Solved

Enterprise Level: Automatic assessment and patching tool - crossplatform

Posted on 2003-11-06
13
562 Views
Last Modified: 2010-04-11

Hi all,

This question is related to a few queries I have had from large customers who are looking for the following:

 - a single appliance or application that can scan a network (pref. agentless) for unpatched systems on multiple platforms (especially MS & Solaris)
 - can then be told to apply patches to a beta subset of those systems
 - can then be told to distribute the patches to the entire network - pref with use of distributed repositories etc
 - will generate good reports during all phases

They are not looking for these guys:

 - SMS
 - Tivoli
 - Unicenter
 - etc etc etc

We are talking about something that can be implemented quickly and relatively *painlessly.*

I know there are a bunch of great tools for finding unpatched systems, like Nessus & Retina, however it is being able to fix-after-find that has become important to large organisations due to the manpower required to keep their systems up to date.

Can anybody help me with this - discussion on this topic is appreciated!

Thanks...
0
Question by:ferg-o
13 Comments
 
LVL 18

Expert Comment

by:chicagoan
ID: 9699571
Have you looked at windowsupdate.com?

;-)

ISS has some fairly copious output on resolution of found vulnerabilities and in using it (and Nessus and Microsoft's tools) found that few (if any) enterprises have the kind of homogeneous infrastructure that could withstand automated updates. The sort of decisions that have to be made before deploying patches involve a sort of fuzzy logic that require regression testing and assessment of risk and SMS, ZEN or Marimba-like rollout tools integrated into the package which would allow rollback and cross-platform compatibility.

A killer app to be sure, but I don't think it's out there.
0
 
LVL 6

Expert Comment

by:durindil
ID: 9700849
The reason that SMS, Tivoli, etc. are so expensive is that they can push updates out after checking. You have to have an infrastructure in place, which includes a client on the host to accept the updates.

Both Windows and Solaris have automated patch checking utilities, but they push all of the patches out, not just the ones you want.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9700909
"... not just the ones you want"
there's the rub - the effort in vulnerability management is examining the patches to make sure they're not going to break something
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9701579
You can do this yourself if you are skilled enough in scripting. Now I don't know about Solaris but MS has the QFECHECK utility that you can run both locally and remotely to find out what hotfixes have been applied to what PCs. If you have an administrative point on your network to house all of the possible hotfixes you want to make sure the PCs have, you can then write scripts that will go out and find out what all of your PCs have on them. Your script of course will need to dump the info into a database which you can then use to script applying the hotfixes from your admin point to wherever needed.
0
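The inventory-then-database-then-targeted-push workflow described in the comment above, as an added example that is not code from this thread or from any product named in it. Each host's list of installed hotfixes is loaded into SQLite, the database is queried for hosts missing a required hotfix, and the result can be narrowed to a pilot subset before a network-wide push. The host names, hotfix IDs and the shape of the inventory are constructed; the listing is a simplified stand-in for what a remote QFECHECK run would report, not the tool's real output format.

```python
"""
Added example, not code from the thread: hotfix inventory -> SQLite -> report of
hosts missing required hotfixes -> optional pilot-only target list.

All data below is constructed. The inventory is a simplified (host -> hotfix ids)
listing standing in for what a remote QFECHECK run would report; it is not the
tool's real output format.
"""
import sqlite3
from typing import Dict, List, Optional

# Constructed inventory: hotfix IDs found on each host.
INVENTORY: Dict[str, List[str]] = {
    "ws-001": ["KB-0001", "KB-0002"],
    "ws-002": ["KB-0001"],
    "ws-003": [],
    "srv-01": ["KB-0001", "KB-0002", "KB-0003"],
}

# Constructed baseline: hotfixes every host is expected to carry.
REQUIRED: List[str] = ["KB-0001", "KB-0002", "KB-0003"]


def open_db(inventory: Dict[str, List[str]]) -> sqlite3.Connection:
    """Create an in-memory database and load the per-host hotfix inventory into it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT PRIMARY KEY)")
    conn.execute(
        "CREATE TABLE hotfixes (host TEXT, hotfix TEXT, PRIMARY KEY (host, hotfix))"
    )
    for host, fixes in inventory.items():
        conn.execute("INSERT INTO hosts VALUES (?)", (host,))
        conn.executemany(
            "INSERT OR IGNORE INTO hotfixes VALUES (?, ?)", [(host, f) for f in fixes]
        )
    conn.commit()
    return conn


def missing_hotfixes(conn: sqlite3.Connection, required: List[str]) -> Dict[str, List[str]]:
    """Return {host: [missing hotfix ids]} for every host lacking a required fix.

    Hosts that carry everything in `required` are absent from the result.
    """
    conn.execute("CREATE TEMP TABLE IF NOT EXISTS required (hotfix TEXT PRIMARY KEY)")
    conn.execute("DELETE FROM required")
    conn.executemany("INSERT INTO required VALUES (?)", [(r,) for r in required])
    rows = conn.execute(
        """
        SELECT h.host, r.hotfix
        FROM hosts h CROSS JOIN required r
        WHERE NOT EXISTS (
            SELECT 1 FROM hotfixes x WHERE x.host = h.host AND x.hotfix = r.hotfix
        )
        ORDER BY h.host, r.hotfix
        """
    ).fetchall()
    report: Dict[str, List[str]] = {}
    for host, fix in rows:
        report.setdefault(host, []).append(fix)
    return report


def targets_for(conn: sqlite3.Connection, hotfix: str,
                pilot: Optional[List[str]] = None) -> List[str]:
    """Hosts that still need `hotfix`, optionally restricted to a pilot subset
    (the 'beta subset' the question asks for before a network-wide push)."""
    rows = conn.execute(
        """
        SELECT host FROM hosts
        WHERE host NOT IN (SELECT host FROM hotfixes WHERE hotfix = ?)
        ORDER BY host
        """,
        (hotfix,),
    ).fetchall()
    hosts = [h for (h,) in rows]
    if pilot is not None:
        allowed = set(pilot)
        hosts = [h for h in hosts if h in allowed]
    return hosts


def build_report(inventory: Dict[str, List[str]] = INVENTORY,
                 required: List[str] = REQUIRED) -> Dict[str, List[str]]:
    """Convenience wrapper: load the inventory and return the missing-hotfix report."""
    return missing_hotfixes(open_db(inventory), required)


if __name__ == "__main__":
    for host, fixes in build_report().items():
        print(f"{host}: missing {', '.join(fixes)}")
    conn = open_db(INVENTORY)
    print("pilot targets for KB-0003:",
          targets_for(conn, "KB-0003", pilot=["ws-001", "srv-01"]))
```

The NOT EXISTS query is the whole point: once the inventory is in a database, "which hosts lack which required fix" is one query rather than a loop over hosts, and the same database answers the pilot-group question by filtering the target list.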
 
LVL 4

Author Comment

by:ferg-o
ID: 9705158
I don't mean to be ungrateful but *all the above "answers" are crap and do not answer the question!*

Chicagoan - windowsupdate.com? That is a great cross-platform tool - and Microsoft has never released an update to fix a problematic update have they? Well done - get yourself a beer.

Durindil - missing my point - my clients are looking for a management system - not a bunch of scripts etc..

TooKoolKris - obviously nobody is as skilled in scripting as yourself. READ MY POST - this is something two of my clients have requested. One of them is a global investment bank and the other is a major shipping company. I am not an end-user.

Ideally a system like this will operate in a similar fashion to McAfee's ePO enterprise AV management system. New DAT files can be treated as beta, eg rolled out to the IT department, and when they are considered safe they become current - and then distributed to the entire network. The current dats become "previous" and it is a simple matter to roll back after that.

I am asking a question - not looking for a lecture! Can we get back to this question please - 250 points for an expert - not for an opinionated punter.


0
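The beta / current / previous promotion scheme ferg-o describes above, modelled as an added example that is not code from this thread or from McAfee's ePO. A newly staged package goes only to a pilot group, is promoted to "current" for the whole estate once judged safe, and the displaced "current" is retained as "previous" so a rollback is a single step. Host names, version labels and the pilot group are constructed.

```python
"""
Added example, not code from the thread: a model of ePO-style staging in which a
package is 'beta' (pilot group only), then 'current' (everyone), with the
displaced 'current' kept as 'previous' for rollback. Everything here is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Catalog:
    current: Optional[str] = None      # what the estate at large should run
    beta: Optional[str] = None         # candidate, pilot group only
    previous: Optional[str] = None     # rollback target
    pilot: Set[str] = field(default_factory=set)
    withdrawn: List[str] = field(default_factory=list)  # versions rolled back

    def stage(self, version: str) -> None:
        """Offer a new version to the pilot group only."""
        self.beta = version

    def promote(self) -> None:
        """Beta becomes current for everyone; the old current is kept for rollback."""
        if self.beta is None:
            raise ValueError("nothing staged as beta")
        self.previous, self.current, self.beta = self.current, self.beta, None

    def rollback(self) -> None:
        """Reinstate the previous version and withdraw the one that caused trouble."""
        if self.previous is None:
            raise ValueError("no previous version to roll back to")
        self.withdrawn.append(self.current)
        self.current, self.previous = self.previous, None

    def target_version(self, host: str) -> Optional[str]:
        """Version a given host should be running under the current catalog state."""
        if host in self.pilot and self.beta is not None:
            return self.beta
        return self.current


def deployment_plan(catalog: Catalog,
                    installed: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Hosts whose installed version differs from their target, with the version to push.

    `installed` maps host -> version currently on that host (None if nothing installed).
    """
    plan: Dict[str, str] = {}
    for host, have in installed.items():
        want = catalog.target_version(host)
        if want is not None and have != want:
            plan[host] = want
    return plan


if __name__ == "__main__":
    # Constructed walk-through: stage v2 to the IT pilot host, promote it, then roll back.
    cat = Catalog(current="v1", pilot={"it-01"})
    fleet = {"it-01": "v1", "ws-01": "v1", "ws-02": None}
    cat.stage("v2")
    print("after staging:", deployment_plan(cat, fleet))
    cat.promote()
    print("after promotion:", deployment_plan(cat, fleet))
    cat.rollback()
    print("after rollback:", deployment_plan(cat, fleet), "withdrawn:", cat.withdrawn)
```

The catalog holds policy only; the per-host decision comes from `deployment_plan`, which is what an agent-based system polls so that a rollback is a catalog change rather than a per-host intervention.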
 
LVL 18

Accepted Solution

by:chicagoan (earned 100 total points)
ID: 9705532
If you weren't looking for a lecture, you shouldn't have posted a flame.

When you said "discussion on this topic is appreciated!" I took it to heart.

As far as the windoze update comment goes, the punctuation characters following it denote an emoticon "wink". For those in the know it means the comment was tongue in cheek and was expressed to convey the sorry state of security today, as it is an example of an automated system that usually works but has failed miserably on occasion, crippling many machines, and is not blindly relied upon by knowledgeable administrators.

I know you pay for your points, one way or another, and deserve serious treatment by knowledgeable professionals. I've been involved in security since gopher was a big deal and you had to pay for Netscape. I have worked within an enterprise for the last eight years in the education community that is straining the limits of a class B network and has every conceivable operating system hung on, and have had the luxury of being courted by every security vendor with something to sell.

My contribution to the discussion was that in my experience a fully automated black-box cross-platform vulnerability management tool does not exist. Too few enterprises have the sort of homogeneous environment where such a system could begin to be deployed without wreaking havoc.

McAfee operated within a thin slice of the enterprise; it is not a valid analogy.

"A bunch of scripts" IS a system, and would incorporate a particular environment's peculiarities as well as a skilled operator using SMS, Tivoli or any other management tool. The thing you're missing is the effort involved in assessing the effect vulnerability mitigation will have on systems where hundreds or thousands of applications are deployed.

If when Code Red was discovered your uber-vulnerability-mitigation system had simply sent out a patch to IE preventing .exe's from being parsed, you would have broken about half of the accounting systems in use at the time, NNM and countless other web based applications. So when those of us who had to deal with it went to work we had to analyze each machine and decide how to protect them. So we had to approach those systems differently by restricting access, renaming system files and working around the problem to keep the applications working, it's an organic process sometimes.

So there's labor involved: skilled professionals have to assess threats and the potential costs of actions and make business decisions on how to expend resources. Tools can help, but the landscape is constantly changing and no tool is going to do it all. For any given enterprise, if you could get the cooperation of business decision makers, developers and systems people you could build a system with whatever tools you had expertise in. It wouldn't be pretty, you couldn't order it from Egghead. There is no panacea, it's painful, just try to take it like a man.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9707399
Get bent buddy! The only sentence in your post that was phrased in the form of a question was:

"Can anybody help me with this" Followed directly by "discussion on this topic is appreciated!"

You got what you asked for now deal with it.
0
 
LVL 4

Author Comment

by:ferg-o
ID: 9712133

Agreed on many points Chicagoan. If the clients listened when I told them that they need to be vigilant with patching and that they should allocate resources accordingly then we wouldn't be having this discussion.

Kinda similar to when we speak to them about having an organic information security policy ratified by the board of directors. Chances are?

My apologies if I came off as an ass with my last post. That's what you get when you hop on your computer after 12 hours of drinking, rugby and Keith Richards defying old age.

To get back to the McAfee analogy - their product has an agent which is installed with local admin rights and can deploy or update software whenever it is told. Which is why it is the market leading enterprise anti-virus management system. Would be a good way to achieve the goal.

As far as the thin end of the enterprise wedge goes, there is no technology that permeates an enterprise more fully than anti-virus. Not particularly glamorous, but vendors have no problem getting people to fork out cash for it. And to be honest with you, at the moment I don't care about anything that clients aren't willing to fork out cash for!

All this being said I have two clients who are looking for a patch management system. This means that they will pay for one. This being the case then either there is a product on the market that will do the job or there should be. One of these organisations is all Windows. They are not interested in scripting, they don't even know what Kix is. They want an appliance or a piece of software that checks their network for unpatched machines and patches them.

But it doesn't look like there is one. Oh well.

And if it wasn't Monday morning "TooKoolKris" I would be well and truly bent...

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9714509
Been there - done that - got the t-shirt

If I had a beer for every time I smashed my head against a keyboard after coming out of an IT Steering Committee meeting where the topic was "do we re-allocate the security line item in the budget to flat screen monitors or a live band for the Christmas party?" I'd be playing on the Betty Ford croquet team.

0
 
LVL 9

Assisted Solution

by:TooKoolKris (earned 150 total points)
ID: 9714687
Not a problem man, I know how it is sometimes believe me. Just ask any of the admins on this site. I give them hell all the time :)

My suggestion for scripting came from the frustration I had when trying to find network tools to do specific tasks. Some programmer informed me about scripting my own tools. Ever since then that's what I've done: when I need an automated Windows management tool I simply write one myself, within the boundaries that scripting allows anyways. It starts out as a slow process because obviously there is a learning curve involved, however after you write a couple of things it becomes more like second nature.

See if this may help,

http://www.shavlik.com/pHFNetChkPro.aspx

Anti-Virus software is not enough. Find out why HFNetChkPro is the real lifesaver.
HFNetChkPro is an automated patch management tool that makes it easy to stay one step ahead of the latest Blaster worms on the horizon. It's the easiest way to keep an eye out for important patches such as MS03-039 and others that will be released to protect your network.

In minutes, HFNetChkPro scans and pushes patches across your network so you can concentrate on other tasks, and breathe a little easier. No time-consuming agents to bog you down either.

Here is a link with a few more that you can check out as well,

http://www.windowsecurity.com/software/Patch_Management/

Good Luck
0
 

Expert Comment

by:Novasurfer99x
ID: 9776775
Do Citadel Security, LANDesk and/or PatchLink provide many of the patches and paths to remediation? I just do not know which one is the best, since one could spend more money than they care to. Pacifica Technologies is an automated assessment system that can plug in patch management solutions and several of the scans from Nessus, Retina and ISS and Sanctum's application scan.
Citadel is vulnerability remediation, which, I guess, is the large umbrella over patch management - that was the spin I was told about them.

0
 
LVL 4

Author Comment

by:ferg-o
ID: 9794896

Yeah - interestingly enough Citadel's Asian disti had a stand next to ours at the HK InfoSec summit on Monday and Tuesday and their product Hercules *looks like* it is exactly what I was after. I will start testing next week...

Not cheap though!
0
 
LVL 4

Author Comment

by:ferg-o
ID: 10421427
turns out it is crap - based on .net and therefore buggy as hell...
0
