SCCM as a Security Compliance Tool? You can Bank on it.

June 23, 2016

Duncan McAlynn | Principal Security Engineer & Evangelist | Ivanti

In this session, 6x Microsoft MVP and Sr. Solutions Specialist, Duncan McAlynn, will have a discussion with Logun Baker, Senior Systems Administrator for The Huntington National Bank, regarding the challenges of 3rd party application patching within their enterprise and how they have solved those problems. During the webinar, McAlynn will also be demonstrating how PatchLink natively plugs into the SCCM Admin Console, providing seamless integration into existing patch management workflows without any additional client deployment, infrastructure requirements or added consoles.

Transcript:

Thank you, everyone, for your patience. We are going to go ahead and get started. I'd like to welcome everyone for joining us today. My name is Melissa Russell. I'm the Unified Endpoint Management marketing manager with HEAT Software and I'll be your moderator for today's webinar. Just a couple of housekeeping things before we get started, we do have a lot of content to cover today and we do hope to allow some time at the end for some questions. There is a questions box and we will be addressing those at the end, and if for any reason we are unable to get to your questions at the time during the live session, we will follow up with you. A couple of other things, we are recording the webinar and we'll distribute the recording once it is able to be distributed. And we also will distribute the slides. So, we will make sure those are sent to you in a follow-up email. So, let's get started.
 
Just a quick introduction as to who HEAT Software is, we are an organization that is actually the formation of two companies that have come together which was FrontRange and Lumension from the...we are a leading provider of hybrid service management and unified endpoint management. In between the two organizations, we have over 20 years of technology leadership in endpoint management, endpoint security, and ITSM. We have both cloud and hybrid deployment options in on-premise as part of our solution set. We have served thousands of customers with over 700 partners worldwide, we've serviced millions of daily service transactions and over 20 million endpoints are being managed through our solutions. Our organization is based in Silicon Valley but we have, between our offices and partners, over 45 countries worldwide and our employee count is growing faster than I can keep up, which is more than 500 people. Just to give you a quick representation of who our customers are and who you might know, this is just a small sample of who our customers are. They cross over industries and countries. So, just to give you an idea of who we serve.
 
And now I'd like to introduce you to our presenters today. Our present...our presenters are Duncan McAlynn, he is a HEAT Software senior solution specialist. He is a 6-time Microsoft MVP and has over 20 years consulting with Fortune 500 organizations and SMS and SCCM. We are also very pleased to be joined by Logun Baker. Logun is the senior systems administrator for Huntington Bank and he is a network systems administrator specializing in desktop and directory engineering and he is joining us today to share their story. So, at this time I'd like to go ahead and turn it over to Duncan. Duncan, go ahead.
 
Duncan: Thank you. I appreciate the introduction and everybody on the webinar, really appreciate you taking time out of your day to join us. So, hopefully, you'll gain some benefit from the next hour on what we're discussing here. So, let's briefly talk about the problem as it exists today in 2016 and what we're seeing in the landscape. So, what you guys are looking at right now is an actual screen capture of the Jigsaw malware, or RATs is the way I should refer to it as. And this is actually a capture of the infected system showing, you know, that threat message, the countdown, and demanding that Bitcoin payment. This is why we're here today. This is a discussion that we need to have in being able to protect and defend our systems against these types of malicious attacks and, you know, putting your systems at risk. So, really as SCCM admins, I've been where you're at, I've seen the void in the product and really when it comes to being able to use SCCM to help defeat these types of attacks, there's tools and resources at our disposal and that's what I'm planning to be able to share with you guys today. So, let's take a look at some of the facts around ransomware and what we're facing as, you know, organizations.
 
Recent reports revealed that with the recent ransomware attacks, they've basically doubled in 2015 with a 6-fold increase over just a 2, two-and-a-half year span. Cisco is also reporting that 60% of the exploit kit Angler, which some of you may be familiar with, but those payloads are actually ransomware and 8 out of the 10 vulnerabilities in the past year using those exploit kits were Flash-related, so being able to generate drive-by attacks with nothing more than some embedded Flash code. One of the other things I find almost amusing is, you know, there's an app for it, you know? If you want to be able to start serving up ransomware in some of these ad networks, there's actually an iPhone app that has little slider controls and everything to determine how much you're going to demand, how many days they have to pay, a text box for what your correct message should be and, of course, you know, what the Bitcoin payment address is. So, you know, it's become a business, an industry, you know, serving up this ransomware. And, of course, it's happening because it's profitable for these actors. But now we are also seeing the latest threat is really JavaScript is making ransomware portable to any platform or device. So, it doesn't matter if it's Windows, Linux, Mac, iOS, Android, etc., all these platforms are now susceptible to these types of ransomware attacks. So, what is the actual impact?
 
