Secunia Corporate Software Inspector

Transcription

1 Reference Code: TA001957SEC Publication Date: August 2010 Author: Karthik Balakrishnan and Andy Kellett TECHNOLOGY AUDIT Secunia Corporate Software Inspector Secunia SUMMARY IMPACT The growing range of software and application threats and the need to adhere to regulatory controls has caused the volume of patches and software updates to increase. Organizations need to have software protection controls as part of their risk-management strategy. Facilities should include automated vulnerability detection and patch-management deployment to ensure that service delivery is addressed securely and efficiently. Secunia Corporate Software Inspector (CSI) incorporates these security-management capabilities into its vulnerability scanning services as well as providing automated patch-repackaging facilities for real and virtual Microsoft operating systems, where it addresses vulnerabilities in both Microsoft and third-party applications. Secunia CSI suits any organization with a need to identify vulnerable software across an extensive range (covers programs from more than 2,500 vendors) of Microsoft and third-party applications. Secunia s authenticated vulnerability and patch-management scanner gives organizations the ability to identify missing patches and vulnerable applications across all areas of the business. Financial services organizations (typically large banks with many locations), energy providers, IT, and the government and education sectors are Secunia s core markets. KEY FINDINGS Strengths: A comprehensive solution that is driven by the ability to perform complete application scanning, vulnerability analysis, and patch management through a single product set. A non-intrusive and scalable offering that supports an extensive range of Microsoft, thirdparty applications, and legacy products, focusing on vulnerabilities rather than devices. Weaknesses: Currently only operates across Microsoft platforms. Does not provide out-of-the-box compliance-specific reporting. Key Facts: i Offers a mix of agent-based and agent-less scanning approaches. i Provides extensive coverage of third party programs in addition to Microsoft. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 1

2 OVUM VIEW The processes associated with software-vulnerability identification and the management of patching updates have traditionally been cumbersome, resource-hungry, and difficult to deliver in an operationally effective manner. Because of this many enterprises have neglected their vulnerability-checking and patchmanagement obligations or restricted these operations to the bare minimum. Secunia addresses these issues with its CSI product by inspecting local files rather than conducting traditional network-based vulnerability scanning. This approach enables the automated discovery and scanning of an extensive range (the latest count shows that the company covers programs from more than 2,500 vendors that can be referenced in the Secunia database) of third-party as well as Microsoft programs. It addresses all machines in the network to assess their vulnerabilities and patch status, and also provides an impressive level of automatic remediation services. In Ovum s view, one of the product s key advantages is its ability to offer clients the choice of agent-based or agent-less scanning approaches. This provides flexibility in the management of scanning processes through scheduling and logical hierarchical grouping of the Windows infrastructure. Initially Secunia concentrated on the delivery of its vulnerability intelligence (VI) services. The introduction of CSI strengthen the company s software management position by adding software inspection scanning and assessment capabilities, and with the latest release (CSI version 4.0) application remediation services have been included. This is achieved because CSI now integrates with Microsoft WSUS and Microsoft SCCM, allowing Secunia to offering patch remediation services. Importantly, in Ovum s opinion, this means the company now has the opportunity to occupy a more prominent place among the leading software vulnerability and patch-management vendors. Secunia is privately held and has gone from being a very successful start-up company to become an established player in the vulnerability-management sector. Over the years Secunia s organic growth has been higher than the market average, and the company is profitable with no existing debt. Its customer base is counted in thousands and includes Global 2000 and Fortune 500 organizations. Recommendations Secunia CSI is suitable for any organization with the need to protect 100 or more devices. Organizations in the government, IT, energy, education, and finance sectors have provided the company s strongest areas of success. This is due to the strength of the product s regulatory and associated industry control facilities. Secunia CSI is not positioned as a small-user system and cost overheads could prove prohibitive. It is best suited to organizations that have an administrator function and staff responsible for security management. However, to address these issues the company has plans to introduce small-user versions of the product that would be sold via resellers. Organizations typically select Secunia CSI because of the product s ability to provide continuous and ongoing security-scanning and reporting facilities that help to maintain a consistent security posture. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 2

