The Ashimmy Blog: patching

37 posts categorized "patching"

February 14, 2007

Protecting against the latest Microsoft vulnerabilities

So, another patch Tuesday and another flood of press releases announcing that these great security companies protect against them. We used to do this at StillSecure, but realized that our customers expected us to provide protection against these almost as soon as they came out. Is it really worth putting out a press release over, month after month? Is it newsworthy? Does it influence you in any way? I don't think so. I would like to see a company put out a press release that they don't protect against the latest vulnerabilities. That would be news.

Guys lets save the paper. Protecting against the latest vulnerabilities by Tuesday night is table stakes to sit at the table. Not anything to jump up and down about.

Happy Valentines Day!

Posted at 09:30 AM in microsoft, patching | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: alan shimel, patch tuesday, vulnerabilities

January 23, 2007

Is self-remediation the answer in NAC?

I was reading a press release by a UTM vendor today, whose latest box now also claims to perform network access control by combining layer 2 switching with UTM functionality. Interesting to see yet another player jump on the NAC bandwagon, though the details of what they do were kind of vague. Anyway, the thing that caught my eye about it was they made such a big deal out of their ability to provide self-remediation. They claimed that it was key to cutting down on help desk calls and thereby reduce operating costs. Sounds logical doesn't it? Wrong!

This is a common misconception in the NAC market. Frankly, it shows that the marketing and product management team have not yet spoken to a lot of real life customers about the issue. Hey, we had the same notion here at StillSecure and still of course do offer self-remediation. However, experience has shown us a couple of things. One is that outside of the IT department, very few employees in the enterprise are capable of actually self-remediating their computer. Even something as simple as updating their anti-virus dat file is a daunting task to the folks over in the HR or finance departments. Another thing is having one page that contains all of the various places one goes to update (one site for AV, another for windows, another for applications) can be confusing to users. The bottom line is that self-remediation often leads to increased help desk calls and so higher operating costs. Not to mention that many enterprises already have patch management solutions deployed and unmanaged users should not drain your help desk resources.

The bottom line is that self-remediation is not the slam dunk that some johnny-come-lately to the NAC market would have you believe. Your NAC solution should also offer you the ability to have automated remediation including integration with your existing patch management product.

Posted at 11:30 AM in NAC, patching | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: alan shimel, NAC, patching, remediation, safe access

December 12, 2006

This Patch Tuesday is screaming for a 3rd party patch

With the Patch Tuesday release today it seems that Microsoft is up to their ears in fixes. However, two of potentially the biggest were not included in this fix. I am of course referring to the two MS Word holes that were found and have been exploited in the wild already.

Just a few months ago Determina, eEye and ZERT were falling over themselves to help us all with 3rd party patches to hold the fort down until Microsoft got around to it. Now when it would seem the need is extreme, they are no where to be found. Maybe they realized it is not a profitable business? Maybe it is really hard to patch these? I don't know, but this is part of the reason why I think the whole VA thing is dead as a stand alone strategy.

Posted at 04:01 PM in patching, vulnerability management | Permalink | Comments (2) | TrackBack (0)

Technorati Tags: 3rd party patches, microsoft, patch tuesday, patching, vulnerability, word

December 11, 2006

Vulnerability Assessment is dead, can I sell you a scanner?

Taking a page from the Richard Stiennon playbook, let me make an outrageous statement/prediction, that if it pans out will result in me being labeled a visionary (yeah right). I say now that vulnerability assessment as it has existed for the last 5 or 6 years is dead! I think everyone familiar with the VA market has been pussyfooting around this issue for a while now. To understand why I say this, you need to take a look at the evolution of the VA market.

When StillSecure first entered the VA market back in 2002, the state of the art was that there were scanners out there that would scan your network for vulnerabilities and give you a report on what was found. Players such as eEye and ISS sold commercial scanners and the open source Nessus scanner was by many viewed as the equal or superior of them. There was another category of vulnerability assessment that was performed via an agent like NetIQ and Pedestal Software (acquired by Altiris). Essentially, one was network scanner based, the other agent based but doing similar things. The scanner based versions then matured to include distributed systems that allowed large enterprises to be scanned in a timely manner and centrally managed.