Let's take a look at a couple examples more recently. In Tewksbury, Massachusetts Police Department just outside of Boston, you know, had officers for five days pulling over vehicles on the side of the road and unable to run Watson [SP] warrants checks on those individuals or even know if that vehicle was stolen. The reason being, their systems were attacked for ransomware and obviously, you know, they were working with their own agencies, state, federal government, FBI trying to get these systems back online, and finally after five days they simply paid the ransomware to get the decryption key. So, what kind of message does it send when law enforcement is paying these criminals for their activity? Not the right message in my mind. Another example and probably even more critical is the Hollywood Presbyterian Medical Center, where for nine days they were back to pen and paper. Not even able to properly handle intake of new patients or monitor critical health systems for these patients in critical care. You know, that could be your child, your mother, your brother, that's sitting in that hospital and these systems are offline and unable to monitor their health and well-being because of these types of attacks. So, what's the solution? I'm going to reintroduce Logun who again is with Huntington National Bank and one of the HEAT passionate customers who's been a very good advocate for us. So, with that, Logun, good morning.
 
Logun: Good morning. How are you?
 
Duncan: I'm doing well. So, if you don't mind, I'd like to just give those that are in the webinar a little bit of background on your organization and, you know, who Huntington Bank is. You know, correct me if I'm wrong on any of these facts, but basically your company was founded in the 1800s, currently you have $73 billion in assets, you're a member of the S&P 500 which is fantastic, as well as Fortune 1000. Unfortunately, you know, for yesterday your headquarters in Columbus, which took some tremendous storm so I'm glad you're able to join us this morning, I know you got some of your own issues that you're dealing with, but let's just talk, if you don't mind, what the impact has been of utilizing our solution within your environment. So, I understand that you guys have an SLA currently for handling zero-day vulnerabilities. Can you describe what that SLA is and what that has been like for you guys previously and how you're managing it today?
 
Logun: Sure. Yeah. So, here at Huntington, we instituted a 72-hour SLA for our Information Security Department and that was to fully patch our workstation environment in the event that any type of zero-day vulnerability happened. Those that are on the call may remember or recall that there were quite a few Flash zero-day vulnerabilities that were instituted last year. So, that all kind of played into it, right? But prior to implementing the HEAT PatchLink desktop software, we would work around the clock for 72 hours straight. I mean we would...we got the recommendation from Information Security that, "Hey, we need to get this zero-day vulnerability patch out there." We're working all through the night to try and get this type of stuff remediated, and that's simply because it took quite a while to manually package up the application, make sure that we did all of our testing with it to ensure that we weren't going to, you know, break anything or cause any issues, right, for our end users, and then go through some application testing and whatnot. So, we had 72 hours. And although that might seem like a decent amount of time, we would end up spending…you know, the majority of that would be overnight hours and, you know, just long hours for those of us who have to work during the day as well. 
 
Once we found the HEAT PatchLink desktop software, which was actually just because we were already actually a customer of the company at the time, it really just changed our entire outlook on what we have to do for a zero-day vulnerability. We basically program. Now we're able to receive tests and begin the deployment of that vulnerability patch in less than 24 hours after we actually get the [inaudible 00:12:33]. So, although we have a 72-hour SLA to get things worked out, to get our workstation environment patched, we can start that whole, entire process in less than 24 hours and that's without having to work the overnight hours. So, a huge improvement there.
 
And mostly by the time our…yeah, in most cases, by the time our Information Security Department has even had time to fully review the vulnerability that's been released and see all the information, determine whether or not we are impacted and if so how badly, HEAT's already packaged up the software and it's already available for us to start working with. So, by the time we even make the decision that, yeah, we got to start the 72-hour process, it's already there and it's ready and the majority of the work that we would have to do is already done for us.
 
