Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation
Version 7.0 SP1
Evaluation Guide
September 2010
Version 2.4
Copyright 2010, Lumension, Inc.
Table of Contents
Lumension Endpoint Management and Security Suite: Patch and Remediation, v. 7.0 SP1 Evaluation Guide
    Objective
    Note: Prior to starting the evaluation, please login to the LEMSS evaluation environment
Product Introduction
Challenge #1: Understanding your Risks
    Why Customers Care
    How Lumension Patch and Remediation solves this problem
Challenge #2: Mitigating the Threats
    Why Customers Care
    Lumension Endpoint Management and Security Suite: Patch and Remediation solves this problem
Challenge #3: Power Management
    Why Customers Care
    Utility Rebate Incentives
    US Federal Regulatory Drivers
Challenge #4: the Results
    Why Customers Care
    How Lumension Patch and Remediation solves this problem
Evaluation Wrap-Up
Additional Challenge: Content creation
    Why Customers Care
    New Patch Wizard
    Power Management
Lumension Endpoint Management and Security Suite: Patch and Remediation, v. 7.0 SP1
Evaluation Guide

Objective:
The goal of this guide is to help you understand how Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation uniquely addresses the 3 main challenges you face with regard to the tidal wave of software vulnerabilities that exist in your organization:
1. Accurately Identifying and Analyzing all the Software Vulnerabilities on all your endpoints, physical or virtual, online or offline
2. Rapidly Patching Vulnerabilities with Minimal User Impact
3. Monitoring Patch Efficacy and Demonstrating Policy Compliance
Additionally, our enhanced Power Management capabilities, with integrated Wake-on-LAN, will allow you to dramatically reduce your energy consumption and improve your security posture.

NOTE: PRIOR TO STARTING THE EVALUATION, PLEASE LOGIN TO THE LEMSS EVALUATION ENVIRONMENT:
The evaluation server can be accessed from any internet-ready computer running Microsoft Internet Explorer 7.x or higher or Mozilla Firefox 3.6+. Depending upon your evaluation environment (Online, VMWare Image, or installed within your environment), log in to the environment.
ID: Administrator
PW: Lumension.!
Product Introduction:
L.E.M.S.S.: Patch and Remediation on the Lumension Endpoint Management platform (LEMP) is the world's best-selling patch and vulnerability management solution. Lumension Patch and Remediation enables organizations to automate the arduous process of gathering software patches and configurations, assessing their environment for vulnerabilities and patch applicability, deploying and executing the patches throughout a complex, distributed network, continuously monitoring patch efficacy, and providing a flexible reporting mechanism to validate patch viability. Vulnerability remediation, configuration and system management, software deployment and management, as well as Power Management are just a few additional tasks that can be accomplished through Lumension Patch and Remediation. The backend patch server is currently deployed at thousands of customer sites worldwide, protecting tens of millions of computers, and is the most advanced patch and vulnerability solution available today.
CHALLENGE #1: UNDERSTANDING YOUR RISKS

WHY CUSTOMERS CARE:
With over 30,000 known software vulnerabilities, accurately identifying and analyzing all of the possible threats to all of your computers can appear to be an insurmountable task.

How Lumension Patch and Remediation solves this problem:
Through the Discover workflow process, Lumension Patch and Remediation can discover all physical and virtual assets on the network, whether they are online or offline, swiftly deploy an agent to any unmanaged systems, and allow the administrator to manage all endpoints from a single console.

When you open the LEMSS administrative interface, you will be presented with the application's Home Page. This is a web-based application: it is accessible from any compatible web browser, is easy to use (no steep learning curves) and provides an information-rich environment, with a configurable graphical dashboard for a quick, at-a-glance status of key vulnerability metrics across the organization. There are multiple widgets that detail various aspects of your environment.
Move on to the Discover menu option. This is the beginning of the workflow being introduced in L.E.M.S.S. L.E.M.S.S. is a modular framework that introduces a workflow based on Asset Discovery and Remediation not found in any competing product. Hover over the menu option and see the fly-outs of the additional menu options. The Discover menu allows you to discover all managed and unmanaged assets on your network, both physical and virtual, from the router to the Desktop via IP, Active Directory, Network Neighborhood, computer name, etc. From the Discover menu, a remediation agent can be deployed and installed on unmanaged endpoints. You can also click on any of the widgets to be taken immediately to the corresponding page for a detailed view of the provided information.
The next menu in the workflow is the Review menu. Again, you can hover over the menu and observe the fly-outs. From this menu, you have the views into Vulnerabilities, Software installers, Packages, System Management tasks, and Discovery results. Review Vulnerabilities provides a scorecard of vulnerabilities against the number of machines to which each is applicable.
The Review Job Results will provide you with a comprehensive view into the discovery jobs for your environment and the means to install remediation agents onto those machines.
The next workflow is Manage. From the Manage menu, you can view the managed Endpoints, their Inventory information, Groups, review Deployments, and manage and edit Agent Policy Sets. Select Manage then Groups. Groups describe the automatic grouping methods available: Directory Services location, Operating System, Virtualization, IP Address, and Custom Grouping.

