operating systems and applications, not for Linux/UNIX, Mac OS or third-party software potentially leaving holes in your server and endpoint security. It s especially an issue when it comes to IT security compliance and audits. SCCM administrators lack the visibility they need into Linux/UNIX and third-party software vulnerabilities, and they lack automated, integrated processes for patching those vulnerabilities. To close these gaps, organizations need to augment their SCCM security. The good news is that you can achieve that goal while leveraging your SCCM infrastructure, and do so without adding complexity to your security processes. Figure 1: Worldwide Server Shipment Revenue by Operating System, 2014 (% of total) Software Shortcomings Worldwide, Windows captures 46 percent of new server sales, while Linux now grabs 29 percent and UNIX has fallen to 14 percent, according to IDC. (See Figure 1.) Each operating system is favored in different environments, but it s safe to say that many data centers are a mix of Windows and Linux/UNIX. On the desktop front, Windows has dropped below 90 percent of market share, while Mac OS is at 8 percent and rising, report NetMarketShare and StatCounter. That means desktops are increasingly heterogeneous, as well. For desktop applications, about two-thirds of the top 50 are Microsoft products while one-third are from third-party providers such as Adobe, Google and Oracle. In 2014, those applications had 1,348 vulnerabilities, three-quarters of which were highly or extremely critical. But only 23 percent of those vulnerabilities were attributable to Microsoft products. The 16 most popular thirty-party applications were responsible for 77 percent of endpoint vulnerabilities. (See Figure 2.) It s no wonder two-thirds of organizations identify thirdparty applications as their greatest IT security risk, according to Ponemon. (See Figure 3.) Figure 2: Top 50 Endpoint Applications and Their Vulnerabilities Other IBM 3% z/os 6% UNIX 12% 80% 70% 60% 68% 77% Windows 48% 50% 40% Linux 31% 30% 32% 20% 23% 10% Microsoft Windows still captures nearly half the server market revenue, but with Linux gaining market share, data centers are increasingly heterogeneous. Source: IDC, Worldwide Quarterly Server Tracker (Mar-2015) 0 Microsoft Products Proportion of Top 50 Third-Party Applications Proportion of Vulnerabilities While only 16 of the top 50 desktop applications are from third-party vendors, they represent 1,036, or 77 percent, of vulnerabilities reported in 2014. Source: Secunia, Vulnerability Review 2015 (Mar-2015) 2015 HEAT software. All Rights Reserved. PG 2

SCCM is optimized to help manage and secure a Windows environment, with a focus on vulnerabilities in Microsoft products. It also offers limited visibility into Linux/UNIX servers and Mac desktops. But it doesn t include comprehensive patch management capabilities to effectively manage those machines. Likewise, Microsoft offers a free tool to help security managers create software updates for third-party applications, such as Java and Adobe, running on Windows desktops. But those updates are labor-intensive and time-consuming for IT administrators to build and deploy. Configuration Manager Multiplies That hasn t kept SCCM from growing in use. In part that s because Microsoft includes SCCM with many of the Windows Server licenses it sells. In fact, it s safe to say that a majority of large enterprises use SCCM to manage their Windows desktops. And increasingly, IT and security pros at smaller companies are being pressured to use SCCM, because in many cases they have an SCCM license with their Windows license, and management perceives that they ve already paid for it. So a growing number of organizations are relying on SCCM, but the product isn t effectively managing vulnerabilities in all the software on all the servers and desktops in their environments. That s especially a problem for regulatory and policy compliance and audits, for a couple of reasons. First, in many organizations the Security function is responsible for vulnerability audits. They run regular scans to identify vulnerabilities in the environment that need to be addressed in order to remain in compliance and pass the audit. They hand off the results of their scans to the Operations team for remediation. Operations then has to figure out which patches will address which vulnerabilities using SCCM, a tool not designed to patch Linux/UNIX boxes and third-party applications. Second, the SCCM administrator has to query Mac desktops and pull reports from various sources such as Linux/UNIX administrators. The SCCM administrator also has to tell the Linux/UNIX administrator to patch whatever vulnerabilities turn up. That requires coordination among functions that can often be siloed. It wouldn t be at all unusual for a Linux/UNIX admin to simply inform the SCCM admin that the Linux/UNIX machines are mission-critical and updated quarterly leaving the SCCM admin to only hope vulnerabilities are being addressed, with no way of proving compliance. Figure 3: Top 5 Security Risks Mobile devices 80% Third-party applications 69% Remote employees 42% Negligent employees 41% PCs / laptops 38% 0% 10% 20% 30% 40%5 0% 60% 70% 80% 90% Over two-thirds of organizations rank third-party application vulnerabilities among their top IT security risks. Source: Ponemon, State of the Endpoint (Jan-2015) A true enterprise-class solution will shine where compliance, security, and low IT burden and costs are needed, 2015 HEAT software. All Rights Reserved. PG 3