3 FUNCTIONALITY SOLUTION OVERVIEW Secunia CSI conducts authentication scans of all computers in an organization s network to identify and report on the status of installed programs and plug-ins. The advantage of CSI is that it scans all computers based on the actual system files (such as.exe,.ocx, and.dll) in the scanned operations. The collected metadata is sent to the CSI central-processing facility where it is linked to Secunia s product and vulnerability database to maintain an inventory of installed programs and plug-ins. The results are then correlated with the Secunia vulnerability database based on the company s up-to-date vulnerability intelligence. Scan information includes full installation paths, version details, direct links to patches, and criticality ratings. The scanning facility also detects and reports on end-of-life programs and plug-ins. This is important as software that has reached its end-of-life status can be dangerous because of a potential lack of vulnerability information and new security updates. Figure 1: Secunia CSI Architecture Source: Secunia O V U M Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 3

4 The Secunia vulnerability and product databases provide vital program vulnerability results and patch remediation information. They are used to help organizations to proactively obtain details on the patch status of all their operational software along with their risk ratings and alternative mitigation strategies. Every program is directly referenced to the corresponding Secunia Advisory, which provides detailed explanations about all vulnerabilities along with expert-assessed criticality ratings and impact status. Once all program and related remediation requirements are confirmed, Secunia CSI can be used to integrate with Microsoft WSUS and Microsoft SCCM to provide simplified patch management, facilitating the distribution of the latest security updates for both Microsoft and third-party programs. This approach has the added advantage that most administration teams are already familiar with Microsoft WSUS and SCCM and therefore the end-to-end software protection processes of CSI and its patch management remediation services are delivered using common interfaces that customers are comfortable with. Secunia CSI is also capable of listing all programs and plug-ins that are patched and up-to-date, ensuring that patches are deployed regularly and when required. This helps organizations supplement the evaluation of their other asset and license-management tools, and allows them to track the installation of unapproved programs and plug-ins. Other complementary Secunia products include the Secunia VIF and Secunia EVM: Vulnerability Intelligence Feed (VIF) Secunia VIF provides organizations with all the latest vulnerability intelligence details. It filters, verifies, and analyzes vulnerability information, making it easier for organizations to distribute it. Vulnerability intelligence is obtained by the VIF from Secunia s advisory database, enabling Secunia s research experts to verify all vulnerabilities in detail, and in turn provide organizations with remediation plans for handling threats effectively. Secunia VIF provides proof-of-concept for vulnerabilities and helps to determine if all program installations are secured properly or remain vulnerable. In addition to providing organizations with a technical analysis of vulnerabilities, which provides an insight into impact and mitigation strategies such as network rules or configurations, it allows organizations to take the required preventive measures. Enterprise Vulnerability Manager (EVM) Secunia EVM is a vulnerability-management tool. It provides organizations with a dashboard interface facility that helps track and manage all vulnerability intelligence data. The dashboard interface enables administrators to obtain an overall view of present and emerging vulnerability threats (including zero-day threats) that could affect the network. The tool allows administrators to register all components or only the infrastructure components (depending on the user) that fall within their remit. This approach can be used to control the vulnerability analysis data, which is filtered and communicated, ensuring that only significant or relevant threat alerts get sent to users. The tool supports task delegation through the allocation of sub-users or multiple users to handle specific layers, segments, or regional parts of the organization. It also allows administrators to track and document various advisories that are being handled, helping administrators to adhere to remediation best practices. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 4

5 SOLUTION ANALYSIS Ease of implementation and use In Ovum s opinion, one of the key advantages of Secunia CSI is the ease with which it allows authorized users to manage vulnerability intelligence information through a centralized dashboard. In terms of its implementation infrastructure, Secunia CSI s architecture value comes from the fact that it can be deployed using a combination of agent-based and agent-less approaches. Although, an agent-less architecture is typically more flexible than having to install and maintain thousands of individual software agents, the agentbased approach provides greater value in cases where bandwidth is limited or inconsistent, or where the systems and machines involved are intermittently offline. The combination of these approaches also helps to ensure that the use of Secunia CSI is able to grow and be integrated alongside organizational expansion plans by providing the flexibility to increase the numbers of machines and software product installations supported. Ability to patch virtual machines Secunia CSI also stands out because of its ability to keep pace with the need to support the latest operating environments through its capability to support patching for virtual machines (VMs). This is essential in order to overcome the general problems caused by VM operations and specifically those caused through variable usage when VMs are brought online infrequently and are therefore potentially susceptible to being deprived of the latest security patches and application updates. Patches are distributed through Microsoft WSUS or SCCM, allowing updates to take place as soon as machines are brought online. Ability to handle the end-to-end scanning through to patch-management process Secunia has extended its vulnerability scanning, analysis, and software management services, to include a patch-management and remediation module in its portfolio, in order to keep up with increasing competition in the company s core markets. Secunia CSI integrates with Microsoft WSUS and Microsoft SCCM in order to ensure that all patches can be deployed across Microsoft as well as other third-party software. Using WSUS integration, Secunia CSI handles the complete patch distribution processes across Microsoft and third-party programs. Secunia CSI initially identifies all insecure programs, automatically repackages the patches, and publishes them onto the WSUS, which then handles patch distribution. Secunia CSI also tracks patch-deployment status in order to support audit and security-management requirements. While Microsoft SCCM is itself capable of configuring, managing, and keeping an up-to-date patch status for Microsoft applications on all servers and desktops, it lacks the ability to track third party software inventory, and its inability to map this to security intelligence related to software is a major shortfall. Secunia CSI helps SCCM to overcome this through the use of its integration capabilities. In functional use Secunia CSI uses SCCM s patch-management capabilities and then makes use of its own internal facilities to track all inventory systems, ensuring that the integration complements both Secunia and Microsoft operations. All inventory traced by Secunia CSI is mapped to the security intelligence data to track patch status, while Microsoft SCCM handles patch-deployment activities. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 5

