Management demands drive administrators toward automation
SAN FRANCISCO'The task of managing patches, vulnerabilities, configuration and security policy is creating a market for more automated security tools.
"Automation is critical to the next step in the vulnerability management market," said Mike Jones, senior vice president of marketing for Citadel Security Software Inc. of Dallas.
Citadel, introducing a new model of its Hercules vulnerability remediation tool, is one of a number of vendors at this week's RSA Security Conference offering ways to automate the task of fixing security holes.
To what degree security processes should be automated is a matter of debate.
"Most administrators don't like full automation," said Ned Miller, CEO of Secure Elements Inc. of Herndon, Va.
Like most products, his company's Class 5 AVR (Automated Vulnerability Remediation) offers manual options for applying fixes or changing configurations on network equipment.
But Mark Shavlik, founder of Shavlik Technologies LLC of Minneapolis, said full automation is becoming increasingly necessary in some cases.
"Sometimes, the risk of not patching outweighs the risk of taking down a system" by applying a flawed patch, he said. "For a critical vulnerability on a critical system, you want to do it quickly."
Shavlik's flagship patch management product, HFNetChkPro, is being upgraded to address spyware and other security issues.
Automated security management is the result of the growing number of vulnerabilities being found in IT hardware and software, the shrinking window between discovery of a vulnerability and its exploitation, and the increasing use of mobile devices connecting to networks. Vulnerabilities on the inside of an enterprise make blocking malicious traffic from outside inadequate protection.
"We've already sacrificed the perimeter, so now we're looking at security from the inside out," Miller said.
Miller said the Federal Information Security Management Act was a major driver in the development of his company's Class 5 product, which is being rebranded at the RSA Conference as the C5 EVM (Enterprise Vulnerability Management).
The Transportation Department has a five-year blanket procurement agreement for the C5 as a patch management tool, Miller said.
"They quickly began to see the value it could provide under FISMA," he said.
C5 is a client-server tool, with a lightweight sensor agent that monitors up to 50 attributes on each client device. It also incorporates data from third-party vulnerability scanners, and a decision support server offers options for correcting problems.
Administrators then decide what patches to push out or fixes to apply. Full automation of fixes would be appropriate only for non-critical systems, Miller said.
Shavlik's HFNetChkPro is adding not only spyware detection and removal, but features allowing it to work with a full range of desktop platforms as well as with servers. "The big change is that people want to do 100,000 computers now, rather than 1,000 servers," Shavlik said.
The tool identifies network devices and scans for vulnerabilities. It can automatically roll out patches or prioritize groups for patching. The new version also offers the ability to let end devices pull patches down, rather than having patches pushed from the server. This is particularly helpful with portable devices, Shavlik said.
"The problem with portables is that they suddenly appear on your network," he said. "They are not predictable," and it can be more convenient to have these devices call for updates. Remote devices also can be quarantined until they can be patched when they access a network.
Citadel is moving its vulnerability management tool downmarket, from the enterprise to smaller offices. The new Hercules Security-on-Demand is being offered as a plug-and-play appliance that will enforce security configuration policies, fix existing vulnerabilities and scan for specific vulnerabilities.
The interface and functionality are being simplified for occasional use by operations without a large security staff or lots of expertise. It is being priced "by the drink," so that customers pay only for the remedies that are applied, without up-front costs.
The Solsoft Policy Server, from Solsoft Inc. of Mountain View, Calif., manages security policy on most firewalls, VPNs and routers. "We automate a lot of what you would normally do manually," said Jesse Anton, director of marketing.
In addition to supporting a broad multivendor environment, the Policy Server also has a graphical tool that lets an administrator apply policies by drawing connections between devices and locations.
The Policy Server is intended for large enterprises, said Joel Wolcott, director of federal sales. This has led to its use in the Defense Department, Postal Service and several other civilian agencies, he said.
A feature popular with federal users is workflow management, which lets one group create policy and another group apply it, Wolcott said.
"What we're seeing in government is the security team that designs the rules, and a network team that pushes them out," he said.