Your Security is our Top Priority - Third Party Patch Management
September 23, 2014
Today, organizations work with large volumes of sensitive information, which unfortunately is often a target of malicious attacks. According to key security experts, 10 new vulnerabilities are discovered each day. In order to protect against potential harm in the most efficient and cost-effective way possible, companies need a standardized, automated and constantly updated patch management solution. In this webinar we will show you the benefits of our solution and demo the features LIVE.
Marek: Good morning everyone. My name is Marek Woda and I will be your host for today's presentation from the series presented, HEAT Client Management. Today, we will be dealing with the advanced patch management model. And the main subject of the presentation is "Your Security is Our Top Priority," presenting the aforementioned "Third Party Patch Management." Before we get started, I would like to familiarize you with what you may expect from the session. So at the beginning there will be a number of slides to familiarize you with the basic concepts of patch management in general, also some technical details and functionalities which are available in our APM module. Then I will try to show you a live demonstration of the product, how we can deal with assigning the patch policies and how it works in general. And at the end, I would like to ask you to send some questions that I will try to answer, and if there are some questions, I will do as much as possible to clarify all your doubts or anything which might be interesting to you. And I would like also to remind you, and there will also be a reminder at the end of the presentation, that we have two additional sessions planned for tomorrow and the day after related to HEAT Client Management.
Okay, let's get started. How many business challenges should IT departments face on a daily basis? You probably know about it. So there are thousands of clients in your organization, a number of patches and different configurations, applications, various problems on a daily basis. And there are also some exceptions for the different devices, departments, users. Generally, there is a huge complexity in the organization. So it's no wonder keeping control of your network may be quite challenging, especially with the globalization [SP] of next generation devices such as smartphones in the corporate environment.
When you add some virtualization and the advent of cloud computing into the mix as well, the potential number of errors may increase greatly. So what we have to do is just employ some kind of control in the organization, tools that help you out to deal with the complexity of the IT environment. Let's just pay attention to this slide. This is just a survey from Computerworld [SP]. The question was, "Please describe your organization's current approach to client management in each of the above areas." There were around 180 respondents and it was taken last year.
And at the top of the list, the primary concern for the IT department, the IT administrator, is patch management. And as you probably have noticed already, patch management is not fully automated at most organizations. Patching is a core remediation function in the risk management lifecycle and it needs to also be part of the end-to-end client management [inaudible 00:03:46] management approach.
Before the increase of numerous compliance regulations and the rise of malicious code targeting known vulnerabilities, patch management was not a top issue for many organizations. Today, patch management must be a top priority to mitigate the continuous threat of malicious code [SP] and compliance failures. As was mentioned before, nearly half of the surveyed organizations are applying patches monthly. Another part are doing it on a weekly basis. Like we discussed, many do this manually and don't feel very confident that their organization is fully protected.
Let us just familiarize you with some features of Client Management from FrontRange. Patch management and security configuration management is just one part of our overall Client Management suite, which contains all the tools to manage and control clients of all kinds from a unified [inaudible 00:05:01] console that will be presented later on. Desktop and server management helps you out in various areas, for example, software packaging, MSI repackaging, software profile management, device driver management, or, for example, Citrix or server management.
There are many functionalities, but the main focus will be on security configuration management. If you are interested in the Client Management suite in particular, please feel invited to tomorrow's session, which will be entirely devoted to that. Security configuration management allows for the…on different things with the end user regularly downloading and installing software, application copies can occur very often, ultimately reducing user productivity and increasing IT operating costs due to security incidents and helpdesk overhead.
DSM policy is based on making sure that system configuration policy and monitoring and reporting are always in a compliant state. That's why we always encourage our users to automate the daily routine using our policy management feature, which is the main feature of DSM and which will also be presented in a few minutes in the live demonstration.
Let us proceed to the next slide. Let's compare the traditional task-based approach versus the policy-based approach which is available within our desktop and server management suite. So what we can offer: at the beginning we might create special groups that will be under special scrutiny, with agents looking for vulnerabilities. Then, based on the vulnerabilities, the system generates the required patch packages, which will be automatically downloaded and applied if we would like to do it automatically. Or the patches could be only downloaded and then the administrator or operator of the DSM can apply them manually.
And once these patches are applied [inaudible 00:07:35] the complete overview of what has been done, what the failures or potential failures were, how many devices are already patched and so on. And that could be some kind of lifecycle: we can scan again and the cycle starts over and over. And that's very intuitive: once the policy is set, it's being run under the hood and the operator should only see the reports.
