Tool automates remediation tasks

Whenever the Defense Department's Computer Emergency Response Team Coordination Center sends out a vulnerability alert, each DOD systems administrator must acknowledge it and respond with a plan for closing the hole.

'The notification and response is becoming more automated,' said a security manager at a DOD software development shop, who contacted GCN and asked that neither he nor his agency be named in print. 'The problem is that the remediation is manual. When you get two or three alerts an hour, it gets out of control.'

Studies repeatedly have shown that the majority of network exploits are against known vulnerabilities for which fixes are available.

The DOD security manager said he uses the Hercules automated remediation tool from Citadel Security Software Inc. of Dallas to cut the time for fixing flaws in multiple machines from weeks to days or hours.

'There was a lot of gnashing of teeth in getting the purse strings loosened' to buy the software, he said. Now his headquarters recommends it to other agencies because 'it's a great force multiplier.'

Vulnerability remediation is a two-step process. First comes an inventory of hardware and software and their vulnerabilities. Then somebody must decide what to fix, prioritize the jobs and make the fixes. The DOD shop began using Stat Scanner from Harris Corp. of Melbourne, Fla., to automate the first part of the process, the security manager said.

'It can tell us where we are vulnerable, but we still had to remediate manually. Harris told us, 'You really need to look at an automated remediation tool' and recommended Hercules.'

Citadel chief technology officer Carl Banzhof said Hercules integrates with third-party scanning tools such as Stat to map vulnerabilities against a library of remediation signatures. Hercules typically runs under Microsoft Windows 2000 but can handle remediation on various Windows and Unix platforms, he said.

The administrator picks the fixes and schedules them. Hercules' automated agents then do the work and report back.

The remediation signatures update regularly over a Secure Sockets Layer connection. About 20 percent to 30 percent of vulnerabilities come from software flaws that require vendor patches, said Jack Doxey, Citadel's marketing vice president.

'We don't provide patches, we provide links to the vendor's Web site,' Doxey said. Once downloaded to the server where Hercules resides, the patches are pushed out to other devices, with check sums to guarantee their authenticity.

But 70 percent to 80 percent of vulnerabilities come from misconfiguration, back doors, unnecessary services and unnecessary accounts. Those require the administrator to reconfigure systems.

Saving time

The DOD shop tested Hercules 1.9 in December with Stat Scanner, the security manager said, running it against 10 out-of-the-box PCs. The standard practice with new machines is to establish a baseline software configuration, then remediate any vulnerabilities, he said.

'It chews up a lot of time,' he said. 'It normally would take us about a week to get 10 machines updated, patched and out on the floor. We were able to do it in a matter of hours.'

He said he has used Hercules on a network of about 300 systems running Windows XP, some Windows NT and other operating systems, plus 40 servers running Windows 2000 Server. It also covers several remote sites with a total of 80 workstations and 15 servers.

'The tool does exactly what we were led to believe it does,' the security manager said. 'But this is not the be-all and end-all.'

On several occasions, he said, patches failed to install properly or froze up the computers on which they were installed.

'We were able to go back to the Hercules log and find out what went wrong,' he said. 'It tells you everything that got changed on the machine, right down to the directory.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above