Extending System Center Configuration Manager Fortunately, solutions are available that extend SCCM to address more than just Microsoft operating system and application vulnerabilities. The key is to deploy solutions that: Leverage your existing investment in SCCM Let you deploy software updates as necessary through SCCM Enable patch reporting so you can prove compliance Cover Linux/UNIX, Mac OS and third-party desktop software Leveraging existing investments IT security is already complex enough. You don t want to add to your security infrastructure, processes and investment if you don t have to. So wherever possible, you should deploy a solution that leverages your SCCM infrastructure, extending native SCCM capabilities to Linux/UNIX servers, Mac desktops and third-party applications. Look for a solution that uses the SCCM console, so you have a single pane of glass for patch management on both Windows and Linux/UNIX servers.likewise, the solution should leverage native functionality in SCCM wherever possible to minimize the number of agents on your endpoints. Better Than Free: Beyond Adobe SCUP Free software tools that help IT and security administrators are always welcome. But often you get what you pay for, and sometimes it makes more sense to invest in something that s better than free. A case in point is the Adobe SCUP catalog. Microsoft s System Center Updates Publisher, or SCUP, is an application that lets administrators import software updates from third-party vendors and publish them to an update server. The Adobe SCUP catalog is a free resource that covers Acrobat, Reader and Flash player. Those are highly popular applications that are frequent targets for attacks. But merely patching those applications will get you only so far. Effective patch management for Adobe software requires much greater depth and breadth of capabilities. Look for an enterpriseclass patch management solution that: Supports Adobe products commonly used in enterprises, such as Reader, Acrobat, Flash Player (standard and extended support release), AIR, Illustrator, InDesign, Photoshop,RoboHelp and Shockwave Player Includes CVE metadata for security bulletins to give you insights into vulnerability risks Checks for file-based applicability in addition to Registry Key detections for better accuracy Validates both file-based install and Registry Key settings Checks for both 32-bit and 64-bit architectures Provides version control, with the actual binary version documented in the update title Includes superseded updates information when the update replaces older application versions Doesn t expire older versions of applications Provides bundles to simplify publishing, deployment and reporting 2015 HEAT software. All Rights Reserved. PG 4

Such a solution should integrate with your existing SCCM workflow without requiring plug-in or software maintenance, applying a broad content catalog and prepackaged updates. By taking advantage of your established workflow and not adding management overhead, the solution can provide IT operations with a streamlined process to ensure compliance and provide IT security with a faster path to compliance. Deploying software updates Packaging update content manually and importing it to desktops can take hours for each vulnerability. You need prepackaged content you can deploy directly through your SCCM console, taking advantage of existing automation. That will save you tremendous time and effort in patch management. It will also give you much more confidence that you ve deployed patches successfully and actually achieved patch compliance. Get the greatest coverage possible to reduce your overall attack surface Benefiting from prepackaged patch content and existing patch automation can also help you support business operations. On the server side, Linux/UNIX servers are typically mission-critical, highavailability machines, with a narrow patch window of only a few hours every few months. On the desktop side, reboots during business hours can have a significant impact on employee productivity. For managing Windows machines, look for a solution that uses only native SCCM tools to give you total control when deciding which patches to deploy on which systems. The solution should cover the more prevalent and targeted applications on enterprise desktops, and should provide deep coverage for enterprise software from vendors such as Adobe, Citrix and VMware. It should also automatically identify and patch enterprise versions of third-party applications, such as Mozilla Firefox ESR, Chrome for Business and Adobe Flash Player ESR, as well as consumer versions if desired. Likewise, the solution should ensure access to version-specific applications, not just the latest version, to avoid unintended consequences when vendors make application changes (e.g., Java). The goal is to achieve the greatest coverage and control possible, so you can eliminate known vulnerabilities and reduce your overall attack surface. hardware and software inventory of Linux/UNIX machines is no substitute for a patch-compliance report. So, an effective enterpriseclass patch management solution should provide extensions to SCCM to enable reporting on patch compliance. Smart Patching: Getting It Right the First Time and Every Time As third-party application vendors uncover vulnerabilities in their products, they issue patches. But many of these software updates amount to little more than, Here s some code; now go secure your endpoints. Likewise, there s no consistency in how these application vendors build their update installers. Does the installer support quiet install, with no user interaction? Does it check whether the application is running before trying to install? Does is set the application to auto-update after the install? Each vendor approaches each aspect of patching differently. As a result, administrators are burdened with inconsistent, inefficient patch detection and deployment, plus uncertainty around their overall security profile. So they spend extra time validating that a patch installation was successful or, worse yet, rebuilding and repeating the process multiple times. To solve these problem, you need an enterprise-class patch management solution that normalizes the installation experience across all supported third-party applications. Such a solution should leverage your existing SCCM environment while providing detailed information about the specific application being patched. The goal should be to ensure greater first-time success of patch installation, as well as confirmation that the patch has remediated the vulnerability. Enabling patch reporting While SCCM provides a client that you can use to deploy a script to patch Linux/UNIX machines, it offers no reporting on what was deployed or whether the machines are patch-compliant. And a simple 2015 HEAT software. All Rights Reserved. PG 5