Let us just proceed and see why we need really advanced patch management. Only in 2013, there were over 55,000 unknown vulnerabilities in the software from different vendors. And only…maybe only…2,000 vulnerabilities from Microsoft products. And that constitutes less than 6% of all vulnerabilities. So just patching the Microsoft products is not good enough.
Let's take the example of the Java runtime [inaudible 00:08:51], which everybody certainly uses on a daily basis. According to the heavydetail.com portal, over 500 known vulnerabilities were found only in the first months of 2013, which is more than in the entire of 2012, and also more than in all the previous years that this software has existed on the market. So we can observe that the number of vulnerabilities is increasing rapidly from year to year, and the potential danger rises, so we have to be aware that we are also in jeopardy.
If we take a look at the current situation, we have the following picture. According to a McAfee study, there exist right now over 60,000 vulnerabilities and exposures in computer systems. Over 5,000 new ones were just in 2013. So this means since 2000, on average, 10 per day become known, so it's not surprising that almost 80% of companies surveyed reported security incidents. Many companies are vulnerable because of the use of outdated software which is not being patched at all. This is because these companies have no automatic patch management solution. The manual approach is not good enough.
Let's just see what we can do with our advanced patch management. So we are not only dealing with regular Microsoft patches for different products from their portfolio, but we are just [inaudible 00:10:50] all…almost all known vendors from the market, starting from Adobe Reader and many more which are on the list. And so right now, let's just take a look at a few slides about what Client Management can do for you in terms of patch management.
First, we have Microsoft patch management only. This is a smaller version of the advanced patch management which is only dealing with Microsoft as one vendor. So this is very similar to Windows Update Services, which allows us to schedule when machines can be maintained, when the patches can be downloaded and installed. We get a complete overview of what's happening in the organization, along with how many patches are downloaded. We can also speed up the download process very easily.
APM is an extended version of the regular patch management that includes patch management for all known vendors, and I will also demonstrate it in a few minutes in the demonstration [inaudible 00:12:13]. So what are the strengths of this product? This is a completely policy-based product, so once we just set up the policy, we may almost forget about it, because the DSM will take care of the download of the unknown…patches for the known vulnerabilities, will scan on, let's say, an hourly, daily or weekly basis depending on how we would like to do it, and then also ultimately apply all the patches. We are also notified if something went wrong, using the Report Manager.
Going forward, we have the highlights of APM. As you can see on the right side, the others will be shown later on, we have a complete list of the software not only from Microsoft but also from the different vendors that has currently been detected in the organization, so we can easily select which patches we update manually. This is just an overview for the administrator, because the automatic routine will be run in the background and will just find and add newly found software to the list.
We can have a complete overview for the group's particular devices of the known vulnerabilities found. And yet again, vulnerabilities are being found on a regular basis, so we schedule the scan every hour to be aware whether we are under any threat or not. And then we may also create a policy to download particular patches to be covered instantly, or maybe in a day or something like that. And, additionally, we may create some kind of controlled pilot installation for the groups. So if we succeed with that group, the entire organization can be patched.
APM also allows us to classify different…which patches should be downloaded and how often we should look for these patches, new patches. We are also create…we are also allowed to create a new routine of download or application of the new patches for different products, or also for all of them. There's a sample view of how the patch roll-out policy is being created, so right now all the critical updates and service patches are only being downloaded, with the different severities and also for all selected languages, not just the four of them.
Definitely, all of the flavors are available and there is a policy activation offset. That means that as soon as the patch is downloaded, it's being applied for the group which this work is assigned to. Then what we can do is also automatically enable the patches from Microsoft. So Microsoft allows us to download patches for their products. We also have, at the same time, downloads available for our system, and we are also allowed to connect to the different vendors. So we are not covering the software patches ourselves, but we are just connecting to the known vendors whenever the patches for their software are available, or we can easily schedule download and install in our organization.
That's also a quite interesting feature, that we can just see which computers are affected by a particular patch if it's in the current stream. So we just have to select the patch and then we click the affected computers tab and we can easily see what's going on.
How does the APM, in fact, work? So that's our DSM Advanced Patch Management System. There is a service being run on this machine and this unbroken line depicts our server or our infrastructure. And there is an advanced patch management catalog on our premises, FrontRange premises, where the APM asks for any new positions in the catalog. This information is being sent out. The APM is updated with the list of available software patches. And this list is made available to the local agents. These agents are usually distributed to the machines, not only desktops. It could be a virtualized machine. It could be server farms, a Citrix environment and so on.
