LANDesk Technical White Paper
Resolving the Top Three Patch Management Challenges
Visit www.landesk.com for more information. To the maximum extent permitted under applicable law, LANDesk assumes no liability whatsoever, and disclaims any express or implied warranty, relating to the sale and/or use of LANDesk products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right, without limiting the rights under copyright. LANDesk retains the right to make changes to this document or related product specifications and descriptions, at any time, without notice. LANDesk makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein. For the most current product information, please visit www.landesk.com. Copyright 05/2013, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of others. LSI-1077 05/13 KB/AS/AZUU
Contents

Introduction
How LANDesk Patch Manager Works
    Hosted Vulnerability and Security Database
    LANDesk Core Server and Scheduler Service
    Inventory Service
    LANDesk Security Agent, Vulnerability Web Service and Vulscan
    Security Dashboards and Reports
Patch Management Challenge #1: Managing Non-Microsoft Patches and Updates
Patch Management Challenge #2: Keeping Road Warriors Patched
Patch Management Challenge #3: Simplifying and Improving Patch Management Processes
Competitive Differentiators
Bringing Patch Management under Control
Introduction

Keeping all of an organization's endpoints patched and up-to-date is crucial to staying ahead of the latest exploits and vulnerabilities. LANDesk Patch Manager automates the repetitive processes of maintaining current vulnerability information, assessing vulnerabilities relevant to an organization's different software and hardware, downloading the appropriate patch executables, remediating endpoint vulnerabilities, and verifying successful patch deployment.

LANDesk Patch Manager also enables organizations to easily and successfully tackle the top three patch management challenges they deal with on an ongoing basis:

- How do I patch all my non-Microsoft applications and operating systems effectively and efficiently?
- How do I keep my road warriors patched and up-to-date?
- How do I simplify and improve my patch process so it requires less IT effort, decreases my exposure to vulnerabilities, and increases patch deployment success rates in a timely manner?

How LANDesk Patch Manager Works

To help organizations keep all their endpoints up-to-date with the latest security fixes, and OS and application patches, LANDesk Patch Manager is a subscription service that automates and brings under control patch deployment and management processes by leveraging the following key services:

- Hosted (cloud-based) vulnerability and security database
- LANDesk core server
- Scheduler service
- Inventory service
- LANDesk Security Agent
- Vulnerability web service (WS Vulnerability Core)
- Vulnerability scanner (Vulscan)
- Security dashboards and reports

Hosted Vulnerability and Security Database

One of the main ways that LANDesk simplifies patch management is by gathering and consolidating into a single hosted database the latest security definitions and patches from trusted industry and vendor sources, such as Microsoft, Apple, Adobe, Kaspersky Lab, Lenovo, McAfee, Red Hat, Dell, HP, Intel and others.
It constantly maintains and updates this hosted database so LANDesk customers can easily stay informed on and access the latest security content via the cloud. By hosting the security content on a single consolidated database in the cloud, organizations only need to turn to one source for all their security and patch needs, rather than expending excessive effort dealing with and accessing content from multiple disparate sources.

LANDesk Core Server and Scheduler Service

To take advantage of that security content, organizations use the LANDesk scheduler service to create a task to download onto their local LANDesk core server the specific patches and security definitions that are relevant to the computers, operating systems, and applications used within their individual organizations. By default, this relevant security content will be placed into a local database, with related binary files contained in a patch directory on their LANDesk core server or other file system within their environment.

Using the scheduler service, administrators can schedule a recurring task that will regularly synchronize the content on the organization's local core server with the constantly updated LANDesk-hosted security database.

Organizations also have the ability to add their own custom-made security definitions to the core's patch repository. These user-defined definitions might include custom detection rules, associated patch files, and remediation commands.

Inventory Service

To help administrators understand what patch and security definitions are relevant to their organizations, LANDesk Patch Manager provides an inventory service that scans endpoints and collects information on their hardware, software, drivers, and patches. It catalogs and stores this inventory information on the LANDesk core server to facilitate an organization's ability to determine its relevant patch needs and quickly identify potential security problems.
This inventory information also allows them to identify the status of current patch levels, determine OS and software versions, and spot any known vulnerabilities.

LANDesk Security Agent, Vulnerability Web Service and Vulscan

The LANDesk agent plays a key role in patch management. Once deployed on an organization's endpoints, agents perform regularly scheduled scans on their host machines and use the LANDesk vulnerability web service (WSVulnerability Core) to report the results of those scans back to the LANDesk core server. Those scan results will also be used to update each endpoint's associated inventory information.
The agent's security scanner, known as Vulscan, has the ability to scan for known patch vulnerabilities, including industry-defined and user-defined vulnerabilities. The scanner can detect if the endpoint needs certain OS, application, or driver updates. For organizations that have licensed LANDesk Security Suite, the security scanner will also detect spyware, blocked applications, and vulnerable hardware and software configurations, which includes the ability to perform scans that conform to Security Content Automation Protocol (SCAP) standards.

Administrators can configure an agent's security scanner options, such as when and how often its scanner will automatically run, what remediation operations it will execute, and whether to display its scanning and remediation progress to the end user. In essence, these options dictate the agent's behavior: what the agent scans for, when it scans, and what remediation options it has when it finds a vulnerability. Agent behaviors are configurable at very granular levels, allowing administrators to create global behaviors as well as behaviors for specific patch deployments, endpoints, or groups of endpoints.

A common remediation behavior for an agent when it finds a vulnerability might be for the agent to interact with the LANDesk vulnerability web service to determine if there's a defined policy associated with that vulnerability. That policy can instruct the agent on the exact steps to perform for remediation.

Another common agent behavior for remediation, which is very powerful and convenient, is autofix. As the name suggests, autofix remediates the vulnerability automatically upon detection by deploying the associated necessary patch or patches. The agent will also use the vulnerability web service to communicate the remediation status to the LANDesk core.
Security Dashboards and Reports

LANDesk logs all patch management events into its core database to facilitate an organization's ability to gather the historical data needed to better comprehend the patch management issues they face. This data can be intelligently organized and leveraged through a variety of LANDesk dashboards and reports.

The LANDesk Patch Manager dashboards help administrators visualize their compliance and remediation status, including providing snapshots that summarize the number of endpoints that are out of compliance for any critical security definitions or service pack updates. The dashboards can present a variety of key indicators, such as how many endpoints have been scanned for a single definition type or group, as well as detected or repaired. It also includes trending dashboards that show how many endpoints have been scanned, if any endpoints should have been scanned that weren't scanned, which endpoints have been successfully remediated, and if any remediation has failed. The dashboards have drill-down capabilities that allow administrators to obtain more information on an endpoint's status, such as scan history, existing vulnerabilities, causes of failed repair attempts, and more.

In addition to dashboards, LANDesk Patch Manager offers more than a dozen customizable canned reports that provide administrators even more details on the success and status of their patch efforts, as well as ensure audit and regulatory compliance.

Patch Management Challenge #1: Managing Non-Microsoft Patches and Updates

Some organizations turn to Windows Server Update Services (WSUS) to take care of their patching needs, which is fine for keeping their Microsoft products current, but it does nothing to address vulnerabilities in their non-Microsoft products, such as PDF readers, Flash, Java, and other vendors' software, including non-Windows operating systems.

Due to the heavy reliance often placed on WSUS, non-Microsoft applications often become the most frequently attacked applications. Malware practitioners target these applications because they recognize organizations often don't want to deal with multiple patch management programs, which leaves their non-Microsoft systems open to attack.

LANDesk Patch Manager closes down those attack vectors by giving organizations a single tool to seamlessly manage patch deployment and updates for all their systems, including Windows, Macintosh, and Linux, as well as a wide array of the most-used applications from different vendors. Additionally, LANDesk and its partners perform thorough testing of these non-Microsoft patches in their compatibility labs to help ensure trouble-free patch deployment. Even so, best practices specify that organizations still need to perform their own testing of all patches in their own test environment before deploying patches into their production environment.
IT infrastructures, administration philosophies, and the distinctive mix of computers, systems, and applications vary widely among different organizations, but LANDesk Patch Manager can adapt easily to the unique patch management processes and procedures that an organization wants or needs to employ. The typical scenario for securing most heterogeneous environments will include regular scanning of all endpoint systems and their applications, assessment of potential vulnerabilities, prioritizing how and what to patch first, pre-stage testing of patches, pilot patch deployment, production patch deployment, and verification of patch deployment success. LANDesk Patch Manager streamlines and simplifies every aspect of these different phases for both Microsoft and non-Microsoft systems and applications.

Patch Management Challenge #2: Keeping Road Warriors Patched

The infrequency with which many mobile users connect to the corporate network creates significant patch management challenges for organizations and their IT administrators. How do IT administrators keep on top of the patch and vulnerability status of their mobile endpoints? How can they make sure critical updates and patches get installed on a timely basis? How do they put a stop to compliance drift among their mobile workforce?

LANDesk Patch Manager works in conjunction with the LANDesk Cloud Services Appliance to provide easy answers to all of these challenging questions. Whether mobile users are down the street, across the country, or on the other side of the world, the LANDesk Cloud Services Appliance lets administrators securely manage mobile endpoints without having to punch a hole in the corporate firewall, and without having to buy or maintain a VPN or leased line.

The appliance brokers a Secure Sockets Layer (SSL) connection between the managed mobile endpoint and the organization's back-end LANDesk core server. The core server issues a certificate that secures a pipeline and establishes a trusted relationship. Using an auto-sensing technology, the management agent on the mobile endpoint can detect whenever it has an Internet connection and then authenticate to and obtain a client certificate from the core server. That authentication will authorize the management agent to communicate with the management services on the core server through the appliance. Similar to VPN tunneling, this enables the mobile endpoint to access only the core server, not the corporate network.

Once connected, the mobile endpoint can retrieve the latest security definitions from the core server transparently and automatically, scan for any new potential vulnerabilities, and install any needed patches and updates. If the connection or download gets interrupted, the LANDesk checkpoint restart capability allows the download to continue from where it left off the next time it connects. Additionally, the LANDesk agent on the mobile device can update the inventory database on the LANDesk core server automatically so that IT administrators can continue to easily track and manage the mobile endpoint.

Administrators have the flexibility to configure the agent behavior of different mobile endpoints, which can determine when they connect, as well as what management and patching tasks the agent will perform on the mobile endpoint. When an administrator makes policy changes to an endpoint's agent behavior, the agent will retrieve and adhere to those new policies the next time it connects.
Patch Management Challenge #3: Simplifying and Improving Patch Management Processes

Patch management is a very process-oriented activity. Unfortunately, many patch management solutions require organizations to rely on a number of manual processes that are difficult to employ and manage. LANDesk Patch Manager has a built-in process management engine that automates and streamlines patch management processes and activities.

The automated process could be as simple as when new patches become available, an event gets triggered that notifies an endpoint's agent regarding the new patch, which in turn will refer to different criteria within a policy that will instruct the agent to deploy the patch automatically or perform some other operation. Administrators can also set up an e-mail alert when a specific vulnerability or severity level is detected.

Through its integration with LANDesk Process Manager, LANDesk Patch Manager can also enable organizations to implement and streamline more complex end-to-end processes to simplify and enhance patch management efforts. LANDesk Process Manager operates as an integrated business process and workflow management system that provides intelligent coordination across all IT management and security functions. It integrates software and human processes to enable comprehensive definition and control of all interrelated processes across an enterprise.

In addition to its integration with LANDesk Patch Manager, LANDesk Management Suite, and LANDesk Security Suite, LANDesk Process Manager provides a Services Oriented Architecture (SOA) that enables simple integration with third-party and custom applications, databases, external data sources, productivity applications, and e-mail platforms to tie together and automate business processes with the tools that users are familiar with and already use to do their jobs.

For example, in a patch management scenario when the LANDesk core receives a new vulnerability definition from the LANDesk hosted security database, LANDesk Process Manager might initiate and govern the following workflow steps:

1. It e-mails a notification to an IT administrator regarding the newly downloaded vulnerability.
2. It e-mails a specified IT team, instructing them to immediately perform pre-deployment testing of the vulnerability fix.
3. After a specified period of time, it e-mails a feedback request to the team that asks for status of the testing. The team might respond to the request that it needs more testing time, the testing failed, or that the testing was a success.
4. Upon a positive response, in addition to notifying the IT administrator, LANDesk Process Manager interacts with LANDesk Patch Manager to scan for that vulnerability and repair it within a pilot group of users.
5. During the pilot testing period, LANDesk Patch Manager scans for the vulnerability in all the endpoints in the organization, and, in preparation for eventual deployment, it begins to pre-stage the patch or fix in the cache of all of the vulnerable endpoints.
6. After a specified period of time, a feedback request is sent to the pilot group members automatically, asking if any problems were encountered as a result of the fix.
7. Upon a positive feedback response, an e-mail is sent to the IT administrator requesting approval to autofix the vulnerability enterprise-wide.
8. Upon approval, LANDesk Process Manager interacts with LANDesk Patch Manager to immediately autofix the vulnerability across the entire organization.
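The eight workflow steps above amount to an approval-gated state machine in which enterprise-wide autofix is reachable only after testing, pilot feedback, and administrator approval have each succeeded. The Python model below is an added example, not LANDesk code: the stage names, event names, and the HALTED stage for a failed gate are assumptions of this sketch, and EXAMPLE-DEF-001 is a placeholder definition id.

```python
# Added illustration, not LANDesk code. Stage/event names and the HALTED
# stage are assumptions; the page describes only the successful path.
from dataclasses import dataclass, field
from enum import Enum, auto

class Stage(Enum):
    TESTING = auto()             # steps 1-3: pre-deployment testing
    PILOT = auto()               # steps 4-6: pilot repair plus pre-staging
    AWAITING_APPROVAL = auto()   # step 7: administrator sign-off requested
    ENTERPRISE_AUTOFIX = auto()  # step 8: autofix across the organization
    HALTED = auto()              # assumption: a failed gate stops the rollout

# (current stage, event) -> (next stage, actions appended to the audit trail)
TRANSITIONS = {
    (Stage.TESTING, "needs_more_time"): (
        Stage.TESTING, ["re-send testing feedback request after delay"]),
    (Stage.TESTING, "test_failed"): (
        Stage.HALTED, ["notify administrator: testing failed"]),
    (Stage.TESTING, "test_passed"): (Stage.PILOT, [
        "notify administrator: testing passed",
        "scan and repair pilot group",
        "scan all endpoints for the vulnerability",
        "pre-stage patch in cache of vulnerable endpoints",
        "send feedback request to pilot group after delay"]),
    (Stage.PILOT, "pilot_problems"): (
        Stage.HALTED, ["notify administrator: pilot reported problems"]),
    (Stage.PILOT, "pilot_ok"): (
        Stage.AWAITING_APPROVAL, ["request approval for enterprise autofix"]),
    (Stage.AWAITING_APPROVAL, "denied"): (
        Stage.HALTED, ["record denial; no enterprise deployment"]),
    (Stage.AWAITING_APPROVAL, "approved"): (
        Stage.ENTERPRISE_AUTOFIX, ["autofix vulnerability enterprise-wide"]),
}

@dataclass
class Rollout:
    definition_id: str
    stage: Stage = Stage.TESTING
    audit: list = field(default_factory=list)

    def __post_init__(self):
        # Steps 1-3 start as soon as the core receives the new definition.
        self.audit += ["notify administrator: new definition downloaded",
                       "instruct test team to begin pre-deployment testing",
                       "send testing feedback request after delay"]

    def handle(self, event):
        """Apply one response; reject anything not valid for this stage."""
        key = (self.stage, event)
        if key not in TRANSITIONS:
            # An out-of-order event (e.g. "approved" before the pilot) must
            # never move the rollout past a gate it has not cleared.
            raise ValueError(f"{event!r} not allowed in stage {self.stage.name}")
        self.stage, actions = TRANSITIONS[key]
        self.audit += actions
        return self.stage

def run(events, definition_id="EXAMPLE-DEF-001"):
    # Replay a constructed sequence of responses and return the rollout.
    rollout = Rollout(definition_id)
    for event in events:
        rollout.handle(event)
    return rollout
```

Because every transition is looked up in one table, the audit trail records each action in order and an approval message that arrives before the pilot has reported back raises an error instead of triggering deployment.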
Competitive Differentiators

LANDesk Patch Manager differentiates itself from other patch management solutions by delivering the following value propositions:

- Single pane of glass: Through an integrated management console and a single client agent, LANDesk offers a unified platform of IT management, security management, and process management that enables organizations to secure and manage their endpoints in a way that strengthens overall security, streamlines operations, reduces costs, enables higher service levels, and fosters greater business success.
- Multi-platform patching: LANDesk Patch Manager provides a single, all-in-one tool that allows organizations to manage patches and security definitions for their Windows and Microsoft applications, as well as non-Microsoft applications and operating systems from vendors such as Apple, Adobe, Java, and more.
- Secure and easy mobile workforce patching: Ensures mobile endpoints stay patched and managed in a simple, secure, and automated manner without requiring expensive VPNs or leased lines.
- Intelligent patch management: LANDesk Patch Manager goes beyond registry-based examination to provide file system interrogation in order to determine endpoint vulnerability and whether certain endpoints actually need a patch. This enables organizations to push out more quickly the critical fixes and updates to endpoints that actually need the fixes and patches. LANDesk Patch Manager also detects patch dependencies to ensure the proper patches are deployed in the proper order.
- Light infrastructure: LANDesk Patch Manager leverages a variety of technologies to reduce server hardware requirements and bandwidth consumption, which can be quite extensive with other patch solutions. Some of these light infrastructure technologies include preferred servers, peer downloads, targeted multicasts, parallel patch processes, bandwidth throttling, and checkpoint restart.
Bringing Patch Management under Control

LANDesk Patch Manager automates baseline security, stability, and performance of applications and operating systems across mixed IT environments. It lets administrators proactively see, manage, update, and protect their IT systems through a single console. It enables organizations to research, evaluate, test, and apply patches easily and automatically across the enterprise. It enables the remediation of thousands of systems with one task and without saturating the corporate network. With LANDesk Patch Manager, organizations can tackle and easily bring under control even their most difficult and complex patch management challenges.

LANDesk Patch Manager is sold as an add-on product to LANDesk Management Suite and is included in LANDesk Security Suite. For more information on LANDesk Patch Manager and other leading LANDesk technologies, please visit www.landesk.com or email us at sales@landesk.com.