The next step in the evolution of VA occurred when some of the pure scan and report vendors started adding workflow and vulnerability management to the mix. StillSecure's VAM and Foundstone were early entries in that space. The next big trend in vulnerability assessment was its integration with other security and network management tools. Integration with patch management, trouble ticket systems, asset inventory systems, network management, etc. began to integrate vulnerability assessment products into the larger fabric of IT management. At the same time integrating and correlating vulnerability data with other security technologies also came into vogue.

The next big thing in VA was risk management/compliance (some might say it was all about risk management from the beginning). Expanded, customized reporting that allowed administrators to manage their risk month to month and generate reports for auditors and geared towards compliance issues were a new way for VA to offer more value.

Over the past year, many have asked what is next for VA. I think we are seeing the answer. The answer is VA is morphing into security configuration management. Ron Gula and the Tenable team have been pushing this with Nessus and their commercial products for a while now. Now nCircle announces today their Configuration Compliance Manager. At StillSecure we have had this ability for some time and our newer tests are more geared to this type of test and policies. Our customized reporting lends itself well to this task. I am sure we will see the rest of the VA pack hopping on this bandwagon soon.

Why is vulnerability management in this torpid state and morphing into configuration management? There is no easy answer. First of all, even though it is not growing as fast as it was or is as cutting edge as it was, it is still a widely deployed and used technology and will continue to be so for years to come. Much as IDS is dead, but alive and well in networks everywhere, vulnerability assessment will continue to live on. However, it has seemed to loose some of its appeal. The reasons for this are many. One is the natural evolution of the security market. Another is the basic fact that vulnerability assessment and the patch management market it works with is a hamster wheel game, bad news generator. You scan, you find bad stuff, you fix, you scan again and again and again. Can you ever get out ahead with that strategy? I think the market is looking to break the cycle and find a more efficient way of dealing with the problem. In the meantime the security configuration management space is not an end game for VA, just a another step on the road. The problem with using these tools for security configuration management is they do not have any enforcement or teeth. Unless combined with some sort of NAC solution (that is where this stuff is really going), configuration scanning is just good for generating reports. The market will demand action if these products are going to succeed. Look for that action coming soon.

At StillSecure we already have this. We call it the policy driven network and we are implementing it with a large government customer. This is the future of VA. In the meantime remember you read it here first, VA is dead!

Posted at 10:26 AM in NAC, patching, VAM, vulnerability management | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: alan shimel, nCircle, nessus, richard stiennon, stillsecure, VAM, vulnerability assessment, vulnerability management

October 13, 2006

Toto, you are not in Kansas anymore

Seems Greg Toto, VP of Product Management at Big Fix, took a little offense to my comments regarding patch management and Big Fix. I would normally leave his comment condemned to right hand column purgatory, but Greg obviously feels pretty strongly about his position and frankly I think he is dead wrong. So I am going to publish his comments into the middle column along with my response. Of course, I will give Greg a chance to respond as well. You should also know that I have spoken to Greg a few times in the past and though he is passionate about his product, I have nothing personal against him. However, Pride is one of the 7 deadly sins. Interestingly enough it was St. Gregory the Great who originally introduced the 7 deadly sins and he lists Pride as the first and most deadly. It would appear Greg has not read his namesakes work and is certainly guilty here. Lets look at what he has to say:

Alan,

Nice piece about patch management consolidation. I think you
addressed the inaccuracies in the SearchSecurity article well. However,
I think you missed the mark on a couple of things.

One is that scanning based vulnerability assessment vendors have any
long-term future at all – with or without remediation. I think they are
fundamentally doomed. Sorry, but the laws of physics are against the
network-scan paradigm. You cannot expect to control something (risk
profile, configuration, compliance, whatever), any more tightly that
half as fast as you measure it, and that assumes you can make your
measurements – vulnerability scans for example – accurately and
completely. Accuracy and comprehensiveness (can we say “mobile
assets”), are not hall-marks of scan-based VA.

Now on to BigFix. You mention that we have “tried to position”
ourselves as “so much more” that patching and may be left out of this
“feeding frenzy”. Oh Alan, how much you miss! You have confused our
point of entry into the enterprise market (patch management), with what
BigFix is - a disruptive platform for managing the health and security
of enterprise computing assets – anytime, anywhere – in real-time. And
note, I didn’t say “Windows assets”, I said “computing assets” - these
days every asset that connects to your network is part of your risk
equation and ultimately your management headache.

