Tackling Third-Party Application Vulnerabilities in the Enterprise

Transcription

1 WhitePaper Tackling Third-Party Application Vulnerabilities in the Enterprise Shavlik th Street NW, Suite 200, New Brighton, MN

2 Introduction Recent security trends have highlighted the importance of effective enterprise application patch management. Five years ago enterprise security was mostly about widespread malware attacks perpetrated by mischievous young hackers out for notoriety. Today enterprises are threatened by much more insidious, targeted Advanced Persistent Threats (APT s) that infiltrate their networks secretly for months or years in order to steal highly valuable customer or proprietary information. Instead of teenagers out for a good time, today s attackers are often far more sophisticated organized crime organizations and government or terrorist sponsored hackers out for monetary reward and their sponsors competitive or national advantage. Past malware attacks could be stopped with basic antivirus and operating system updates. Today many organizations employ zero-day techniques that target application vulnerabilities rather than operating system vulnerabilities, knowing that many enterprises lack strategies and proper tools to inventory and patch all their applications regularly. A look at recent statistics in the National Vulnerability Database (NVD) reveals 4,347 new security vulnerabilities reported in 2012, up from 3,532 in 2011, with 86 percent found in third-party applications and only 10 percent in operating systems. The top targeted applications in 2012, according to the report, were Mozilla FireFox and ThunderBird. Other browsers such as Google Chrome and Apple s Safari were popular targets as well as Adobe Reader and Flash. Florian, Christian, Report: The Most Vulnerable Operating Systems and Applications in 2012; TalkTechtoMe blog; February 5, 2013 Similarly, Qualys s top 10 internal enterprise vulnerabilities for February 2013 included Adobe Flash Player, AIR, Acrobat and Acrobat Reader, and Oracle Java SE. Many of these applications are the targets of the infamous spearphishing attacks that kick off APT s in scores of enterprises and government agencies. Top 10 Vulnerabilities February 2013; Qualys, Inc., Past attacks were principally nuisances that caused outages and lost productivity. Today s can be highly damaging or even fatal to a company s reputation, competitive advantage, and revenues. Some attacks have even threatened critical infrastructure and other elements of national security. The list of organizations targeted successfully by sophisticated APT s grows every year and includes well-known companies such as Sony, Adobe, and Target, and even security vendors such as RSA and security-conscious defense contractors and government agencies. Despite the shift to zero-day attacks and thirdparty application exploits, many enterprises remain unaware of the hazards of third-party application vulnerabilities. Instead, they continue to focus on operating system updates provided by Microsoft and other OS vendors. Typically it takes major organizations on average twice as long to patch vulnerabilities on the client-side as compared with patching OS vulnerabilities. In other instances, hackers continue to take advantage successfully of application vulnerabilities that were discovered and potentially patched as long as five or more years ago. Many organizations simply find it too difficult to track every single application on their servers and users devices along with the constant flood of new application vulnerabilities and updates. Even if they could they lack the resources and tools to deploy these security patches quickly and effectively. Many rely on tools such as Microsoft System Center Configuration Manager, which work well for operating system updates but are difficult and unwieldy to configure for successful application security patch distribution. Instead many organizations rely on their endpoint and server anti-malware solutions to cover application vulnerabilities, as well as tools such as application firewalls and intrusion prevention solutions. Unfortunately many of these solutions are not as effective as they once were. Most rely on malware signatures, which are rendered ineffective by today s prevalent zero-day attacks. That s why reinforcing application defenses is more important than ever before. PAGE 2