Duncan: I'm glad to hear that. I am. It's quite a testimony there. So, I know you guys have a very mature vulnerability management program. How is HEAT plugging into that now with PatchLink?
 
Logun: Sure. So we struggled for quite some time to continuously patch all of the third-party applications that exist out there in an environment. I mean, yeah, you have some of the more common ones like Java vulnerabilities and Adobe Flash and Shockwave and all those third-party applications, but there's even small ones too that people are less familiar with, things like Notepad++ and Wireshark, and in smaller applications that maybe have a smaller footprint but are equally and sometimes more dangerous than the ones that we're familiar with the most.
 
Duncan: Right. [inaudible 00:14:10] 
 
Logun: Yes. Yeah, exactly. So, we spent quite some time trying to patch those up and work on reducing the vulnerabilities in our environment. We had some dedicated resources to it who basically just worked, you know, countless hours packaging up all of the required [inaudible 00:14:29] to the system, and if anybody out there works in this particular area and in your company, you may very well be familiar with the same struggle that we had where you'd start to package up something and before you could even get it packaged, a new update for the same product was already available. So, you just turn around and say, "Well, I got everything when I did [inaudible 00:14:47]," and you start all over again.
 
Duncan: Exactly.
 
Logun: That process can be very, very painful. But through the relationship with HEAT Software now, it's changed literally everything. I mean the expectation was set that we could really save hundreds of hours of work and a lot of headaches while we obviously lessen the attack vectors here at Huntington, and that's exactly what the product has been able to do for us. The amazing statistic that I boast to everybody all the time, both internal and external, is that we were able to reduce the number of third-party vulnerabilities on desktops, so specifically those third-party things, not Microsoft related, but a [inaudible 00:15:30] product does, we were able to reduce the number of those vulnerabilities by 75% in the first 90 days of implementation. So, we're not talking just like some small, little work over time, it was a very quick and very rapid introduction to the environment that allowed us to just drastically reduce those vulnerability numbers. So, it was a huge, huge change for us.
 
Duncan: That's impressive. Really. Thank you for sharing that. So, obviously that's what we feel is the appropriate solution, and I really do appreciate you sharing that success story with us and taking time out of your day to join us here. So, you know, a virtual round of applause for Logun there. So, let's talk about bringing it all together. You know, this is basically how do we use SCCM as a security compliance toolset and coupling it with other capabilities that are provided free from Microsoft as well as obviously plugging in the HEAT PatchLink solution. So, it is a multi-pronged approach, right? We're not just a magic bullet. There are other things that need to be focused on in order to be able to protect and defend yourselves, or at least know what your compliance state is. So, we're going to cover several of those tool sets. Sorry, this doesn't build out as nicely as it could, but basically there's about three or four different things that we're going to be looking at this morning. So, I'm really excited to be able to share this with you guys. So, first and foremost, obviously I have a vested interest in HEAT PatchLink DeskTop so I'm going to give you guys a brief introduction into it and be able to talk to what some of our differentiators are in this particular marketplace. I'm sure many of you on the phone are using System Center Update Publisher today to be able to inject Adobe's catalog into your WSUS environment and ultimately the entire SCCM. I want to talk about the difference there.
 
As we all know, the root of everything within SCCM begins with software and hardware inventory because that's how we're going to build collections, maintenance windows on those collections, target those systems for advertisements, task sequences, client policy, everything. So there's obviously tremendous value in that initial data from the software and hardware inventory. Same rules apply for software updates. If you don't have good data to work from, it makes it much more cumbersome to be able to handle these updates. So, you can see on my screen here, hopefully, that, you know, what you're getting from the Adobe catalog is very lightweight. The description might as well not even exist. It says this release addresses security vulnerabilities. Well, thank you, Captain Obvious. Can you actually tell me something about this particular update, you know, what is its criticality rating, what is the impact, are there CVE IDs associated with it, or is there superseding information? Is this an update that I even need to be focusing on? Has it already been superseded by a newer update that's probably more secure? So, we provide enhanced security metadata for each one of our updates with CVE-compatible and certified IDs that you're able to rationalize back to those national databases and other security programs that you may be working with, with your SecOps group.
 
Next is our fingerprinting technology, and this is where we take the vendor's installer and whatever applicability rules they may have and really go above and beyond that, making sure that you're not targeting, you know, let's say a 32-bit system with a 64-bit update because of a malformed collection. We're also going to look at the file and folder structure to make sure that the binaries actually exist and that they pair up with that particular update, and we're going to redundantly make sure that by validating version control information within the inside of the registry. And the way that we do this is so you may know that it has actually been patented. So, it is not just superficial means, there's a lot that's not shown here on the screen that goes on underneath the covers. Oops, it looks like we have a duplicate slide there.
 
Next is our range of content. So, this is just a small sampling of the hundreds of vendors that we include in our catalog. If by chance there is a particular product you're interested in patching that's not already in our catalog, we handle those requests from our customers on a weekly basis. And a lot of the logos that you see up here are a direct result of us adding that based upon customer request. So, when it comes to enterprise applications with the highest number of vulnerabilities, we do have the broadest range of content available. 
 
And lastly, as far as the differentiators, our Patch-Smart Technology, and this is where, again, it's part of that wrapper installation, we're providing some automated command line arguments for you guys to be able to utilize as part of your patching process. So, in there, you'll see a lot of the things that you would typically expect to see like install, update, reinstall, but there's a couple differentiators that you see there at the bottom like AutoUpdate=Disable. What we're doing there is allowing you guys to control the application landscape and disable the vendor's auto update, so endpoints are not just reaching out to the cloud at will and pulling down these updates because that makes it much more difficult for you to be able to support and manage and patch, moving forward. So we give you that option. Lastly, the CloseIfRunning=True, going back to Logun's example of zero-day vulnerabilities, if you guys are under attack with something like a zero-day vulnerability, you need to get that update out there as soon as possible. So, using the CloseIfRunning=True option allows us to forcibly close down that application and get it fully patched.
 
I think of it like Java, for example. You know, Java has hooks into other applications as well. So, when you utilize that capability, because of our application awareness and relationship with these vendors, we know other applications that might also need to be closed as well. So, we can handle, you know, not just the infected application but also any that it has hooks into, again, so that that update can be applied as quickly as possible without having to wait for users to reboot their systems. 
 
So, from an infrastructure standpoint, basically I'm just going to advance this and show where our solution sits. So, basically we have a very lightweight installer that goes on top of your software update point, and from there we get the hooks into WSUS to be able to inject our metadata. It also registers a desktop plugin at that point so that you're able to see our hooks inside of the SCCM admin console. So, everything that we do is native to SCCM. There is no separate client, there's no separate infrastructure involved, there's no separate console, no new skills that you guys need to learn to be able to immediately implement the solution and be successful with it, like Logun was talking about with that first 90 days, being able to reduce their number of vulnerabilities by 75%, or at least the third-party vulnerabilities. So, there's nothing else that we're adding to your environment other than that service on top of the software update point and our plugin inside of the console.
 
So, with that, I'm going to jump right into demo and hopefully these screens will transition nicely for everyone. But obviously, this isn't a live demo just because of the platform that we're using for this webinar, but it's going to appear as live as possible just based on click-through slides. So, we're going to talk about several things but first I'm going to introduce you to HEAT PatchLink to be able to take care of the third-party products because in reality, 85% of all of the vulnerabilities over the past 3 years have been the third-party products, not the Microsoft platform. So that 15% that you guys are dealing with very nicely using your existing patch management framework, that's great, but the lion's share, that other 85% that we have to get a handle on because that's where these vulnerabilities are coming at us from.
 
So, this is basically our console. You can see we have a node that we add inside of SCCM. And basically I'm going to show you what our setup looks like without, you know, the things like where would you like the binaries installed. This basically mimics what our setup looks like. So, here's the welcome screen. I click Next, here's where we're able to specify the proxy server if there is one in the environment. Click Next again. And now it sees my local site server so it's already populated the name there. If it's a remote, you just provide the fully qualified domain name along with any credentials and click Next. At that point, then make sure that they can communicate with the software update point because that's, again, how we get our hooks back into WSUS to be able to do our metadata injection. Everything's good there so I click Next. And now it's asking for the serial number for activation. 
 
