Managing non-microsoft updates

Transcription

1 Managing non-microsoft updates With Microsoft s System Center Configuration Manager secunia.com 1

2 How to patch all your programs directly in Microsoft System Center 2012 A common perception is that System Center 2012 is simply a tool for software inventory management and for patching Microsoft operating systems and programs. However, it is much more than that. Did you know that you can also use it to patch ALL programs installed in your infrastructure including non- Microsoft programs: the primary cause of vulnerabilities discovered in 2012? By having access to System Center 2012, you actually have a powerful and effective resource at your disposal. You just need to unleash its potential. This is where the Secunia SC2012 Plugin comes in. System Center Secunia CSI + Secunia SC2012 Plugin The seamless integration of the Secunia SC2012 Plugin with System Center 2012 means that you can access best-in-class vulnerability intelligence and a complete patch management solution the Secunia Corporate Software Inspector (CSI) directly from one console. There is no need to install an additional agent in your infrastructure. The result: increased visibility of the threats to your organization. Why patch? The number of cyber-attacks targeting businesses is increasing. Hackers are specifically focusing on exploiting vulnerabilities in non-microsoft programs and using them as doorways into corporate networks. Facts (1) The number of vulnerabilities found in the 50 most popular programs typically installed on an endpoint has increased by 98% over the last 5 years. In 2012, 86% of vulnerabilities in the 50 most popular programs were found in non-microsoft programs. Patches are proven to be the most effective means for remediating vulnerabilities. However, only patching Microsoft programs is not enough. By leaving non-microsoft programs unmonitored and unpatched, you are leaving your organization wide open. It only takes one unpatched, insecure program to leave your IT infrastructure exposed to a security breach and the potentially devastating consequences for your operations, revenue, customers and brand. 1: Secunia Vulnerability Review 2013, secunia.com/vulnerability-review 2 secunia.com

3 What to patch Knowing what non-microsoft programs to patch at any given time is also a significant challenge. Many organizations focus on only patching top-of-mind programs such as Adobe Flash, Adobe Reader and Java. This is a short-sighted approach as lesser-known or non-corporate programs can also be vulnerable. It is the unknown element of your software portfolio that could actually be your team s Achilles Heel the weak link that could compromise the security status of your entire company. Example: Apple itunes is not a typical corporate program, but the likelihood is that 10-15% of employees have it installed on their office or home systems. There were 243 vulnerabilities in Apple itunes in Q (2). Without a patch management tool in place, you probably would not have been aware of this fact until an issue arose. Cybercriminals will target and attack all programs; therefore you need to know about all programs installed in your IT infrastructure and patch all of them. Gartner predicts; Enterprises are using more client management features in the traditional Windows environment, such as software usage monitoring, self-service application deployment and application patch management. Desktop application patch management, while not new, is becoming a more common practice. As organizations continue to mature Windows OS patching, their focus will shift to third-party applications, such as Java and Adobe products. (3) Utilizing System Center 2012 With the Secunia SC2012 Plugin, the Secunia CSI provides a complete patch management solution directly from System Center 2012; enabling your team to lean on, and benefit from: Vulnerability intelligence Map your entire software inventory and correlate this to vulnerability intelligence covering more than 44,000 programs from thousands of vendors, so that you can immediately identify the programs that are critical and require prioritization. There are many customizable features such as the dashboard, reports and auto updates. Vulnerability scanning Metadata (*.exe, *.dll and *.osx files) is gathered from a locally installed agent running from SC2012. This is matched to raw metadata and Secunia s file signatures, and then compared to Secunia s advisory and vulnerability database. The frequency of this process is configurable by you. Patch creation Secunia s dynamic update catalog then provides the security patches that are specifically relevant for your IT infrastructure. Patch deployment Packages created with the Secunia Package System (SPS) can be edited, with the parameters determined by you. Customizations could include opting to detect all previous versions and updating to the latest version, removing and accepting EULA, withdrawing shortcuts on desktops and controlling auto updates. Organizations that require quick deployments of non-microsoft application patches should either staff their packaging groups appropriately to quickly package and test updates, or should use add-on patching tools or competitive products that offer stronger patching. (4) 2: Secunia PSI Country Report: USA. Q secunia.com/resources/countryreports/us 3: Magic Quadrant for Client Management Tools. April Gartner 4: Microsoft System Center 2012 Configuration Manager Offers Many Infrastructure and Administrative Improvements, but Challenges Remain. October Gartner secunia.com 3