3 A Layered Approach Preventing application-level attacks requires an integrated, layered approach that combines comprehensive application patch management with careful application and operating system configuration management and anti-malware capabilities, all working together to thwart new attacks as they surface. The SANS Institute has placed particular emphasis on application and operating system configuration management, ranking Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Critical Control 3 of its 20 Critical Security Controls. SANS points out that hackers often target networks with software configured in its insecure default configuration and suggests that measures such as the removal of unnecessary services and accounts, limiting of administrative privileges, careful change management and control, and regular file integrity checking should be employed to prevent attacks, not to mention regular operating system and application patch management. Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, SANS Institute, Virtualization As if the security landscape in the physical world weren t complicated enough, the trend towards server and storage virtualization in the enterprise has made security management even more complex and unwieldy. Before virtualization became widespread, the requesting, procuring, installing, and configuring of new servers was a highly visible process and workflow that took days, weeks, or even months and almost inevitably came to the attention of IT and security teams. It wasn t unusual for most organizations to employ a single physical server or even multiple physical servers for each application. With such a lengthy timeline it was relatively easy, at least compared to today, for IT to control and maintain the secure configuration of servers, operating systems, and applications. In the current environment of widespread server virtualization, configuring a new server together with operating systems and applications can take just a few hours or even minutes, and generally doesn t require the purchase, installation, or configuration of new hardware. Since old procurement and configuration processes have broken down in the virtual world, new servers are often deployed without the necessary coordination of IT security. This is unfortunate since virtual machines are just as vulnerable to scanning, compromise, infection, and hacking as their physical counterparts. There s also the problem of virtual sprawl. Many organizations today find themselves with hundreds or thousands more virtual servers than the physical servers they once had. It s not uncommon for tens or even hundreds of virtual machines to sit unused on a physical server for months. In some cases organizations have been known to set up multiple virtual instances of the same applications without even realizing it. Scores of rogue virtual machines deployed without IT knowledge then remain undetected for months. Each and every virtual machine requires the same security measures, including anti-malware protection and patch and configuration management as its physical counterpart. However, IT departments have been hard pressed to ensure such best practices are actually followed and maintained across the constant flood of new virtual machines deployed by various departments. In many cases the virtual machine templates they ve configured to maintain security are either out of date or not used consistently. In other cases IT departments are under the illusion that protecting the virtual hypervisor is sufficient and each of the virtual machines operating under the hypervisor can run without the same protection as their physical counterparts. Security vendors have also been playing catch-up, spending the past several years creating and refining products for the specific requirements of the virtual environment. Patch management in particular has been a difficult issue in today s mixed physical, virtual, and cloudenabled environments. Many organizations have PAGE 3

4 felt forced to deploy completely separate tools to patch physical and virtual servers and their operating systems and applications, requiring a lot of unnecessary extra time and resources, not to mention the increased risk of human error and missed applications. Others haven t yet devised a comprehensive patching strategy and set of tools for the virtual environment and treat it as an afterthought, leaving them vulnerable without the usual best security practices and tools. Another security issue has been the prevalence of virtual machines that sit off-line for long periods of time, only intended to be used when peak demand requires them, such as during a special sale in an online retail environment. If and when they are activated, they are often far behind in operating system and application patches. The result of widespread virtualization is hundreds or even thousands of potential targets in the virtual enterprise that hackers can exploit for entry into the network. Power Savings and Sustainability In light of tighter IT budgets, higher energy costs, and organizations seeking to raise their public profile with sustainability and carbon footprint reduction initiatives, new attention has been focused on power management. Since virtualization slashes the number of physical servers requiring power and cooling, the technology has been an essential component of power reduction strategies. However, organizations have found that significant additional power savings can also come simply from shutting off unused printers, copiers, monitors, workstations, and servers overnight. For example, the U.S. Department of Energy found it could save more than $16 million annually by shutting down 5,000 systems every night at its Washington D.C. headquarters and has since expanded the practice to most of its other facilities. A major computer manufacturer was similarly able to reduce its energy costs by 40 percent or $1.8 million annually. Building a Coalition for Computer Power Management How the Department of Energy Saved $16 Million in Electricity, Energy Star, U.S. Environment Protection Agency; downloads/us_doe_success_story.pdf At one time there were concerns that shutting down and starting up PCs and other devices could cause them to fail earlier. However today s robust systems are far more likely to become obsolete years before the small surges they experience on startup cause them to fail. And it has been found that fans and hard drives left on 24 hours a day have a higher potential for failure, so shutting down systems every night may actually enhance their lifespan. The security implications of systems shut down at night are mixed. On the one hand they are no longer targets for malware and other vulnerability exploits and so shutting them down can enhance the security profile of the organization. On the other hand, however, the same systems may be overlooked when IT applies operating system and application patches during the night. The best, most secure application patch management solution would be one that employs Wake On LAN capability, which, when built into the system motherboard, allows a system to be turned on and shut down over the network via management software. An effective use of Wake On LAN would allow users to shut down their systems every night while enabling management tools to fire them up temporarily when it s time to apply new application security patches and then shut them down for the rest of the night. The Shavlik Solution To protect themselves from today s application-level attacks, enterprises require solutions that can take on the most current, evolving enterprise trends of application-level threats, virtualization, and power management. They must be able to: PAGE 4

5 Discover and track enterprise hardware and associated virtual and application assets throughout their lifecycle, whether installed on physical or virtual machines and whether active or temporarily inactive. All of this information should be easily available and visible in a single console. Keep up with the constant onslaught of security patches across thousands of applications. In order to do so the patch management solution vendor must bring extensive third-party application expertise to the table. Users should not be required to do a lot of complex configuration to apply each patch. Apply application security patches immediately when they become available across thousands of physical and virtual systems and templates throughout the enterprise, whether they are on or turned off. That way when dormant virtual systems are activated they are completely up to date with the latest application patches. Integrate tightly with antivirus and operating system patch management, forming an effective, coordinated defense against application threats. Shavlik offers two solutions for enterprise application patch management: Shavlik Protect and Shavlik Patch for Microsoft System Center. Shavlik Protect is a complete enterprise application vulnerability protection solution combining bestin-class patch management with comprehensive hardware and software asset inventory and tracking, power management, and integrated antivirus protection. Discussions about which browser is most secure do not make much sense; they all have new security vulnerabilities. A safe Web browser is one that is used by only a few people and therefore is not popular enough to get attention from hackers. However, on such a browser, many sites will not work simply because most developers test their sites on the most popular browsers. Combined Physical and Virtual Asset Inventory Shavlik Protect provides a single solution for inventorying and tracking hardware and applications on both physical and virtual machines throughout the enterprise, including virtual hypervisors. Its agentless approach enables dynamic discovery and cataloging of all physical and virtual assets, including those IT never knew existed, allowing IT to close all the application security gaps and blind spots it once had. IT then has comprehensive hardware and software information in a single location, so it can make quick, informed decisions not only about security but server capacity. Fast Application Patching Shavlik s agentless approach makes it easy to deploy Shavlik Protect immediately across new virtual machines as they are added to physical servers and the network since there is no need to install and configure an agent on each new virtual machine. An agentless approach also saves management time, resources, and expense since IT doesn t have to take the time to deploy each agent. Offline Coverage Shavlik Protect is also unique in the industry in that it can discover, inventory, and patch ALL virtual machines and templates, in addition to physical servers, regardless of their power state and whether they are on or off-line. This brings security and peace of mind as IT can be certain that ALL servers, their virtual machines, and applications have been discovered and are completely up to date with application and operating system security patches. Further, virtual machines can remain off the network while they are being patched, so they are not exposed to the vulnerability they are being patched for. When offline virtual machines come online, IT can rest assured that they are secure and meet corporate policies. With the Shavlik virtual redundant servers capability, organizations can even patch an offline standby server and then bring it online as a production server, PAGE 5

6 avoiding the service interruptions involved with necessary server reboots after patches are applied. Its virtual machine snapshot capability allows easy rollback of virtual machines if there are deployment issues. Third-Party Application Expertise Unlike with competing patch management solutions, Shavlik Protect and Shavlik Patch don t require enterprises require enterprises to do any heavy lifting to configure and deploy new application patches. Shavlik s own Patch Patrol harnesses years of application patch experience and expertise to do all the patch research and creation and maintains an extensive, up-to-date catalog of third-party application patches. Shavlik Protect also enables enterprises to create custom patches where necessary. With its new cloud agent feature, Shavlik Protect even allows enterprises to protect Windows PCs of those mobile users who roam frequently outside the corporate network. Integrated Anti-Malware Protection In addition to comprehensive asset inventory and application patching, Shavlik Protect adds comprehensive anti-malware capabilities, powered by the award-winning VIPRE antivirus and anti-spyware engine from ThreatTrack Security, Inc. The VIPRE engine moves beyond traditional signature- and rules-based detection, using heuristics and real-time, secure behavior analysis of new threats, which it fools into thinking they ve taken over Windows in order to analyze their behavior. The engine has a lightweight design that ensures it won t bog down system performance. Wake On LAN Wake On LAN capability allows organizations to power off systems during the night, allowing Shavlik Protect to power them on temporarily as necessary for application security patch updates, then power them down for continued savings in power and cooling. Shavlik Patch for Microsoft System Center Similar to Shavlik Protect, Shavlik Patch for Microsoft System Center features application patch management capabilities, but they are built to integrate tightly with Microsoft SCCM. This allows SCCM-empowered organizations to extend their patching capabilities with Shavlik s comprehensive, easy-to-deploy application patch management. With Shavlik Patch for Microsoft System Center, enterprises have protection beyond Microsoft operating systems and applications without having to deal with SCCM s cumbersome third-party application patch configuration and deployment. Shavlik updates are completely synchronized with those of SCCM to realize a single operating system and Microsoft and non-microsoft application patch management workflow and reporting capability. Microsoft SCCM users get the benefit of the same Shavlik application patching expertise and cataloging as their Shavlik Protect counterparts. Shavlik Patch is fully integrated into the Microsoft SCCM solution and leverages Shavlik s singular content to deliver a complete patch management solution for third-party software. Conclusion To protect themselves from today s nefarious advanced persistent threats, enterprises and government agencies need an effective, comprehensive strategy to protect targeted thirdparty applications in addition to operating systems on all their systems physical and virtual. Shavlik tools enable organizations to build and deploy such a strategy, helping to protect today s enterprises form insidious advanced persistent threats. Contact Information To contact a product representative, please sales@shavlik.com Copyright Shavlik Inc. All rights reserved. This product is protected by copyright and intellectual property laws in the United States and other countries as well as by international treaties. SHV /14 BB/RP PAGE 6