So, anybody on the webinar that would like to trial our product and, you know, "Kick the tires and light the fires," as we like to say here in Texas, we're more than happy to give you a trial license, full catalog for 30 days. You just type in that serial number here and click Next again. And that's basically it. The last thing that you would see in our setup is the option to go ahead and manage your products. So, that's the same thing as if I go to the catalogs item in our node and click the Manage Products. From there it's going to...oops, let me go back, load up and basically…let me collapse this. I'm going to first show these software updates. So, this is basically where you would go in and choose which vendor, which products, and which versions of those products you want to start seeing in front of the SCCM admin console. This isn't going to automatically deploy them or anything like that, you still have full control over which updates you're pushing out to which collections at which time. All this is doing is saying which products you actually want to start patching using our solution.
 
So, one of the other differentiators is the ability to auto subscribe. So, as you can see on the bottom of the screen, it says Auto Subscribe. It basically allows for, I can't read it because it's so small, but what it allows is for you to be able to automatically get any new version information for that particular product automatically imported into SCCM. So, you don't have to remember if Adobe comes out with Flash Player version 23 next week to come back into this console and tick the box next to version 23. It'll happen automatically for you, which is great because then you have things like automatic deployment rules that can be applied based upon new content coming into the environment. I'll show you that in just a minute. 
 
So, one of the other outlets that we provide is the ability to... Excuse me for a moment. I forgot to silence my other phone. And yes, I do have the "Game of Thrones" as my ringtone. We provide for our customers the ability to also do migration packages in full-blown installers. So, those are a couple of the other items here. For the migration, we provide that for Java Runtime environment. So, if you guys are able to get to version 8 and standardize on that, we give you the ability to use this package to go ahead and drop the bits for version 8 while also removing the attack surface of downloadable versions like 6 and 7. Because if you install Java 8 and those already exist on the system, it's just going to do a side by side install. This package will allow you, if you're ready, a lot of organizations aren't, but if you're ready to go ahead and migrate to version 8 and remove those other versions so you only have one attack surface and one product patch moving forward. 
 
Additionally, we have full-blown installers for a smaller subset of our vendors and these are some of the more common type applications that everybody has deployed in their environment. So, these are basically a way for us to trick SCCM and WSUS into believing that these are software updates, but the actual binaries and command lines behind them are the full-blown product. So, we've gone through all the application packaging and testing to be able to provide these for you for a lot of the main vendors like Adobe, Apple, Google, Microsoft, Oracle, etc. So, again it's a courtesy that we provide to our customers and helping you with your application management and security. So, with that let me get out of this and show you guys what it actually looks like inside of the SCCM admin console.
 
So, here if I go to our software library, choose Software Updates and expand it to All Software Updates. You'll be able to see that now I have all this third-party content inside of my admin console and if I continue to scroll down, you'll see I have Adobe, Apple, keep going, there's my Microsoft updates as well. So, I can now use all my existing skills or framework, patch management processes for being able to manage these third-party updates just as natively as you handle your Microsoft updates today. So, I can do a mass selection of all the different vendors and products, be able to go through, you know, download, create software update groups or simply step through the deployment wizard and start going through that process. 
 
But speaking of software update groups, I want to show you guys one of the tools that I find very useful in my own environment and recommending it to our customers as well. But this is a free product. It's a community-driven tool. It's available online and basically, it allows you, using PowerShell as the back end but with a really nice GUI, to be able to automatically create software update groups including Microsoft content, or as I'm about to show you, our third-party content as well. So, it's basically a right-click tool against the software update group item in the software library. You choose the Create Software Update Group, and it brings up that GUI front end for the PowerShell back end so you can provide a name for your software update group, choose whatever particular product you want along with the date and/or start date and end date so you can search based upon, you know, the past month show me all the updates for Flash because we're about to go through a patch cycle. And go ahead and click Add for the Flash Player. And now I'm going to choose Security Updates and add that as well. And then it's basically going to automatically create that software update group for you. So, it's a really quick and easy way to be able to generate those software update groups and be able to use those for your deployments.
 
So, going back to my example of being able to use this mixed level of content with different vendors and products, being able to go through those deployments, you know, if you guys have deployment templates, we'll plug seamlessly into those as well as any maintenance windows that may be tied to them. So, if you wanted to start patching servers as well using our product, more than able to do so. You know, I'm not going to bore you guys with stepping through a deployment wizard, you guys know how to do that stuff, but basically just know that we plug seamlessly into those deployments just as natively as a Microsoft update. Same thing applies for automatic deployment rules, like I was talking about earlier. So, if you want to use our product and be able to automatically send any new updates to a pilot collection, I recommend using an automatic deployment rule for that where you would say the software updates are, in this example, from Adobe Systems, the product's Flash Player, it's been released in the past day and it's not superseded, go ahead and deploy it to your collection. And in this example, I'm using a collection that was based upon systems missing that particular update or a series of updates from Adobe.
 