6 Research and vulnerability analysis team In Ovum s opinion, another major strength of the Secunia CSI offering is the use that it makes of the company s intelligence vulnerability database. This is a mature database product that was developed before CSI was available by Secunia s team of research experts. While most of Secunia s competitors use ad hoc vulnerability information gathered from a variety of sources, Secunia s research experts conduct in-house research alongside the regular collection of information from sources such as websites, mailing lists, news groups, vendors, and other security researchers. The advantage of this approach is that all the collected information is assessed, verified and tested, by the Secunia research team before being published, and based on this intelligence the patch status requirements of applications and programs is determined. The advisory database provides users with detailed information about each new vulnerability to ensure that customer organizations obtain the necessary information to enable them to clearly understand the security issues, estimate the business impact, and make informed riskbased decisions about how threats should be handled. Secunia is also able to provide organizations with direct access to its security research experts who can help to clarify any end-user doubts about existing and newly discovered threats. Centralized administration and reporting capabilities Secunia CSI allows organizations to centrally define operational rules. For example, administrators can define what actions are taken when an end-of-life program is identified. This allows organizations to manage their own risk profile and control vulnerability and patch-management processes. The rules and processes that administrators are able to define vary according to applications, departments, and user-group requirements, and can be tailored to ensure that compliance requirements are addressed. Secunia CSI comes with pre-built reports and a reporting tool that helps users to tune the information provided to ensure that it fits end-user requirements. Flexible reporting can be based on key reporting criteria such as vendors, groups of users, patching levels, and vulnerability levels. The product is capable of providing very detailed reports as well as overview versions to support the decision-making needs of senior managers. The reporting tool is simple to use and host- and program-level reports that contain lists of missing patches can be used to provide corrective and remediation information. Where further analysis is required reports can be extracted in PDF format. One shortfall that Secunia says it is keen to address is the lack of availability of specific compliance-based reports. PRODUCT STRATEGY Secunia CSI has been designed to be applicable to Microsoft infrastructures and is available in a range of versions that suit organizations of different sizes. The product versions include: CSI-Small Business (maximum 100 hosts), CSI (100 to 400 hosts), CSI-Professional (400 to 1,000 hosts), CSI-Enterprise (more than 1,000 hosts and includes user management facilities), and CSI-Server, which is targeted at multinational enterprises (MNEs), specifically those in the financial and pharmaceutical sectors. Secunia CSI contracts are sold using a licensing model, customers subscribe for a period of one, three, or five years. All service costs are included in the license fee, and additional support options are available where required. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 6