For operating systems, you want to report on patch compliance for Linux/UNIX servers as well as Mac desktops. For desktop applications, you want to report on both Microsoft and third-party applications on Windows machines. In both cases, your patch solution should include Common Vulnerabilities and Exposures (CVE) metadata for security bulletins to give your insights into vulnerability risks. It should also leverage SQL Server Reporting Services, the native reporting engine in SCCM, to deliver your reports expanding your reporting capabilities without adding complexity to the process. The goal is to always have visibility into the status of patch compliance on your servers and desktops across your network. That way, when the auditors or management comes looking for proof of patch compliance, you have the answers at your fingertips. Covering the data center to the desktop Clearly, it s not enough to only address Microsoft vulnerabilities. You need to be assessing, patching and reporting on Linux/UNIX servers, Mac desktops and third-party applications. It s especially important to address popular applications, such as Oracle s Java and Adobe s Reader and Flash, that are known to be frequently exploited by attackers. Likewise, the CIO needs to have confidence in effective patch management and clear, consistent reporting from the data center to the desktop. Whether your organization has one admin or many admins, whether administration is divided between data center admins and desktop admins, the CIO needs a single, consistent view. Look for a solution that provides the in-depth security information and metadata you need to comply with patching policy, including: CVE metadata for all security bulletins Vendor security identifier information Security update severity level, such as critical Vendor release date Only that level of detail can give you the context you need to understand the risks posed by vulnerabilities. Armed with that information, you can prioritize patch deployments to reflect your security policy. You avoid vulnerability blind spots and gain greater visibility into patch compliance. Less Vulnerable, More Compliant Ultimately, your augmented SCCM should enable a life-cycle approach to patch management. (See Figure 4.) That will position you to discover, assess, prioritize, remediate and report on your security profile, from data center to desktop: Discover Gain complete visibility of your heterogeneous network environment. Leverage native capabilities in SCCM to proactively discover all your IT assets through in-depth scans and flexible grouping and classification. Assess Identify known issues before they can be exploited. Perform a deep analysis of operating systems, applications, and security configurations. Prioritize Understand and focus on the security risks that threaten your most mission-critical data and operations. Remediate Automatically deploy patches to your entire network. Continuously monitor, detect and remediate policy-driven environments across all major platforms and applications. Report Leverage a full range of operational and management reports that consolidate discovery, assessment and remediation data on a single management console. Figure 4: Patch Management Lifecycle Report 5 Remediate The benefits of patch solutions that extend SCCM to Linux/UNIX servers, Mac desktops and third-party applications are manifold. For starters, you save time, effort and cost by leveraging SCCM, the system of record you re already using. You spend less time deploying patches and rebuilding failed patches, freeing up time for more strategic activities and ultimately lowering total cost of ownership. That s especially important at a time when IT departments are being asked to do more with less. Ultimately, you relieve the pain of patch management and especially security audits and compliance. More important, you strengthen your security posture across the network. Organizations will continue to rely on Microsoft s System Center Configuration Manager. And to Microsoft s credit, the company continues to enhance the offering with new features. But enterprises will recognize SCCM s limitations and take steps to augment its functionality with capabilities that extend its effectiveness and close clear security gaps. The rewards include simplified IT and security processes, fewer software vulnerabilities, and a stronger security profile, from data center to desktop. 1 4 3 Discover 2 Prioritize Assess Augmented SCCM should enable a life-cycle approach to patch management. 2015 HEAT software. All Rights Reserved. PG 6

HEAT Software USA Inc. 490 N. McCarthy Blvd. Milpitas, CA 95035 USA P. +1 800.776.7889 or +1 408.601.2800 2015 HEAT software. All Rights Reserved. PG 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback