WhitePaper: Security "Point" Solutions are Not a 4 Letter Word:

Transcription

1 Securty "Pont" Solutons are Not a 4 Letter Word: Why Purpose-Bult Solutons for Patch and Confguraton Management Contnue to be a Good Thng

2 Securty "Pont" Solutons are Not a 4 Letter Word: In recent years there has been a substantal amount of consoldaton n the IT securty ndustry. There were over 20 sgnfcant securty related acqustons n 2007 alone. Google acqured both Postn and Green Border, IBM bought Watchfre, HP bought SPI Dynamcs, Checkpont acqured Pontsec, Symantec snapped up Vontu, and there were plenty of others. Large vendors wth a healthy appette for acquston would have buyers of securty software beleve that ths consoldaton s a good thng; that bgger s better, that bult-n s tops, and that ndvdual best-of-breed pont products are a nusance to be avoded, a four letter word f you wll. Whle consoldaton can be a good thng, flyng the same corporate brand doesn t always equate to ntegraton or operatonal effcency. Patch management s a good example where an ndvdual pont soluton s not only desrable, but may be requred. Whle acquston-hungry vendors have tred to delver broader functonalty by addng patch management functon nto ther sutes, there wll always be a need for 3rd party patch management tools. There are a number of reasons why. Consoldaton of patch management functons s tough to do correctly. Sutes offered by the bg guys don't provde best-of-breed patch management capablty they lack patch content, patch-specfc targetng or patch reportng. Ths document s provded strctly as gude. provded or expected. The same stuaton exsts for securty confguraton management. Most sutes offer patch and confguraton management as part of a larger PC lfecycle management soluton. But these sutes lack the substance and depth to gve you confdence that your systems comply wth corporate securty polces or at least that you can prove your systems comply. There s certanly a case to be made for solutons that promse to streamlne complance costs and mprove your securty scorecard. But the false sense of securty that results from deployng a sute of ntegrated products can leave you wth msconfgured devces that expose data to explots and nternal msuse. Examples and sde effects of consoldaton gone wrong nclude a lack of any real ntegraton, slowng of patch management nnovaton and new releases, lack of flexblty, dmnshed focus on actual securty ssues, bg expensve bloatware when lghtweght focused solutons wll do better, and beng locked nto a specfc, nflexble, vendor specfc approach. Wth all of the consoldaton and nvestment n more expensve and larger systems, the end customers are not necessarly seeng any added value. Let s examne some of the ssues. Pag e 2

3 Securty "Pont" Solutons are Not a 4 Letter Word: Inherent bugs, weaknesses and securty vulnerabltes All operatng systems, applcatons, and even hardware have nherent bugs and weaknesses that can be exploted f operatng systems and applcatons are not patched or devces are msconfgured. That premse has exsted snce the begnnng of software development. It sn t gong to change anytme soon, at least not untl developers produce bug free code. Thrd party patch management products act as back up safety nets and address vulnerabltes that are bound to be present n larger systems. Whle securty vendors and technologes wll contnue to be acqured and mbedded wthn larger systems, new, best of breed patch management, confguraton management, and other securty solutons wll necessarly keep emergng to address the ongong and ever-changng securty threats. Bgger sn t always better In the wake of consoldaton, some acqurng vendors wll have you beleve that the best soluton s the one that covers the wdest range of IT tasks. Yes, breadth s mportant, but for confguraton and (especally for) patch management depth, completeness, and accuracy cannot be sacrfced for system wdth. A soluton that s a mle wde but only an nch deep won t provde the protecton needed by organzatons that are prme targets for attack. Ths document s provded strctly as gude. provded or expected. For nstance, vendors that prmarly provde network or systems management solutons are not really focused on securty, let alone the specfc aspect of patch or confguraton management. Securty s an afterthought or a checklst tem only. Whle they mght acqure varous patch management technologes and confguraton management tools and bolt them on top to gve the appearance of securty across a wde scope of applcatons, the companes themselves are focused on other thngs. Patch and confguraton management securty features from such vendors tend to langush and fall behnd. Most consoldated solutons lack real ntegraton It s very dffcult to correctly ntegrate multple technologes and products nto a cohesve soluton, or sute. Although there are exceptons, the ntegrated solutons offered by most vendors today are not really ntegrated at all. The features and technologes were developed by dfferent companes wth dfferng objectves, usng dfferent development teams, for dfferent threats. The varous packages have a myrad of dssmlar nterfaces and admnstraton styles. Pag e 3