Nor is BigFix overly concerned about being acquired. We have the
right technology and team to upset the systems management apple-cart in
large enterprise (and I include security in that cart as well). But
don’t believe me, just ask BigFix’s global enterprise customers that
are now replacing SMS, and Tivoli, and Radia, and Altiris, and McAfee -
and their gaggle of point tools – like PatchLink - with a BigFix’s
security configuration management solution that covers network
discovery, inventory, software distribution, anti-malware, and yes,
patch! Like TRW Automotive, Pitney Bowes, Countrywide Financial and 500
more.

Regards,

Greg

OK, lets dig in here. First of all to Greg's point about scanning based vulnerability assessment having a bleak future. Greg's reasoning is that they are fundamentally doomed due to the laws of physics. Greg sites what I guess is the Toto Law of Special Relativity, that says you cannot control something, any more tightly that (sic) half as fast as you measure it. I assume he means any more tightly than half as fast. In any event, I remember taking some physics in school. I do remember some physics theories by a guy named Einstein and some laws by Newton, but I don't remember any by Greg Toto and I don't remember any law of physics anything like he is talking about. Now maybe I was out in the Rathskeller that day drinking beers and missed it, but I doubt it. So Greg I have to call BS on your laws of physics. Next, what difference does it make anyway. Are you telling me that your law would only apply to vulnerability scans but somehow host based assessments would be immune from this law of physics? Are your host based assessments not subject to the laws of physics or do the laws of physics cease to function when applied to Big Fix. Somehow, Greg says, that because I have an agent on a machine, the information I will receive from the assessment it does is of a higher accuracy, faster and more comprehensive than a network based scan. Greg, maybe you should go to talk to Richard Stiennon and let him tell you about how you cannot believe an endpoint to honestly report on itself. You probably need both views at certain times to truly deal with this problem.

Then Greg you point out that network based scans might have a problem with "mobile assets". Glad you brought it up. Yes if the device is not on the network at that time, it cannot be scanned. Let me throw one out at you, can we say "unmanaged mobile assets". Yeah Greg, what do you do when you can't put your software on the device to test it. Don't start rambling about your partnerships with Infoblox and such who can put it in quarantine. That is diminishing productivity. Greg, you can jump up and down and rant all you want. Fact is that putting agents on every single device is never a complete answer in todays dynamic environments. You are going to have devices that you cannot install software on and then what do you do? On top of this, last I looked there was not a very big fan club of putting yet another agent on machines to manage. Frankly I don't care if you have agents for Windows, Mac, Linux, OS/2 or the microwave oven for that matter. The more agents, the more overhead!

I think any rational security expert without an ax to grind or a product to sell, will tell you that you need both host-based and network based security in place. You need to make sure you are getting an independent view of what is coming on the network and what its posture is. In fact much of today's security technologies come down to network based and host based approaches. Though our products are clearly network based, I am not too proud to say that they are all you need. There is certainly a need for host based security. But Greg don't be so prideful to think that the reverse is not also true. I find it hard to believe you would not agree with that Greg.

Next Greg takes out the marketing hose and starts spraying Big Fix marketing hype all around. So lets put our boots on and wade on in. It seems Big Fix can do it all. Greg I think you left out access control, I know you claim to do that as well. In fact Greg, Big Fix does so many things it is sort of the Popeil Kitchen Magician of security configuration. Maybe you can get Ron Popeil to put you guys on after the Showtime BBQ rotisserie. It could be a new distribution channel for you. Remember the old saying though, jack of all trades, master of none!

Are we to believe that Big Fix is so disruptive that Microsoft should stop selling SMS, IBM better not bother with Tivoli and HP should just junk Radia, not to mention Altiris, McAfee and the rest. Please Greg, like the title of this article says, you are not in Kansas anymore son. Don't come out here spewing marketing spin and expect to score any points or fans. When you are taking on companies like this, you are playing in the big leagues and a little humility may do you some good. These are all companies with exponentially more resources, experience, sales footprint and distribution models than Big Fix. You tell us about a few customers, last time I checked Tivoli and SMS had a few customers too. Greg, your pride is showing through and blinding you to common sense. But lets be real, at the end of the day you are not in their league fella. Big Fix's bread and butter is still patch. When you get big enough to become a blip on the big boys radar they will swat you like a fly. At that point I suggest you put on the ruby slippers, click your heels three times and wish you were just a patch manager again. It may be to late.