Based on the known vulnerabilities from the APM catalog, the local agents scan the…all the machines and they compare the list with the list of vulnerabilities. Based on that, it kind of requires unknown vulnerabilities to be patched. So then DSM starts a procedure of downloading the patches from the vendors of this software. When the patches are available, they are passed to the local agents of the machine and the patching starts. Once the vulnerabilities are closed, we are getting feedback…sorry, we are getting feedback to the DSM, where the list of the machines is available for review by the administrator or operator. And then we have a complete overview of whether we are secure or not yet.
What are the key benefits of having DSM Patch Management? So FrontRange customers decrease their risk of exposure to hacking and malware by reducing the time to install patches by almost 80%. This is based on our customer base so far, and reducing this risk of exposure to hacking…was made by…this survey was made for all our customers and there were some questions or quotations from, for example, an ROI assessment on the customer side. There were sample quotations like: from weeks, months, to install, to the same day; significantly reduced our exposure risk; from 5 to 10 minutes per patch to 0. That was quite a nice one. Save one hour per patch per machine, that's a significant reduction. Just concluding, FrontRange Client Management improves security, compliance and cost effectiveness by saving you time, saving you money.
And we have reached the moment when it is high time to familiarize you with the HEAT Advanced Patch Management console and the functionality in the flesh. So let me just put the presenting mode on hold. I will just switch to my virtual machine, if you bear with me. I will just switch and we will be back in a moment. I'm starting my VM. You should see the desktop on the Windows 2000 Server R2 where the DSM console is installed. Let me just start DSM right now.
So this is a huge switch, but we will just be paying attention to the APM feature in it. So it's being loaded up, then we will be able to see some results in a moment. Now all the views are being refreshed, and let me just open the computers and end-users part so that you can see the entire organization with all your devices, mobile and stationary ones. They are just a reflection of the AD structure, also some additional groups which are called static and dynamic, which allow us to gather some devices based on the criteria that we just set.
Let's just look at the demo devices that I would like to show you today, so there is some kind of org structure, some entries there. So we will just be dealing today with the two devices. One is Windows 7 based and the other is Windows 8.1. Let's just focus on Windows 8.1. So what we can see here is just the software policy, namely the policies which are installed. So the operating system is installed, along with the APM agent and also some software.
Let me just check the patch management, so we can also see what patches have been applied so far on this machine. So let me just scroll down and see whether there is something that requires installation. No. That means that all the policies are in a compliant state, as you can see here from the indicator. However, we may just take a look at the vulnerabilities, because since this last scan, the vulnerabilities list could be even longer. Let's just scroll down to the end.
As you can see, some patches are not installed and some of the products which are installed are not covered by the patch policies. What we have to do is just launch this machine and let APM do the rest. I will just do it in a moment, but I would like to direct your attention to some basic principles of how the advanced patch management works. And so we have to just decide which computers will be encompassed by advanced patch management. It doesn't necessarily have to be the whole group, or the whole organization. We may just decide that the program is going to have a number of test machines undergo a pilot installation.
For that reason, I have created an APM test machines group that allows us to find the patches for the machines which are in this folder, download the patches immediately and remediate all potential security risks. As you can see, I just click this folder and we have the list of the devices. As we can see, these two devices are already covered for compliance in the policy of the APM, but the [inaudible 00:24:56] server is not. Let's just see here what the problems are.
It looks like some policies are being delivered. There is just a green envelope along with the patches, so the meaning of that…the meaning of the envelope is as follows: these patches which are in yellow are already transferred to this machine as soon as this machine is online. But, again, these patches will be installed. Let's just see. There are more than…only this patch is to be covered. So as you can see, only one is installed so far. And we may also find out whether this patch is already downloaded, so we just need to go to the missing patch and then we can see that the download is completed.
Let's just see what…the other things that might be interesting are. This is the complete lifecycle of the package that is already downloaded. We can also see that it's distributed to the depot server where all the patches are stored. This package could also be manually installed on the different machines. So now we are ready to deploy it everywhere. And there is the aforementioned affected computers tab that allows us to see all the machines, not only those which are assigned this patch to install, but all the machines in the organization that have a security hole that could be covered by this patch. That's quite handy, because we can easily get oriented on how many machines are vulnerable and whether we should patch them immediately or not.
Let's just see how it works. So first of all, these machines have agents that run some kind of schedule that we assigned, which we'll be…demonstrate in a moment. Let's just see…there is just the compliance view. As you can see, all the machines are compliant with these policies, so we shouldn't be bothered. It means that the agents that do their scan and download are there.
