For years, companies have had to deal with the threat posed by vulnerabilities in installed software. Now, help is within reach, with Secunia providing a simple solution for dealing with unpatched vulnerabilities.
Today, the Secunia Corporate Software Inspector (CSI) 4.0 will be released, after two months of beta testing (closed and public). It is the first of its kind in the market, securing all software programs (Microsoft and 3rd party programs) in a simple way, and, thereby, ending the days of time consuming, labour intensive, and troublesome patching. This novel end-to-end scanning and patching solution will enable IT departments to come full circle in their security operations, providing them with:
Simplified and automated process of securing Microsoft and third party programs, with the Secunia CSI 4.0 enabling accurate assessment and deployment of the latest security patches
Comprehensiveness and solution-orientation, with the Secunia CSI 4.0 relying on Secunia's world-leading Vulnerability Intelligence from the Secunia Advisory and Vulnerability database
[Quote: "We are in a unique position for doing this, due to the comprehensiveness and quality of our Vulnerability Intelligence (VI) and our unique scanner technology, which together with Microsoft WSUS and SCCM, allow us to provide a solution that enable companies to come full circle in relation to patch management. The value lies in the comprehensiveness, reliability, and action-ability, provided by combining the best of two solutions; Microsoft WSUS and SCCM, the most renowned and used tools for MS patch deployment, with Secunia's unique scanner technology and world-leading VI" (Niels Henrik Rasmussen, CEO Secunia)]
Companies will now be able to complete full patching cycles with just a few clicks, with the Secunia CSI 4.0 following a four step process: 1) Conduct a full scan of all hosts, 2) Review missing security patches, 3) Automatically create, approve, and deploy the patches, and 4) Re-scan hosts to verify that the patch process has completed successfully.
[Quote: The Community and the customers have actively participated in developing the Secunia CSI 4.0 solution that is being released today. We had more than 1,000 participants in the public beta, counting security professionals, techies, and enthusiasts from across sectors and industries, including the financial and governmental sectors. We are happy that so many beta testers have expressed excitement over the direct integration to Microsoft WSUS (and SCCM), as well as the ease of which the Secunia CSI is able to create and deploy third party patches to Windows based computers" (Niels Henrik Rasmussen, CEO Secunia)]
I Secunia goes simplified PM today
From today, patching will no longer be renowned as a tedious task, and unpatched vulnerabilities residing on local hosts will no longer be able to hide from the IT department.
Today, Secunia releases the newest addition to its portfolio of vulnerability management solutions, the 'Secunia Corporate Software Inspector (CSI) integrated with Microsoft WSUS and SCCM for 3rd party Patch Management' (Secunia CSI 4.0), providing a one-stop, end-to-end patching solution.
[Statement:"Future techies will be rightfully incredulous that there isn't a single software updating system for all the installed software. Imagine there were gas stations for General Motors, Toyota and Volvo cars and that owners of those cars could only be serviced at stations dedicated to them. That's the disgraceful system we all live with today." (Michael Horowitz, Columnist, Computerworld.com, December 2009)]
[Quote: "WSUS and SCCM are practically installed in all companies worldwide today, and now all these companies are given the opportunity to further ensure their IT-security and end the threat posed by vulnerabilities, including those in 3rd party programs. Further, companies can benefit from this without having to radically change their existing infrastructure or invest in learning new tools, as the Secunia CSI 4.0 integrates with WSUS and SCCM" so business as usual (Niels Henrik Rasmussen, CEO Secunia)] II Altered Threat Picture " altered protection need
Over the last few years, the IT-security industry has seen a general trend towards cyber criminals using exploitation of vulnerabilities as the vector to compromise client systems. They have to a great extent abandoned windows, and it no longer appears to represents their first choice " rather, the cyber criminals go for the masses of unpatched 3rd party programs that are not automatically updated by for example WSUS.
This trend is supported by the fact that vulnerabilities in windows are discovered and patched too fast, leaving the cyber criminal with a limited exploitation time frame and scope; that is, a limited return on their exploitation investment (ROI). This is further supported by Marcus Alldrick, head of information security for Lloyd's of London, the insurance underwriting organisation, "Organised crime is putting in significant amounts of money to develop malware, and Web applications are increasingly being targeted (Source 1).