The Vulnerabilities view shows a list of all of the vulnerabilities that the agent discovered from its latest internal machine scan, per the filtering criteria defined in the filter options in the upper right-hand corner. Lumension Patch and Remediation provides an automated mechanism for gathering software updates from most leading operating system and application developers, with multiple thousands of vulnerability signatures currently available, ensuring broad coverage for today's heterogeneous environments.
This particular vulnerability analysis displays all vulnerabilities from Microsoft (have MS in the name) that are not patched and are critical, but not superseded. Modify the filters and type System Management in the Name field to display the new System Management Policy content.
The filtering capabilities include drop-down options for the Results for Groups, Status and Impact menus. For all identified vulnerabilities, the system provides information on the remediation packages that repair the vulnerability.
For all identified vulnerabilities, the system also provides an analysis showing the number of machines for which the vulnerability was applicable, as well as their current risk status.

CHALLENGE #2: MITIGATING THE THREATS

WHY CUSTOMERS CARE:
Once the identification and analysis is complete, you will discover a huge number of vulnerabilities that afford hackers a means to penetrate your environment. How do you effectively remediate all of these threats in order to dramatically improve your risk posture and avoid costly, embarrassing attacks?

Lumension Endpoint Management and Security Suite: Patch and Remediation solves this problem:
L.E.M.S.S. combines a scalable, secure agent-based architecture, the industry's most sophisticated content acquisition strategy and a wizard-based deployment tool to enable you to rapidly and efficiently patch all software-related vulnerabilities in your environment.

Once vulnerabilities have been identified and analyzed, you can easily remediate using the Lumension Patch and Remediation deployment wizard. Simply check the box next to the vulnerability name and click the Deploy button.
Click Next to enter the wizard.
Within the wizard, the system has already identified the vulnerable computers that require the patch for the selected vulnerability. Continue to click Next to move through the wizard to show:

Deployment Options
o how you can select the date and time of deployment
o how you can set bandwidth throttling to control how many agents can communicate with the server simultaneously. (Note: you must name the deployment to move to the next screen)

Package Deployment Order and Behavior
o ability to auto-qchain patches together
o control of whether computers are to be rebooted

Notification Options
o Ability to notify users of deployments and provide them with the ability to delay deployments for a period of time that you define
At the end of the wizard process, the Deployment Confirmation screen appears. That's it; the deployment is now ready to be scheduled. At this point, each agent now picks up its deployment the next time it checks in with the server. The flexibility of the Wizard allows the administrator granular control over all aspects of the deployment, or the ability to simply accept the system defaults and deploy patches with a few mouse clicks.

A few of the other key capabilities available within the information-rich, web-based interface include:
o Ability to view vulnerability / inventory data in numerous ways (by specific vulnerability, by deployment, by group, by device, by user, etc)
o Ability to automatically enforce patch policies using the Mandatory Baseline feature
o Ability to organize activities by groups (according to Active Directory, Operating System or custom group definitions)
o Ability to view detailed inventory data for each managed device
o Ability to assign user roles to control information access
CHALLENGE #3: POWER MANAGEMENT

WHY CUSTOMERS CARE:
Organizations that are actively employing power management functionality can expect to save $43,300 per year, compared with an unmanaged 2,500-PC organization, according to Gartner.
Organizations can save $60 per machine by deploying power management policies - Forrester

Lumension Power Management enables organizations to reduce their power consumption while simultaneously improving operational visibility and security posture. Delivering easy enforcement of power conservation policies ensures inactive systems are powered down throughout the organization. Enhanced Wake-on-LAN ensures that systems are available for maintenance windows while eliminating operational blind spots to provide effective security and system management. Onboard power consumption reporting quantifies energy savings and demonstrates the impact of effective power management.

Utility Rebate Incentives
In the US market, several energy utilities have offered power management rebates of up to $15 per networked PC implementing power management (with proof of a 5-year software license). The rebates generally apply only to fixed PC resources and not laptops. The requirements to receive the rebate vary by utility but typically include documenting, or proving during a potential audit, the following items of proof:
o Itemized Invoice: This should state the quantity of PCs deployed.
o Software License Agreement: As noted, the license must be in effect for a minimum of five years.
o Workstation Report: Documenting locations of power-managed workstations.
o Savings Report: Indicates the number of workstations controlled and the savings in kilowatt hours and/or dollars. Some utilities may require a minimum amount of power to be saved or require pre and post measurements.
o Location of the Power Management Server: Provided for the installation audit.

US Federal Regulatory Drivers
US Executive Order 13514, signed October 5, 2009, also establishes goals for US Federal Agencies to promote electronics stewardship, in particular by: (ii) establishing and implementing policies to enable power management, as well as general reduction of greenhouse gas emissions.
The Power Management installation creates additional Dashboard widgets allowing you to monitor your power usage and potential savings in an at-a-glance view:
Navigate to the Tools \ Power Management section of the interface to configure the power settings for your environment:
Finally, from the Reports menu, there are additional reports specifically for Power Management:
CHALLENGE #4: THE RESULTS

WHY CUSTOMERS CARE:
With mounting pressure to comply with internal security policies and external regulations, identifying and removing vulnerabilities is no longer enough. Now you must be able to prove ongoing patch efficacy and easily report on all aspects of your vulnerability management process.