Let's just see what it looks like under the Software Park in the Patch Library. So starting from the beginning, let's just cancel all the filters. We may just see all the patches which have already been downloaded and are ready to install. There are not too many of them, because these are only the patches that we explicitly decided to download. And there are these several folders here; the meaning is as follows: prerequisites, meaning there are just things that should be automatically downloaded on this…on any machine so that the policy starts working, meaning the simple agent; they come in different flavors [SP]. It allows us to scan and detect unknown vulnerabilities.
We may create some different templates, meaning for the different machines, how the patch management agents should act, so whether to only apply the patches when the user is logging off, or maybe when starting the machine, or to instantly apply the patches and so on. Then we can just narrow the selection to the patches whose download completed after the selected day. So we can easily see what patches were recently downloaded and are ready to download. And we may also see whether there are some patches awaiting download, meaning if we just see vulnerabilities in our organization and these patches are not downloaded, then we can see a list of them and then we can enforce their download.
How does the synchronization with our APM work? So we have to just do it either automatically or manually using this entry that we can just click. And then we just force looking for new patches. Normally, we can schedule it. It's usually done on a daily basis. We may just shorten this period to hours, let's say every hour or every half an hour. As you can see, there is nothing new yet, but there is download progress. That means, as you can see, there are quite a lot of new patches from a recent synchronization.
We may also narrow the patches by different criteria. In this folder, we can see only the patches which are applicable to Windows 2012. As we can…we are able to see the definition of the filter. There is a quite nice query editor that allows us to create quite a compound query to narrow the selection to what we are really looking for. It is very easy, just for the family Windows Server 2012. Similarly, we have a different one for different operating systems.
A few words about configuration. I mentioned that we have some kind of groups, as it was here. So we have the APM test machines and there is a different one. That's just the one Windows 7 machine. And for these groups, we may assign a policy that is defined here. We currently have two working policies, as the name indicates. There is a typo. Pilot test installation for test machines, just to install immediately. Let's just see the definition. So this rule is active. It continues evaluation after the first one, so our first one just disables all the problems that we don't want to be covered by the patch management. That might be some kind of exception.
And as you can see, what we are patching: we are including all vulnerabilities. We don't exclude any folders to download. We cover all the languages and we cover all the classifications and severities available. And what we have to do is just download and assign the patches immediately. There is no offset in hours, so…and the policy is active. And what's the difference here? So we are just covering Windows 7 and Windows 8 patches and we are obviously also covering the products from the different vendors. So all the classifications are yet again selected, so we can see known Microsoft security updates are also covered. And we wait seven hours to install after download.
Okay, let's just take a look at the machine, the Windows 8 machine. I just have to start it and then we can see what's going on. And you will see in a moment what actions are being taken. I will scroll to the machines that the [inaudible 00:33:29] probably in a moment when the machine is online, the installation process will start. We will see in a moment when the DSM agent starts. It's being loaded up, not in stealth mode, so we see the icon. Here it is. So when all the services are started, the actions should be…some kind of actions related to the patch management will be undertaken.
So what I can just do is execute changes right now, because this machine is under some kind of different schedule. So namely this one: daily in the afternoon [SP] all patches are installed, downloaded and installed. And we would like to force it to be right now. Well, let me just do that. As you can see, instantly, the DSM runtime agent has started and probably the install process has also started, so we have to be patient for a moment. So I will just enforce the installation of the policies just to make it quicker. And as you can see, the policy has changed from green to partially yellow, because this machine was [inaudible 00:35:07] as online and we have seen these vulnerabilities which were not covered.
Recently, when this machine was offline, all these known vulnerabilities were not present here. That's why its state was green. So we are just waiting a moment until the patches are installed. In the meantime, I will just start the Windows 7 machine, one moment. That allows us to see that this machine has Windows 7 installed but no patches are yet there. So for this machine, as you can see, there is a patch tickbox here, no patches whatsoever. No vulnerabilities detected, because the machine is not part of any APM groups. I will just drag it in a moment and we will see the results, how it goes.
Let me just log into the system and in a moment we will just…using just simple drag and drop, we will just assign this machine a policy. Here it is. And in a moment, as you can see, instantly, as this machine was dragged onto this folder, there is a client…APM client package scheduled to install. And once this goes green, that means that the policy is compliant, and since now this machine has been encompassed by all the policies assigned to this group, it scans immediately for all known vulnerabilities from all known vendors.
So let's just see. Here is the process of installation and it's going. So once the patches are installed, if any of them requires it, we'll see the next screen asking us to reboot. And after reboot, the policies will be…now the list of the known vulnerabilities will be refreshed and then we'll see different states. So there are quite a lot of patches to be installed. As you can see, right now this list has increased, so these patches are being installed just now. The envelope means that it's already there and the agent is installing. Now we are waiting to be patched up. Mozilla Firefox will be patched directly, so that should be some kind of…let's just see what that's gonna be.