4 Securty "Pont" Solutons are Not a 4 Letter Word: As any vendor who s attempted t wll testfy, t s ncredbly dffcult to take multple pont securty products and pece them together nto a cohesve whole wthout losng a substantal porton of the features and benefts. In those rare cases where a suppler wll actually spend the resources to properly ntegrate securty features such as patch management, t usually takes a number of years to pull t off. Unfortunately, by then new solutons are needed to meet the new and ever changng securty threats and the must be repeated. It s a vcous cycle to mantan and get rght. More often than not a number of dverse securty products are merely bundled together as a package. Ths knd of consoldaton hurts more than t helps. Need patch management depth & applcaton coverage Another crtcal ssue for patch management s depth and completeness of applcaton coverage. Mcrosoft s WSUS and any vendor s offerng that reles on the Wndows Update APIs only addresses Mcrosoft systems and applcatons. Unfortunately Mozlla Frefox, QuckTme, Adobe, Realplayer, to name just a few non-mcrosoft applcatons are realtes n most networks today. Whle custom scrpts can be created to help manage these non-mcrosoft applcatons, t s a very complcated task to do wthout the rght tools. To manage non-mcrosoft systems n a cost effectve manner requres a separate pont soluton lke Shavlk NetChk Protect. Ths document s provded strctly as gude. provded or expected. Lkewse, Mcrosoft WSUS and technologes that deploy agents can t easly manage systems that are offlne. Ths s a partcular challenge for large enterprses where at any gven moment there are potentally thousands of devces that are not connected to the network. Extraordnary steps must be taken to patch prevously offlne machnes as they go-onlne. Agan, t takes a best of breed pont product lke Shavlk NetChk Protect to effectvely admnster the patch management of offlne systems. Smple, sustanable patch and confguraton management are keys to success Another mportant consderaton regardng a sustanable patch and confguraton management soluton s the tme to mplement and manage large systems. A large scale Tvol, Openvew, or other large network management system can easly take 9 to 18 months to mplement, and several full tme admnstrators to keep t gong. Good pont products lke Shavlk NetChk Protect and Shavlk NetChk Complance Pag e 4

5 Securty "Pont" Solutons are Not a 4 Letter Word: on the other hand can be deployed and mantaned n a fracton of that tme, produces benefts mmedately, and requres mnmal staffng. Smplcty and ease of use means that you should be able to manage your envronment n ways that support your busness goals. Unless your patch management and confguraton management solutons are comprehensve yet smple enough to manage and sustan n a cost effectve manner, they are not servng your needs. Here are some mportant admnstraton ssues to consder when evaluatng patch management and confguraton management solutons: Ths document s provded strctly as gude. provded or expected. Smple, quck nstallaton and confguraton. Wth a reasonable knowledge of your network and ts assets, you should be able to complete the nstallaton and confguraton of a patch management or confguraton management soluton wthout havng to hre professonal servces from the vendor to be successful. If you cannot download, nstall, and perform the smplest assessment scannng a local machne n 30 mnutes, a red warnng flag should be rased. Polcy establshment and complance reportng. You must be able to easly establsh your patch management polces or confguraton baselne and assess how well you meet those polces. A contnuous, sustanable, ongong s the only way to prevent eroson of your securty status. Automated dscovery and assessment. The admnstraton nterface should dscover new systems on your network and quckly determne f the latest securty bulletns or vendor patches are needed and applcable for your organzaton. The soluton should also provde you wth an easy but effectve way to judge the prorty of vulnerabltes and devces that are out of complance. Quckly determne rsk level. The system should be able to quckly ascertan rsks and level of securty or conformty wth corporate polces for patch deployment and confguraton baselnes. Accuracy and trust. The rght soluton needs to provde an accurate assessment wthout dsplayng false postves or false negatves. It should also perform a deep assessment of patches to ensure accurate results, and t should be able to dentfy patches that have been reverted as well as understandng supersedence so t only dsplays what s needed. A soluton that can be fooled by ncomplete patch nstallatons or faulty regstry key settngs cannot be trusted. Pag e 5