The other thing that I like to show is how we play into the audit compliance and using security baselines. Now, here's where I'm actually going to introduce another product that's available from Microsoft. It's free. This isn't officially supported, it's like pretty much anything Microsoft provides free of charge. You don't get a whole lot of support, but I have learned from one of the content manager product group members that there's now a V team or virtual team assigned to this product. It has budget behind it now so it is going to continue to live and breathe. And as you can see, it handles creating security baselines for all the major Microsoft operating systems and many of the server products like SQL, IIS, Exchange, etc. So, think of this tool as a Microsoft Hardening Guide, which if you guys on the phone have ever read one of those, you know it is boring as all [inaudible 00:34:53]. Typically they're anywhere between 250 and 500 pages of just, you know, deep tissue security recommendations for hardening whatever the particular product or operating system is. What this tool allows you to do is automatically generate configuration baselines inside of SCCM that you can use to assess the compliance state with those recommended security approaches. 
 
So, let me just show you what this looks like, for example, used in the Windows 10, 1511 is the latest one that we have here, but it will provide you all the necessary guidance, the security guides as well as all these different configuration items that are included as part of the recommendations from Microsoft for hardening in that platform. So, here you'd come in, make whatever selections you want, choose…you know, whatever you guys assign is going to be your approach for each one of these configuration items. You don't have to go through and change, you know, 500 and whatever number of settings, you can come in and selectively make those updates and then export it as a CAB file that then gets imported into SCCM.
 
So, let me just go through that real quick. So, here, right click Configuration Baselines and we're going to create a new configuration baseline now using our products. This is where you're able to come in, give it a name, in here I'm just calling it third-party product updates, select Add, and then choose Software Updates. From here we're going to expand the Security Updates and then get right down to the specific vendor, and in this case I'm going to pick on Flash again because it's, you know, the main vulnerability, it seems like, today. So, I'm going to choose several of the updates relevant to Flash Player. Now, each one of these are going to become a configuration item, just like you saw on that security configuration or compliance vendor product. And essentially we're going to target systems and evaluate what their compliance state is with each one of these updates and be able to report back to the site server if they're compliant or not. We can add some categories. Like you see there, I've added patch management and security. Those categories we'll be able to use later in things like reporting, alerting, etc. But there's my third-party update compliance baseline, and now all I have to do is right-click and go through the deployment.
 
In the deployment, basically all you need to do is specify which collection you want to have evaluated. So, here I'm choosing a device collection for all desktops and server clients and then specifying OK. From here I can also do things like generating an alert. So, I can say if 90% of the systems aren't compliant by this date and time, then go ahead and generate an alert. If you have Ops Manager in your environment, you can also generate an alert inside of the Ops Manager console where then you can take corrective action or put it for your workflow or whatever the case may be.
 
Now on the client side, so obviously there's loads of reports that you can run for these compliance baselines inside of SCCM. But you can also look at it from a specific client. So, if you have a help desk call and they're stating they can't traverse the intranet site, for example, this is a really quick and easy way to see if maybe they're out of compliance with a required update for that particular functionality to exist. So, here's an example of what a localized report looks like on an endpoint from that compliance baseline, and in this case the system is compliant because these updates aren't applicable. It probably means that I've already got a newer version of the updates, say Flash Player 22, installed. But as I scroll down in this report, you can see the metadata that we provide for each one of these updates. That metadata also includes relevant CVE information that you can use for, you know, searching for that particular vulnerability with some of those national databases. Like, in this case, you can see there that MITRE is one of the first ones that comes up, NIST, the vendor themselves, but again just demonstrating that all of our content is CVE-compatible.
 