Here it is. That's the security hole for it. We might just take a look for some information. If some patches are not being installed, we may always take a look at the distribution tab. That shows on which distribution point these patches are not yet delivered. So if we have a large organization, these patches have to be downloaded in their various locations, so this tab allows us to get oriented on whether these patches are available for end users in their different locations. And yet again, this is a fact that we already discussed.
And you can see for this patch, it's meant to be installed for machines which are in the group APM test machines and all computers. As you can see, there is no computer waiting for installation there. There is a white indicator. Let's just go back and see what's going on with Windows 7, whether the patch policies are being installed. Not yet, because there is a maintenance [inaudible 00:39:46] that does not allow installation right now. Let's try to execute changes right now and see whether this gets installed in a moment. So hopefully in view management we will see some results.
Okay, in the meantime, the Win 8 one is already ready for a reboot, so probably all the patches are successfully installed. We may also suppress this reboot window, imposing a policy that the installation or application of the patches will only be done when the end user decides to reboot the machine or is no longer logged in and the machine is online. But for the sake of the presentation, I have just decided to do it that way, that we manually reboot this machine. So it's being [inaudible 00:40:55]. Let's just see whether this patch has already been delivered. Not yet, maybe that requires some further attention. We're just emptying the cache from the previous patches and then forcing the installation of the package. And we'll just take a look at the Windows 8. It's not yet refreshed, because the agent probably hasn't delivered yet. Oh, it's delivered, so now all the patches are applied, as you can see, and the main policy compliance indicator has changed its color to fully green.
And then let's just focus on the vulnerabilities, if there are any more to be covered. Now there are just some of them, so just these patches. Let's just see whether these are downloaded. So most likely when these are being just…as the screen indicates, working on updates, these patches are probably being applied in the environment, so we have to be patient. As you can see, something has already started being done on this Windows 7, so in a few seconds we should see some changes in the Windows 7 101, too.
As you can see, it's quite easy to handle the installation of the patch management. Once we have larger groups of computers, we can easily see the compliance of the policy. So these are all the available policies for whole groups and we can also quickly get oriented on whether everything is okay or not. And what's also important, there's a compliance view that allows us to get information on all available statuses from the…all the machines in the particular group. We are almost there. As you can see, all the patches, software patches, third-party patches or operating system patches, are being applied, so the compliance is 100%. Compliance is 100%, so the total patches in the whole APM test group are okay.
So let me just log in to Windows 8 and just take a look at the status, view vulnerabilities, whether these are covered or not. Just a moment. Just a few of them, probably the next round after reboot. Yet again, being installed, so a group [inaudible 00:44:30] some kind of priority of installation of some patches imposed by Microsoft. So in that order, that should be installed, but definitely we have the latest Mozilla installed. Let me just see in a moment. Here it is. It used to be 32.0 and now we have the latest patch installed. Let's just take a look at what's happening on this machine that's still being installed. As you can see, now we can see there's a plethora of vulnerabilities, because this machine has no service pack installed. And what is being done right now, these patches are being transferred and installed, so we should see the results in a few seconds.
So with that, I would…with that, I would like to conclude our live panel presentation and ask you for your questions. So let me just quickly unshare the screen and see the list of the questions that potentially arrived from you. So just a moment. Please feel free to ask as many as you like. So far there are not too many questions and, actually, there is no question, so it looks like either I…everything was clarified during the presentation, or you are an expert in the advanced patch management area. So if there are no questions, let me just proceed to the remaining slide.
So thank you for your participation, and before we close the presentation, you may like to find some more information about HEAT Client Management on our website www.frontrange.com. And there you will find demos, some free trials of all our HEAT solutions and also some case studies, solution briefs, white papers and loads of this stuff. And in addition to the presentation you have joined today, you might also like to listen to the other topics from the Client Management series tomorrow. We have an additional session from HEAT Client Management called "Gain Control of Your Physical, Virtual and Mobile Devices." And the day after, there is "HEAT Client Management Supports Mobility and Bring Your Own Device to the Organization." That will be entirely devoted to mobile device management from us.
And, lastly, you can also join our social media using the following links available on the screen. So…and that will be it. Thank you all for watching. Should you have any questions, you might just get in touch with us and request a personal demonstration of the product or a free trial of any part of the Client Management suite. And, finally, your feedback is very important to us, so please take a few moments to write the [inaudible 00:48:49] after it's over. And yet again, thank you for joining us today. Thank you, and hopefully you enjoyed it. Bye-bye.