How Lumension Patch and Remediation solves this problem:
Lumension Patch and Remediation enables you to prove the effectiveness of your vulnerability management process through ongoing patch monitoring and rapid, flexible report generation.

The agent continuously scans the machine, on a pre-defined schedule set by the administrator, to determine the efficacy of the remediation activities it has performed. The information from these DAU (Discover Applicable Update) scans is propagated to the server(s), where it is available for analysis and reporting.

Powerful and flexible reporting options are available to both assist in the vulnerability management process and prove compliance with internal security policies and external regulatory requirements. Access the report window by clicking on the Reports tab as shown below:
Reports are now arranged by categories for easy reporting. By selecting the individual categories, the various reports are displayed.
Or, of course, you can list all for an alphabetical listing. In the reports window that opens (shown below), the Patch and Remediation server contains 29 standard application report templates that provide a wide range of information on vulnerabilities, deployments and policy compliance, each with multiple configurable items and a description of the type of report and the export type.
Click on the Deployment Summary Report. The flexible structure of the report template allows for the selection of a wide range of criteria at different levels of aggregation. Select all Available Deployments by clicking on the 2 downward pointing arrows and click Generate to run the report:
The finished report (below) explains how it can be easily re-formatted, exported or printed.

EVALUATION WRAP-UP
This powerful role-based application provides a wide range of capabilities, some that were not discussed, including detailed inventory assessments, software distribution, custom package creation, and many more. In addition to Lumension Patch and Remediation, Lumension offers an advanced scan tool for asset discovery and an award-winning patch engine. Lumension Security Configuration Management is a tool for standards-based assessment of configuration issues that leverages the massive repository of best practices security management content developed by NIST and other leading security organizations.
Lumension Endpoint Management and Security Suite: Patch and Remediation will allow you to meet the following key vulnerability management challenges:
o Provide Full Network Visibility and Continuous Control through Comprehensive Asset Discovery
o Rapidly and accurately identify software vulnerabilities for all major operating system platforms and applications
o Effectively mitigate those threats with up-to-date content delivered through a secure, scalable architecture through an easy-to-use deployment wizard
o Constantly monitor the efficacy of your remediation efforts and easily report on compliance with stated vulnerability management policies
ADDITIONAL CHALLENGE: CONTENT CREATION

WHY CUSTOMERS CARE:
Every organization has IT needs that are not completely addressed with out-of-the-box software solutions. PC configuration-related issues increase the workload on administrators and IT help desk staff and introduce new sources of risk. Meanwhile, in a tough economic climate, organizations are facing greater pressures to optimize IT efficiencies wherever possible, including reducing the hard costs of energy consumption.

Do you have a need to expand traditional Vulnerability Management Capabilities to Centralize, Automate and Streamline Desktop and System Management, Power Management, Configuration Enforcement, Software Distribution and Customizable Scripting?

Use the Lumension Content Wizard (formerly PatchLink Developers Kit) to cost-effectively streamline desktop and system management tasks with simple and customizable wizard-based policy creation, distribution and baseline enforcement.

From within the Lumension Content Wizard (LCW) interface, you can select from a list of available Wizards to create software installers (New Patch Wizard), create software removals (Uninstall Wizard), set power settings per computer or group (Power Management Wizard), and create and modify computer policies (Policy Wizard). Additional functions include subscribing to and sharing content with the Content Community.
After installation, log in to the LCW, selecting whether you are logging into the PLUS (PatchLink Update Server 6.4) or the LEMSS (Lumension Endpoint Management and Security Suite 7.0). Select the defaults. Next, if you chose to edit an existing piece of content from your server, search for and select the appropriate content; otherwise click Cancel to enter the LCW interface.
From the Tools menu option, select the appropriate wizard:

New Patch Wizard
Let's select the New Patch Wizard; new patches can be any content you wish to have loaded or installed onto the target machine:

Now, just follow the wizard through the process:
Done! You have just created your first piece of content to deliver to your computers.
You can now Save this content. Your computers will assess themselves against this content to see if they have this software installed. If they do not have this content installed, this content will show up as applicable to every computer on which this software is not installed. You can now select this content from the Vulnerabilities page of the interface and deploy it as you do with any other content on your server.

Power Management
Centralized Endpoint Power Management Policies: Reduce IT power consumption and meet organizational "green" policies by standardizing power settings of systems across the organization without requiring a centrally managed domain or impacting user productivity. Easily create and centrally manage power policy settings, including standby, hibernation and sleep timing settings based on user and system inactivity. When combined with the Wake-on-LAN capability within Lumension Patch and Remediation, high levels of IT security can be attained with minimal power consumption.

From the LCW interface, select Tools, then Power Management.
Done. We can now deploy this Power Management task to our computers and manage their downtime.
Lumension Global Headquarters
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255 USA
Phone: +1.888.725.7828
Fax: +1.480.970.6323