WHITE PAPER

Proving Your Vulnerability Compliance: Patches, Configuration, Reports, and More
Today’s organizations have a lot of computers to worry about, all of which run an operating system of some kind, and all of which run hundreds, if not thousands, of applications and utilities. All of that software potentially contains millions of undiscovered security vulnerabilities – bugs, in other words – that will eventually be discovered and patched. All that software also includes millions of configuration settings, many of which are security-related and need to be properly managed in order to maintain organizational security goals.

Everything’s made more complex by the fact that very few organizations, these days, are truly homogeneous. In order to meet our varying business needs, we’ve adopted a variety of operating systems, leading to an exponential number of applications that need to be patched and configured as well. If we were able to stick with a single OS and application set, then we could probably find tools that would help deploy patches, track their deployment, and even track key configuration settings. In fact, that’s one reason why so many organizations, for so many years, tried to stick with a single operating system and application set. That didn’t turn out to be practical.

In other words, it’s a lot to keep track of.

What’s even harder is proving that you’ve kept track of it. When auditors arrive, they’re looking for evidence that you are on top of your patches, that you have maintained the proper security settings, and that you’re continuing to do so on a day-to-day basis.

Providing that proof can be incredibly time-consuming, manually driven, and complicated. It’s an enormous amount of overhead that doubtless accounts for a significant portion of every IT team’s time and budget.

Now, organizations struggle. Without unified cross-platform tools for managing patches and configurations, they wind up with numerous disparate tool sets, gaps in between those tools’ functionality, and a great deal of manual effort to make everything work consistently and reliably.

It’s time for a change. It’s time to get everything on one page, to make patch management and configuration auditing consistent and automated. It’s time to stop wasting money and time.
Figure 1: Tools can manage multiple computers running a variety of operating systems.
True, Cross-Platform Vulnerability Management

It’s absolutely possible to acquire tools that understand cross-platform management of patches and security-related configuration settings (which we’ll collectively refer to as vulnerabilities from here on out). You’ll rarely get those tools from the first-party operating system vendors, but there’s a rich third-party ecosystem that you can tap into instead. For example, as shown in Figure 1, tools exist that can help manage multiple computers, running a diverse array of operating systems (Windows, various Linux builds, and even Mac OS X are shown).
Figure 2: The US National Institute for Standards and Technology offers a checklist of vulnerability-related settings.
This cross-platform support is crucial, because it’s the only way to truly get all of your vulnerability management onto a single screen, and into a single set of reports. Typically, tool vendors achieve this level of cross-platform support through an agent-based architecture. By writing a centralized management console – which itself may only run on a single operating system like Windows, or which may be Java- or HTML-based for cross-platform operations – they support multiple operating systems by simply developing and deploying an OS-specific agent for each supported OS. That means bringing a new OS into the organization is as simple as acquiring the proper agent.
Remember: Not Just Patches

Vulnerabilities consist of more than just patches, although those are obviously a big part of the picture. Sometimes, vulnerabilities can be corrected by a simple configuration change, such as enabling a firewall, engaging a specific operating system feature, and so on. Organizations typically have business policies in place that dictate how these settings should be used, but comparing those policies to what’s actually in use can be difficult – if not impossible. Many organizations may rely wholly or in part upon industry-standard configuration models or best practices, which again can be difficult or impractical to actually validate.

Once again, cross-platform vulnerability management tools can provide a solution. Again assuming an agent-based architecture, it becomes pretty simple to inventory specific settings on each computer – regardless of OS – and feed that inventory to a central console. That console can then compare each inventory to the desired policy-level setting, and produce a compliance report on demand.

For example, Figure 2 shows a checklist from the US National Institute for Standards and Technology, listing several vulnerability-related settings and recommendations. Note in particular the ones for Microsoft Internet Explorer 8.

The recommendation provides several desired settings, provided as Group Policy objects, human-readable suggestions, and in other formats. Those resources can help make the settings easier to deploy, but they don’t necessarily make them easier to validate. Group Policy, for example, is a wonderful technology for pushing out settings, but it doesn’t provide a feedback mechanism that lets you demonstrate which computers actually took the settings and are still using them.

But other tools can also consume those recommendations and compare them to agent-acquired settings inventories. As shown in Figure 3, such a tool can produce a report of desired settings and indicate which ones are in compliance, and which aren’t.

Figure 3: This report indicates whether or not settings are in compliance.

Going Beyond the OS

We tend to focus heavily on the operating system when we think about software patches and configuration settings, but that’s hardly the only software in the organization. Applications – Java, Acrobat Reader, Firefox, you name it – all present potential vulnerabilities, and must be properly patched. They can be much more demanding than operating systems, because they typically are built to rely upon their own self-updaters – which users may or may not turn off or allow to run on schedule.

While OS vendors have little desire or drive to focus on third-party applications, a third-party centralized vulnerability management tool certainly could. Consider Figure 4 as an example: such a report provides an easy way to see which patches are available, which have been deployed, which systems are using the patch, and which aren’t. You can get a quick look at your overall patch compliance – the bar chart shown in the upper-right – and a list of systems that need further attention in order to become compliant. Rather than spending an inordinate amount of time trying to find problems, you’re directed right to the systems that actually need your effort.
Management via CNN

Too often, our first clue about a major new vulnerability comes from the news media. Once they’ve picked up a story, though, it’s probably too late. You’re not going to be worrying about how to prevent that vulnerability, but rather worrying about whether you’ve already got it covered, and how exposed you might be if you don’t.

That’s where online resources can come in handy, and a good centralized vulnerability management tool can leverage those to create an all-in-one, “breaking news briefing” to help you out. By combining existing resources – such as bulletins from the Internet Storm Center, Microsoft security bulletins, and so forth – with an existing inventory of patches and configuration settings, you can get a quick look at the condition of your environment. Figure 5 illustrates how this can help, by showing you a consolidated view of current threats, which you can then review in your patch management console to ensure the appropriate fix has been deployed – and quickly identify systems that remain at risk.
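The console logic the paper describes in the two sections above (per-OS policy baselines compared against agent-acquired settings inventories, a patch compliance summary of the kind shown in Figure 4, and security bulletins correlated with the patch inventory to list at-risk systems as in Figure 5), written out as an added Python example; this is not Lumension’s code or any product’s, and every setting name, patch id, bulletin id and host is a constructed placeholder.

```python
from dataclasses import dataclass, field

@dataclass
class HostInventory:            # what one OS-specific agent reports to the console
    name: str
    os: str                     # "windows", "linux" or "macos"
    settings: dict              # setting name -> value as found on the host
    patches: set = field(default_factory=set)   # installed patch ids

# Policy baseline: desired value per setting, keyed by OS because the same control
# (e.g. host firewall on) has a different name on each platform. Constructed values.
POLICY = {
    "windows": {"firewall.enabled": "1", "ie8.protected_mode": "1"},
    "linux":   {"ufw.status": "active", "sshd.PermitRootLogin": "no"},
    "macos":   {"alf.globalstate": "1"},
}
# Required patches per OS, and bulletins mapped to the fixing patch (placeholder ids).
REQUIRED_PATCHES = {"windows": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
                    "linux": {"openssl-EXAMPLE"}, "macos": {"SecUpd-EXAMPLE"}}
BULLETINS = {"BULLETIN-A": "KB-EXAMPLE-2", "BULLETIN-B": "openssl-EXAMPLE"}

def settings_compliance(host):
    """{setting: (desired, actual, compliant)} for the host's OS policy."""
    return {k: (v, host.settings.get(k), host.settings.get(k) == v)
            for k, v in POLICY.get(host.os, {}).items()}

def missing_patches(host):
    return REQUIRED_PATCHES.get(host.os, set()) - host.patches

def compliance_report(hosts):
    """Console-style summary: per-host findings plus overall patch compliance %."""
    per_host = {h.name: {
        "noncompliant_settings": [k for k, (_, _, ok) in settings_compliance(h).items() if not ok],
        "missing_patches": sorted(missing_patches(h))} for h in hosts}
    patched = sum(1 for h in hosts if not missing_patches(h))
    return {"hosts": per_host,
            "patch_compliance_pct": round(100 * patched / len(hosts)) if hosts else 100}

def at_risk(hosts, bulletins=BULLETINS):
    """Bulletin -> hosts whose OS needs the fixing patch but do not have it yet."""
    return {b: sorted(h.name for h in hosts if p in missing_patches(h))
            for b, p in bulletins.items()}

# Constructed sample inventories, as agents on three platforms might report them.
HOSTS = [
    HostInventory("win-01", "windows", {"firewall.enabled": "1", "ie8.protected_mode": "0"}, {"KB-EXAMPLE-1"}),
    HostInventory("lnx-01", "linux", {"ufw.status": "active", "sshd.PermitRootLogin": "no"}, {"openssl-EXAMPLE"}),
    HostInventory("mac-01", "macos", {"alf.globalstate": "0"}, {"SecUpd-EXAMPLE"}),
]
```

Calling compliance_report(HOSTS) yields the per-host findings and a 67% patch compliance figure, and at_risk(HOSTS) shows that only win-01 is still exposed to BULLETIN-A.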
Cross-Platform. Centralized. Managed. Informed.

Organizations have, for the most part, given up on the dream of a completely homogeneous environment, particularly within the datacenter. Instead, we’re acknowledging that “the right tool for the right job” is the best approach, and doing what we can to manage the resulting boom in OS and application variety. That needn’t involve a lot of manual effort, though. With the right tools and the right management approach, you can manage a dozen different OSes, and their applications, all at once. You just need a centralized management system that understands cross-platform vulnerability management.
Figure 4: Reports can give updates on various patches.
Lumension (http://lumension.com) is a leader in the field of cross-platform vulnerability management. Their Endpoint Management and Security Suite provides a range of unified, cross-platform management options, including patch management and configuration auditing, that can help bring order to the chaos of multiple-OS security management. Visit their Web site to see what they have to offer.
Figure 5: A report like this can help you identify systems at risk.
Lumension, “IT Secured. Success Optimized.”, and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.