Posted at 03:15 AM in other security companies, patching | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: big fix, patch, shimel, toto

October 06, 2006

Patch Management coming to a large security company near you, soon

Dennis Fisher over at SearchSecurity.com has an article up about patch management vendors under seige. The gist of the article is that like Mike Rothman, Dennis believes the Citadel-McAfee deal is going to set off a feeding frenzy for stand alone patch managers, as the large security behemoths seek to add patching to the stable. Where Dennis I think, is a bit confused, is that he must of drank a double dose of Patchlink CEO, Pat Clawson's Kool Aid. I have to question Dennis's knowledge of the space when he says things like "The space is populated mainly by a handful of large players, such as CA Inc., Symantec Corp.'s BindView offering and PatchLink Corp., in addition to myriad smaller, more specialized vendors, including Altiris Inc., Shavlik Technologies LLC, BigFix Inc. and St. Bernard Software Inc.". Large players such as Patchlink, in addition to the smaller more specialized vendors like Altiris? Dennis, take a good look at Altiris's market cap and you tell me if they are a small vendor versus Patchlink. Maybe it was Pat Clawson's spiel about being on an acquisition spree that fooled Dennis. The only acquisition spree they are going on at Patchlink is maybe at the 99 cent store. Pat looks like he is following the same strategy he followed at Cyberguard, from which he came. Bottom fishing for distressed companies that might have some salvageable technology he can grab for next to nothing, to stack up and make it look interesting to a prospective buyer.

Make no mistake about it, Dennis and Rothman are right. We are going to see consolidation here. Dennis has Symantec's BindView as a large player in the patch field. I think he is wrong again. Bindview is a vulnerability assessment player (and not a great one at that, never understood why Symantec picked them) that actually would benefit from a patch acquisition by Symantec. I think the folks to acquire patch vendors are the vulnerability assessment players. Look for IBM/ISS to make a move here. Possibly look for Qualys or nCircle (if they are not acquired themselves) to either try to acquire or forge a strategic relationship here. I have always wondered why Cisco is not a bigger player in vulnerability management. Maybe even eEye will make a move. I do think Patchlink will be the next to go though. With their founders lawsuits hanging over their heads, Clawson's track record and the company size, they make a good target. One company I think may get left out in the cold on all of this is Big Fix. Because they have tried to position themselves as so much more than just patching, they may have positioned themselves right out of this feeding frenzy.

Important thing to remember though is that at the end of the day, there is a giant 8000 pound gorilla in this space who will ultimately own it. Whether it be WSUS, SMS, Windows Update or their next version, Microsoft is the player that keeps the rest of the guys up at night.

Posted at 12:52 AM in patching, vulnerability management | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: citadel, mcafee, patching, patchlink, symantec

October 04, 2006

McAfee scoops up Hercules

Yesterday it was announced that McAfee acquired Citadel Software for 56 million dollars. I have known the folks over at Citadel for many years. Congratulations to Steve Solomon, Carl Banzhoff, Michael Hall, Michael Wiser and the rest of the gang over there. If you are not familiar with Citadel, let me tell you that in the federal market place they are a powerhouse and they probably have the largest library of patches and remediations available. AT 56 million it seems like a bargain for McAfee. Not sure where there stock was before this, but at one time Citadel was trading for many times that number.

McAfee has now bought Preventsys, Foundstone and Citadel. If they can put them together without to much overlap it could be a great combination in vulnerability management.

Posted at 08:21 AM in patching, vulnerability management | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: citadel, mcafee, vm

October 02, 2006

3rd party patching - Pandora's box is opened

So it seems the genie is out of the bottle on 3rd party patching. With the new IE vulnerability that became public last week, it has been reported that both ZERT and Determina have released patches until the official patch is releasd.,currently scheduled for the regular Patch Tuesday release for October 10th. This is on the heels of a previous ZERT patch for the VML flaw a few weeks ago, a Patchlink workaround for the same flaw and of course eEye's 3rd party patch of a few months ago. I still think that Ross Brown is right on with this one. 3rd party patching is not a business. I think the ZERT guys are looking to do this to make a statement and their commercial aims are less clear. I think commercial companies release them from time to time but quickly find out the gain is not worth the risk. However, we are going to continue to see one company after the next experiment with these and more people are going to give them a try.