6 Securty "Pont" Solutons are Not a 4 Letter Word: In depth reports. The user nterface and reports should provde real-tme ndcatons of the latest patch status. You should be able to quckly get a lst of top offendng machnes or machnes wth unauthorzed confguratons, applcatons, or out of date patches or software. Automated remedaton. Sustanable patch management and confguraton management must automate routne, mundane tasks such as remedaton and gve you vsblty nto how well those tasks have been accomplshed. Securty Focused. Is the soluton secure by default? Is all necessary traffc encrypted? Can the soluton be subverted by malcous users? The rght soluton needs to ensure that all senstve data s encrypted whle n transmsson. It also needs to employ multple securty checks to ensure the cannot be tampered wth. Defense n depth Another leadng reason for deployng purpose-bult pont solutons s to provde defense n depth. Deployng multple, varyng securty countermeasures has become standard practce for most hgh profle organzatons that are subject to specfc targeted attacks. Not only can 3rd party pont securty products provde backup defenses for other systems, they can be used to audt or valdate that systems are correctly confgured and that the securty s actually workng. Ths document s provded strctly as gude. provded or expected. Quck response tme to new securty threats s crucal Operatng systems and many applcatons that are so large and have such long development and release cycles that they can t possbly respond to the ever changng securty landscape. Snce IT securty threats are constantly emergng, often rapdly, t s not feasble for large systems such as operatng systems to respond to every new and emergng threat. Independent patch management and securty confguraton products that can emerge and adapt quckly must fll that role. Innovaton s drven by small, pont soluton provders Whle mature and unchangng patch and confguraton management features and technologes wll contnue to be acqured and mbedded wthn larger systems, new pont securty solutons wll keep emergng to address the ongong and ever changng securty threats. Most of the nnovaton n the IT securty ndustry comes from smaller companes such as Shavlk Technologes that are focused exclusvely on patch and vulnerablty management solutons. Pag e 6

7 Securty "Pont" Solutons are Not a 4 Letter Word: Securty developers who were acqured by larger IT companes ndcate that the larger IT focused organzatons see securty as merely a checklst tem that they can provde for ther customers. In that envronment nnovaton becomes an expense rather than an asset and therefore takes a back seat to other actvtes. Ths however s opposte for smaller companes who thrve only on nnovaton. They tend to lead wth nnovatve deas and products, contnuously brngng new pont patch management solutons to the marketplace. Fllng the gaps left by network management systems Pont products lke Shavlk NetChk Protect and Shavlk NetChk Complance fll the gaps left by other network management systems. Pont patch management products may not always replace other solutons lke Tvol, SMS, or WSUS, but they are great companon products, complementng and provdng mportant securty benefts otherwse not avalable. Ths document s provded strctly as gude. provded or expected. Whle products lke Tvol or Openvew do a lot to manage the patchng of crtcal systems, because they are not focused on securty they can t go as deep as pure pont securty products. For example, network management or operatng system products rarely f ever cover patch management needs for 100% of an organzaton s applcatons. There s almost always a percentage, typcally between 5 to 20 percent, of applcatons that don t get managed. Pont products address these areas. Don t get locked nto an nflexble, vendor specfc approach Relyng solely on a sngle, comprehensve PC lfecycle management soluton locks you nto an nflexble, vendor specfc approach. Effectve securty solutons requre a lot of flexblty. There are tmes when an agent-less soluton s best, just as there are stuatons where an agent-based soluton s the rght soluton. For maxmum flexblty, a combnaton of agent and agent-less archtecture allows you to protect servers, desktops, and laptops whether they are connected to a LAN, connected over VPN, or are on the Internet. You should also have the flexblty of scannng from ether a dstrbuted or from a centralzed source. Large enterprses wll frequently need to use both approaches n order to meet ther securty and management needs. Pag e 7

8 Securty "Pont" Solutons are Not a 4 Letter Word: Summary Whle the consoldaton trend wll contnue as redundant securty vendors combne and the more mature technologes get embedded wthn the general IT nfrastructure, t doesn t mean that a bgger, more expensve soluton s a better soluton. Wth all of the consoldaton and nvestment n more expensve and larger systems, the end customers are not necessarly seeng any added value as far as patch management s concerned. Unless consoldaton results n a more secure product, and one that s easer to admnster and sustan over the long haul, the consoldaton s of no beneft to end organzatons. Customers seekng qualty and complete solutons for ther patch management and confguraton management needs wll contnue to augment ther network management systems and operatng system tools wth 3rd party, best of breed pont products. In spte of how nce t would be for the operatng system or other large applcatons to handle all securty effcently and transparently, t cannot be. Thrd party pont securty products wll always be necessary, and to a sgnfcant extent. Ths document s provded strctly as gude. Not all pont securty products are four letter words. In your tme of need they just mght become your best frend. If you requred specalzed medcal care, you wouldn t want to rely on a generalst. You would want a certfed pont specalst who does nothng but focus on solvng the partcular threats to your health. The same holds true when t comes to patch management and securty confguraton management and protectng the health of your organzaton s nfrastructure. A pont soluton wll be your best opton. provded or expected. Pag e 8