In a recent presentation by Secunia, some of the factors in the cyber criminal's ROI calculation were elaborated, supporting that criminals evaluate targets according to:
ROI = software popularity + ease of discovery + ease and reliability (exploitation) + 'window of opportunity' (duration)
Further, a recent Secunia white paper states that profit motivated cyber criminals increasingly focus on host exploitation due to (1) the variety and prevalence of program portfolios found on typical hosts and (2) the unpredictable usage patterns of users. Considering this in relation to the complexity of corporate networks, supports the interest that cyber criminals are showing.
[Quote: "In recent Secunia research conducted by Research Analyst Director Stefan Frei and Chief Security Officer Thomas Kristensen, we found that the typical private user has to install an average of 75 patches from 22 different vendors (source 4) " with this scoping the typical private user, imagine the patching requirements facing the corporate IT environments. I would not be surprised if even more vulnerabilities would characterise corporate end-points, with even more individual updating mechanisms being needed to ensure a secure and patched network" (Niels Henrik Rasmussen, CEO Secunia)]
As the scope and form of the threat changes, so does the need for new and adapted protection mechanisms. The traditional means such as anti-virus, firewall, IDS/IPS etc. are no longer sufficient in the fight against the cyber criminals.
[Statement: "These results have once again put the spotlight on the assertion that can be heard here and there from various security experts: anti-virus products are patently inadequate, and even IDS and Web proxies that scan content are not enough to protect a network from advanced persistent threats... The security industry's going to have to think about selling solutions that actually work with this type of environment," said Alex Stamos with Isec Partners. "Basically nothing that people have bought over the last 16 years is going to help them stop a single guy sitting at a computer who is a Windows shellcode person targeting one person, and spending months to break into that computer." (Source 3)]
[Quote: "I completely agree with the fact that the more traditional security means do serve a purpose on a corporate network, and companies should not do without these reactive security means. However, as it only takes one vulnerability for the whole network to be compromised, there is without question a need for the more pre-emptive means as well. Only relying on the reactive means provides a false sense of security, as you never know when one of the unidentified program vulnerabilities will invite a criminal into your internal network" (Niels Henrik Rasmussen, CEO Secunia)}
This supports the fact that more than ever there is a need for patching, and doing so in a structured and comprehensive way.
[Statement: "Managing the patch management process is no longer a little administrative chore that is fit In around more important work.; it has become one of the most pressing and difficult challenges facing security professionals... organisations need to accept that patching is a 'business as usual activity' part of a general maintenance regime that happens on a regular basis ." (Source 1).
[Quote: "Since we introduced the scanner technology in 2006, we have been able to see how patching has become more and more comprehensive for companies. We have interacted with the customers, understanding their pain, and evaluating potential best practise. It is the customers, as well as the community's, input to the existing scanner technology that has contributed to our understanding of the market pain and the subsequent opportunity for improvement" (Niels Henrik Rasmussen, CEO Secunia)]
However, with the existing solutions available in the market, patching remains a cumbersome task. It requires substantial resources, both in time and people, and further, the process is difficult to control, with no one knowing when patches have been successfully applied to all affected machines. This encourages companies to 'see through fingers' with the patching scope.
[Statement: "It can be difficult to get the business to accept the need for patching, because it has business consequences." Allrdick said, "Typically, companies that do patch will patch on the server side but don't give as much priority to the client side, even through that's where 95% of the vulnerabilities occur. But keeping clients up to date is hard. You have logistical issues to deal with, as well as people issues " users may delay the patch because they want to get on with their work" (Source 1)
[Quote: "Secunia has been trying to emphasise the threat posed by the vulnerabilities for the past eight years " we are pleased to see that the market is starting to digest our key message. Acknowledging it is the first step " second step is to adapt to the solutions that can deal with the more practical side of patching" (Niels Henrik Rasmussen, CEO Secunia)]
[Statement "If your security organisation says that patching all client side programs is simply too difficult, it has ceded significant territory in the internal network to the bad guys" (Source 2)]
[Quote: "This also supports why the initiative for Microsoft and Adobe to collaborate is a step in the right direction but not an alternative to continuously 'only' patch the software programs supported by Microsoft. There is a range of other third party programs, and once the cyber criminals start to realise that the vulnerabilities in Adobe are generating smaller 'windows' of opportunity' etc. they will re-direct their attention to other software" (Niels Henrik Rasmussen, CEO Secunia)]
III Simplified Patching
With the seamless Microsoft WSUS and SCCM integration with the Secunia Corporate Software Inspector, the patching process has been simplified and can literally be conducted with a few clicks - completing a full patch management cycle has never been easier and more straightforward :