Another problem is if you have multiple 3rd party patches for a given vulnerability, which one should you apply? How do you distinguish quality? I think it is going to be pretty much the wild, wild west out there and it won't get better any time soon.

Posted at 08:59 PM in patching, vulnerability management | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: third party patch, ZERT

September 26, 2006

Third party patches and the layered security model

As I expected, Ross Brown responded to my question on 3rd party patches. His answer both surprised me in that I think we actually agree on some things and disappointed me in that for the sake of pushing Blink (that does seem to be his latest crusade) he seems to have taken a very narrow approach to risk management and security that goes against a best practices, layered approach to security. For this reason Ross wins my book of the month club award.

First, why I was surprised and agree with Ross. Third party patches are as he says, not a great idea and a necessary evil that should be used sparingly. I agree and said as much in my earlier article. The reasons Ross cites are exactly the kind of things that I and others have said from the beginning. To many moving parts and to much risk, not familiar with the source code involved. Ross flat out says it is not worth the return from a business perspective. This of course is a little different than what we heard from eEye a few months ago, but to be fair, Ross was not CEO then. I wonder how much the rise of ZERT has influenced this decision, if at all. I will leave it to you all to decide. Here is my question to you Ross, if this is not a business you want to be in, why don't you promote and help ZERT in their efforts.

Where I disagree with Ross is his answer to the zero day problem (oh no, not another answer to the zero day problem), Blink. In a nutshell Ross's arguments for Blink are similar to those made most popular by Tipping Point, but by others as well. Namely, that patching is a losing battle, that other security technologies are rendered superfluous by their favored product and that they have the magic bullet. Tipping Point claims digital vaccines and all kinds of other zero day protection, that will allow you to apply patches in your spare time, when you get around to it. Now Ross is giving us the same spiel. Anytime I hear the magic bullet speech, the hairs on my neck stand up (my neck is one of the few places I still have hair near my head) and I fight back the urge to puke. Ross says that in fact Blink is so good they are coming out with server versions next. Geez, maybe they should change the name from Blink to Stare, you know, always on versus on and off.

Sounds to me like eEye wants to take on ISS and Cisco in the host-based protection market. However, what Ross appears to be missing or at least is not saying, is that host based protection alone is never going to be enough. The same way network based IPS is never enough by itself, which is why you see Tipping Point adding UTM type functionality to their line up. ISS positions host based protection as just one piece of the total security answer. Frankly, the host based market has several good products. ISS, Cisco and McAfee are but three vendors that have quality offerings. However, none of them claim it to be the be all and end all. Ross, there is no Santa Claus, there is no Tooth Fairy and there is no silver bullet in security. You can tout your product as a great selection in its class all you want, but when you over promise, you can only under deliver. A good layered security model is still the best bet for anyone serious about reducing their risk and securing their network.

Editors Note: Of course I made this picture from the great book Blink, by Malcolm Gladwell

Posted at 09:53 PM in General Security, IDS/IPS, patching | Permalink | Comments (1) | TrackBack (1)

Technorati Tags: blink, eeye, layered security, patching

September 25, 2006

Who would you trust for a 3rd party patch?

I have been reading some more on this 3rd party patch from ZERT. Reading the ZERT Manifesto, it would appear that they are serious about providing protection for 0-day exploits. It would also appear that this is not a group that was formed for profit in releasing these patches. At the very least, not a commercial entity. Now the only commercial entity that has done 3rd party patches that I know of is eEye. I have been thinking that if there was a situation where I was going to consider deploying a 3rd party patch, would I want to use one from a non-commercial, non-profit type of organization or a commercial entity such as eEye? I know Ross Brown of eEye reads this blog. I would be interested in what Ross thinks. The obvious answer from Ross is the commercial entity. However, give me some good reasons why.

Is there a place where these two types of entities work together so that there is one 3rd party patch, tested and approved by non-commercial and commercial entities alike. I think 3rd party patches to be successful are going to have to be rarely used and of top quality. It should be interesting to see what type of 3rd party patch provider you would prefer. Maybe we can get someone from ZERT and eEye on the podcast one night. Anyway, which would you use?

Posted at 11:25 PM in patching, Security Incite | Permalink | Comments (0) | TrackBack (1)

Technorati Tags: eeye, vml, zert

The Ashimmy Blog