7 Secunia s main route to market is via a direct sales team, which contributes the majority of the company revenues, OEM/ODM and channel partners contribute a smaller yet growing share. The company has also recently started selling its products online. Although the geographic spread for the CSI product is global, Secunia primarily focuses on the Nordics, DACH (Deutscher Sprachraum, German-speaking Europe), and North America. In vertical industries Secunia CSI is mainly targeted at the financial services, government, IT, energy, and education sectors. Secunia has key business partnerships with Seccom Global (Asia-Pacific), CTMS (UK), and SecureOps (USA). The AV vendor Kaspersky is positioned as a technology partner (it has chosen to use Secunia CSI to offer a vulnerability scanner with its Internet Suite). IMPLEMENTATION Secunia CSI is defined as being simple to implement. The overheads of a complete technical implementation mainly revolve around the deployment of a simple agent that is capable of maintaining itself. Use of the agent is also optional as scans can be undertaken using an agent-less approach. IT security workers are responsible for managing the solution on an ongoing basis, but for implementation purposes the internal skills required involve an administrator with full administration credentials. For larger projects additional internal IT resources are needed to support the roll-out of further agents across the organization. Secunia also provides support options for online documentation (set-up guides and FAQ facilities) and webinars that guide users through the basics of CSI. In terms of professional services options during implementation, Secunia provides , phone, and web-based (GoToMeeting) support and can provide onsite installation and training sessions. Customer support options include standard, premium, and enterprise support. Standard support provides response facilities (based on Denmark standard time CET) with a response SLA of three working days. The premium option provides telephone and support, with a twoworking-day response time, and the enterprise option provides priority and direct telephone support from a dedicated specialist. The Secunia CSI small business product comes with standard support (later upgradable to other options), CSI Professional comes with a premium support option, and CSI Enterprise comes with enterprise-grade support. The solution can be deployed in either on-premise or SaaS modes. Further deployment options include agent-less out-of-the-box scanning of all systems on the network using standard Windows networking services, agent-based scanning of systems that are not always online, appliance mode, which enables agentless scanning from centralized hosts for remote sites or branch offices, and CLI mode that allows organizations to schedule and manage scans using other tools such as log-on scripts. Platform support is limited to Microsoft Windows environments. However, the company recognizes the need to extend its coverage and is working toward developing support for other environments in the near future. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 7

8 Deployment examples Herth+Buss Herth+Buss employs more than 200 staff in its automobile spare-parts operation. It was looking to implement a vulnerability-management solution capable of scanning, monitoring, patching, and reporting all in-house vulnerabilities against an established security baseline. It was keen to deploy a solution that was also capable of monitoring and patching all third-party updates. The Secunia CSI product was evaluated, and Herth+Buss found that it suited its extensive list of requirements, which included the need to perform daily scans on the company s critical servers and workstations, collect all required vulnerability intelligence data, and from the data provided to report on and patch all vulnerabilities. Indiana University Indiana University was using manual facilities to monitor and patch software vulnerabilities across more than 250,000 network devices spread across the university s eight campuses. With growing system numbers, the manual method was proving complex, difficult, and resource-heavy to support, and on occasion some vulnerability updates were missed. In order to overcome these issues, it was looking to deploy a solution that would be able to automatically perform vulnerability identification and remediation and help it to improve its overall risk-management and IT support efforts. Secunia CSI was chosen because it enabled IT to remove existing manual support processes and automate the entire vulnerability-scanning system. The solution s ability to provide prioritization reporting and remediation tracking, and handle security and risk-management initiatives, also helped the university to achieve its IT governance goals. Niko Group Niko Group is an electronic and electrical solutions provider with about 600 staff. Its requirement was to deploy a security solution capable of performing automated and detailed vulnerability analysis and reporting. Secunia CSI, with its ability to perform automated scanning to detect software vulnerabilities, provide detailed analysis on the vulnerabilities found, and remediation suggestions very closely matched the requirements of Niko. Secunia s ability to scan Microsoft and third-party programs, inspect them for their version information, assess them for critical vulnerabilities, and detect end-of-life programs allowed Niko to make use of the technology to optimize its patch-management policies. It also chose CSI because of the solution s ability to allow it to centrally manage all vulnerability scans through a central management console and because of the range of reporting services that helped it to obtain an accurate view of its technology infrastructure and health status. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 8

9 Table 1: Contact Details Secunia Corporate Headquarters Weidekampsgade 14A DK-2300 Copenhagen S Denmark Tel: Fax: Source: Secunia O V U M Headquarters Shirethorn House, 37/43 Prospect Street, Kingston upon Hull, HU2 8PX, UK Tel: +44 (0) Fax: +44 (0) Australian Sales Office Level 46, Citigroup Building, 2 Park Street, Sydney, NSW, 2000, Australia Tel: + 61 (02) Fax: + 61 (02) End-user Sales Office (USA) 245 Fifth Avenue, 4th Floor, New York, NY 10016, USA Tel: Fax: Important Notice This report contains data and information upto-date and correct to the best of our knowledge at the time of preparation. The data and information comes from a variety of sources outside our direct control, therefore Ovum cannot give any guarantees relating to the content of this report. Ultimate responsibility for all interpretations of, and use of, data, information and commentary in this report F or more information on Ovum s Subscription Services please contact one of remains with you. Ovum will not be liable for any interpretations or decisions made by you. the local offices above. Ovum. This Technology Audit is a licensed product and is not to be photocopied Page 9