I.T. can be a real ditch
if there’s a patching glitch.
Down in the trenches
amid all the stenches?
Time to make a switch.
Okay, I admit it. I love limericks. So much so that I’ve penned a few on the job about the world of I.T.
Take patch management for example. Even though patching and updating computers have been around for years, organizations of all sizes still struggle to patch systems effectively. Which provides some good grist to wax poetic.
Patching Is “Not a Solved Problem”
Whether computers are behind the firewall or remote, the challenge of patching the OS and applications in a timely fashion persists.
The US National Vulnerability Database, operated by the National Institute of Standards and Technology (NIST), says that as many as 86 percent of reported software vulnerabilities affect third-party applications, not operating systems. As IT environments become more heterogeneous, the vulnerabilities of third-party applications become larger threats to enterprise security and user productivity.
Whatever the mix of operating systems and applications in an environment, that environment needs protection from malefactors as well as from mistakes by legitimate users and system malfunctions.
At the October 2015 Gartner Symposium/ITxpo in Orlando, Florida, Marc van Zadelhoff, VP, IBM Security, presented on “Rethinking the Challenge of Security.” According to a Ponemon/IBM survey of some 200 customers who have been breached, “only 45 percent of the breaches are caused by malicious activities, and 55 percent are caused by mistakes, inadvertent errors [by legitimate users], or problems with systems—system glitches,” Zadelhoff said.
The challenges to delivering the protection IT environments and users need grow along with the heterogeneity of those environments. Perhaps the most pervasive example of the growth and evolution of that challenge is Microsoft’s Windows 10. With the release of that software, Microsoft replaced its traditional method of releasing patches and updates with a collective, “cumulative” approach. However, such an approach creates additional risk in some environments.
Controls Three and Four of the SANS “First Five”
Those who don’t possess effective methods for software updates open up serious vulnerabilities within their infrastructure.
In the John Pescatore-authored SANS white paper that you can download below, he writes that SANS has created a subset of the Center for Internet Security’s (CIS) Critical Security Controls, Version 6.0. This subset, known as the SANS “First Five”, delivers the highest payback in reducing risk from advanced targeted attacks:
- Software whitelisting
- Secure standard configurations
- Application security patching
- System security patching
- Minimization of administrative privileges
Let’s consider the third and fourth of the five controls, “Application security patching” and “System security patching,” and how the LANDESK and Shavlik family of solutions can help with continuous vulnerability assessment and remediation.
Application security patching
Patching operating systems is a common practice, but 86 percent of vulnerabilities attack third-party software not part of the OS. Shavlik® Patch™ for Microsoft System Center maximizes your organization’s investment in Microsoft System Center Configuration Manager (SCCM) to reduce security risks from unpatched non-Microsoft third-party applications. Shavlik delivers the latest software updates for hundreds of third-party apps, including Windows, Mac, and VMware.
Shavlik also offers several options to deliver software updates and ensure patch compliance, whether a system is on the network or air-gapped: agentless, agent-based, or cloud-based. It also performs hypervisor, offline virtual machine, and virtual template patching.
System security patching
LANDESK Security Suite scans for vulnerabilities that it can remediate with a patch and correlates its actions with vulnerability scanner output. Scan events are logged and can be audited. Vulnerability data is stored based on a first detection.
The LANDESK solution can also scan for vulnerabilities that it can remediate with a patch in authenticated mode with agents running locally. You can use a dedicated account. Role-based access controls ensure that only authorized employees have access.
Shavlik Empower is a cloud-based solution delivers patch management for and asset intelligence about Windows and Mac OS X devices. Empower sentinels scan for devices across your environment, then leverage Microsoft Active Directory to extract and map significant intelligence about your organization’s IT assets. Empower then deploys agents that enable comprehensive, flexible patching of Windows and Mac OS X systems, wherever they are. Shavlik Empower also produces reports that quickly highlight the status of your Windows and Mac devices, their third-party applications, and their patching profiles.
LANDESK assesses state and applies patches across the enterprise, allowing you to establish policies for when devices are patched, leveraging distribution technologies to reduce the impact on the network and disruption to the user. Rollout automation allows for an automated process from definition download through pilot and production rollout phases.
LANDESK uses multiple technologies to distribute patches quickly across the network. Integrated project rollout features can deploy patches at scale and at speed while optimizing bandwidth utilization and hardware resources. Risk rating is based on the vendor patch. Devices can be patched in and out of network.