4 Accurate security assessment, tactical decision-making The natural fit of the Secunia SC2012 Plugin and System Center 2012 results in many benefits for your team. Here are a few: Risk reduction through increased visibility and control of threats organization-wide. The ability to rapidly handle and remediate non-microsoft vulnerabilities via one console. Optimized time and resource management. The capacity to: conduct cross-platform scanning, pinpoint the exact vulnerabilities affecting your network, simplify the patching of vulnerabilities, secure your off-site assets and send alerts upon any changes in the network. Overall, with the right patch management capabilities in place, you will have a solution for the root cause of security issues affecting your organization: vulnerabilities in software. By prioritizing your remediation efforts, you can reduce the risks by focusing on the most severe issues first and the vulnerabilities that can be fixed easily, here and now. In fact, the right patching strategy will not only help your organization comply with industry regulations, it will also help you achieve an 80% reduction of risk. (5) Imagine a library that holds only the books you are interested in. That is what the Secunia CSI offers System Center 2012: No noise, no clutter just pure, relevant information that is actionable, and patches that are ready to be deployed. Morten R. Stengaard, Director of Product Management & Quality Assurance, Secunia. Take charge of your patching. 5: How to Secure a Moving Target Secunia 4 secunia.com

5 Common questions/tips & Tricks How easy is it to integrate the Secunia CSI with Microsoft System Center 2012? The Secunia SC2012 Plugin makes integration extremely easy. It means that you no longer have to login to separate consoles to do your day-to-day work. The Secunia Package System (SPS) is available directly in System Center 2012, including all the preconfigured patches that come with the Secunia CSI. What is the difference between using Secunia versus using System Center Updates Publisher (SCUP) for non-microsoft patching? With catalog-based solutions such as SCUP, there will be occasions when not all the threats will be detected. Should I wait until I complete migration to Microsoft System Center 2012 to implement a process for patching my non-microsoft programs? No. Never, ever wait! The Secunia CSI is fully integrated with System Center Configuration Manager 2007 without a plugin and the process is similar. System Center 2012 requires the Secunia SC2012 Plugin. From a security standpoint, being without a patch management tool for any length of time is extremely risky and is therefore unadvisable. What are the options for companies using Windows Server Update Services (WSUS)? The Secunia CSI is fully integrated with WSUS so you can also do a standalone WSUS installation. Unless your users are never connected to the Internet, then you need to be aware of all the programs in your environment and control them by ensuring that they are all patched. With a cloud-based solution such as Secunia s vulnerability intelligence database, which forms the foundation of the Secunia CSI, you can create tailored categories for both managed and unmanaged programs (customize security levels, enable auto update, patch creation, etc.). What about custom applications that need updates, which are not part of the database? You can report these directly to Secunia s Research Team they always want to know about new cases. Secunia s vulnerability database is the most extensive in the field, and its researchers are the eyes and ears of the industry. They constantly update the database so that you always receive the latest intelligence. Is there a report that can be linked to the administrator that doesn t require admin credentials? Yes. You can create and schedule customized reports and them to your managers or team members. You can very quickly generate an overview of your organization s security status including the number of insecure programs running in your infrastructure and the criticality rating for each. secunia.com 5

6 Secunia can help Secunia is a member of the Microsoft System Center Alliance Program. We can assist you with your Microsoft System Center 2012 questions and patch management needs. sales@secunia.com or secunia.com/sc secunia.com