
Patch Management is Easy Until You Have to Prove It

While at Interop, I met with Chris Schwartzbauer, VP Field Operations for Shavlik Technologies, the Roseville, MN vulnerability remediation company. The company has over 10,000 customers, employs about 100 people and has extensive OEM relationships with major security and OS vendors. Chris and I spent about 30 minutes on the scope of the company and catching up on what's going on.

Key products include:

  • NetChk Compliance – policy management and IT audit readiness assurance.
  • NetChk Protect – automatic assessment, remediation and management of OS patches, spyware, malware and unauthorized software.
  • NetChk Protect Audit Edition – application for auditors and consultants, reporting on the security state of a network.
  • NetChk Analyzer – command-line patch scanner and scripting tool.

Shavlik has a great approach to making security policy enforcement on servers simple. Starting with a scan of the OS (Windows, Linux, Solaris), Shavlik products report which patches ought to be deployed, offer the opportunity for remediation, and then provide the auditable trail of control demanded by the ever-sensitive IT policy management types.

Initially I thought this was a great solution for companies driven by Sarbanes-Oxley compliance, but then Chris pointed out that it is a particularly useful capability for assessing, remediating and managing desktop compliance too.

Furthermore, the company also scans for and remediates adware and spyware, and works with network access control systems. The company's key goal, however, is embodied in its tagline: "Simply Secure".

As I review this capability, it strikes me that this functionality addresses quite a bit of the challenge that the Network Access Control vendors (Cisco and others) have been arguing for some time. But as a matter of performance and user experience, a policy scan at every network attachment has got to be a huge productivity drain for users and a huge processing pain for the enterprise. Remember that most users attach to the network early in the day, at around 8 am, and disconnect at the end. So if everybody is pausing while policies are reviewed… Windows is slow enough at boot and waking from sleep as it is.

A more statistical or periodic/scheduled policy review is probably a better balance of the practice than a scan at every network attachment. Surely the risk of being out of policy degrades over time as the non-compliant users are shepherded into the fold. Chances are they will stay in compliance most days anyway, since I would think that it's a drift problem with a few users and not an epidemic.