Software patching gets automated
- By William Jackson
- Aug 08, 2003
Whenever the Defense Department's Computer Emergency Response Team Coordination Center sends out a vulnerability alert, each DOD systems administrator must acknowledge it and respond with a plan for closing the hole.
'The notification and response is becoming more automated,' said a security manager at a DOD software development shop, who contacted GCN and asked that neither he nor his agency be named in print. 'The problem is that the remediation is manual. When you get two or three alerts an hour, it gets out of control.'
The DOD security manager said he uses the Hercules automated remediation tool from Citadel Security Software Inc. of Dallas to cut the time for fixing flaws in multiple machines from weeks to days or hours.
'There was a lot of gnashing of teeth in getting the purse strings loosened' to buy the software, he said. Now his headquarters recommends it to other agencies because 'it's a great force multiplier.'
Vulnerability remediation is a two-step process. First comes an inventory of hardware and software vulnerabilities. Then somebody must decide what to fix, prioritize the jobs and actually make the fixes.
The DOD shop began using Stat Scanner from Harris Corp. of Melbourne, Fla., to automate the first part of the process, the security manager said.
'It can tell us where we are vulnerable,' he said, 'but we still had to remediate manually. Harris told us, 'You really need to look at an automated remediation tool' and recommended Hercules.' The product typically runs under Microsoft Windows 2000 Server but can handle remediation on various Windows and Unix platforms.
The administrator decides what vulnerabilities need to be fixed and schedules them. Hercules' automated agents then do the work and report back.
The DOD shop tested Hercules 1.9 in December with Stat Scanner, the security manager said, running it against 10 out-of-the-box PCs. The standard practice with new machines is to establish a baseline software configuration, then remediate any vulnerabilities, he said.
'The tool does exactly what we were led to believe it does,' the security manager said. 'But this is not the be-all and end-all.' On several occasions, he said, patches failed to install properly or froze up the computers on which they were installed. 'We were able to go back to the Hercules log and find out what went wrong,' he said.
At his shop, the security manager said, policy required turning off all user systems outside work hours. That had to be changed to leave systems on for automated remediation, he said.
William Jackson is a Maryland-based freelance writer.