Now, you can actually take these CVE IDs that are inside of the updates and search directly inside the SCCM admin console for that particular CVE ID. And in this case we're going to find out by plugging in that particular ID that it's not just Flash Player that's impacted, but it's Flash Player as well as Google Chrome. So, again as Logun was talking about earlier, his SecOps group, you know, doing the background work, Logun's able to already find out that we're providing an update for that known vulnerability before they even put it into 72-hour go ahead. So, in this example, not only are you able to react to that particular vulnerability that they alert you about in Flash, but you may actually be able to go back to them and say, "Hey, with that CVE ID, we also have updates available for Chrome," because the same vulnerability exists across those applications. So again, it's just ways that because of the unique nature of our metadata and how we're exposing that within the console, that you're able to take action.
 
So, let's go into some of the reporting elements and where we're able to, again, extend and enhance native capabilities of SCCM through our content and the metadata that we're exposing. So, one of the reports that I'd like to show is this software updates compliance report based upon updates by vendor, month, and year. So, if I run this report and specify the value for the collection, here I'm going to choose All Desktop and Server Clients. Next, we can either leave all the default values or go right into a specific vendor like Adobe, for example. But I'm going to leave it set to all values from the report and be able to see here that first, we have, you know, obviously in alphabetical order, all the Adobe Acrobat stuff but as I advanced through, you can see that there's additional information here for the Microsoft updates as well. So, you're getting this uber report of your overall compliance stature for all of the updates that you've been managing all along. So, this is a great report for auditors or one to hide from the auditors, but basically it does give you that bird's eye view of your overall security posture within the organization. But again, you can get right down to a specific vendor as well. 
 
Now, of course, all of this is SSRS-based or SQL Server Reporting Services. So, again we can extend and enhance native capabilities of SCCM with things like dashboards that show a much more, let's say, management-friendly view of the same data. It's just represented slightly differently. I was a presenter at MMS, you know, back in May. You can use custom logos, different titles. As we scroll down you'll be able to see that we have bar charts, you can use pie graphs, etc. Again it's just because it's all SSRS-based, but we're able to provide this level of detail for you about your third-party patching and also hook in the Microsoft updates as well. We'll have click-throughs where we can get into more detailed information about those graphics that I was just showing, and again be able to continue to click through and drill down into these reports right back into native SCCM reporting. So, again just being able to provide you the visibility of what your security posture is within the organization whether we're talking third-party products, Microsoft updates or a combination thereof.
 
So, with that, in having a few minutes left in the hour, just want to again kind of summarize what we've been talking about, but basically the main takeaway is that we're able to provide this enterprise-class patch and remediation for your environment without having to introduce any new infrastructure, separate client, agent console experience, etc. I want you guys to be able to utilize your existing skill sets and infrastructure to be able to take on this lion's share of the vulnerabilities and to be able to do it with the effectiveness that Huntington Bank is now being able to realize today. What kind of impact would it have on your organization or you as a, you know, professional, to be able to say the same thing after 90 days of implementing this, you were able to reduce your third-party vulnerabilities by 75%. That's just a tremendous value add. But again, there's also some other capabilities from other products like the security compliance manager tool, like that software update group toolset, and being able to use those to help strengthen, secure your overall environment like using SCCM as that overarching security compliance toolset. So, with that, I want to thank everybody for joining us today. I know we have a lot of questions in the window so I'm going to go ahead and start looking at that and addressing these in order.
 
I'm sorry we missed the first one at the start of the hour with, "What is the dial-in number?" I hope that person was able to identify it. How many backups are there? There's one question about, "Backups of SCCM do you have and how do you accomplish that?" That one I think we might need to take offline and get a little bit more detail about what you're trying to ask there. Another question, "I am currently evaluating a couple of vendors, why would I choose your product over let's say Secunia? What sets you apart?" Hopefully, and that one was asked at 22 minutes after the hour, hopefully, I've been able to articulate that through this session. But essentially, we're not requiring a separate console experience. Secunia does have a manual process for deploying patches one by one whereas we're able to step through the deployments just like you saw using software update groups and, you know, normal deployment wizard type of activity. So, hopefully, that'll work.
 
Some of these questions that I'm seeing are relevant to the actual webinar interface so I do apologize that the screen was too small or fuzzy as a couple have stated but we will work on that for our future webinar. "WSUS and SCCM, what do you do to integrate special?" We…actually, that's kind of a great [inaudible 00:47:40] for another one of the competitive advantages. Every other vendor in this space has hit a hundred product category limitation that is part of a Microsoft hard-coded threshold for the WSUS API. Because of our relationship with Microsoft, we've been able to work directly with the product group to be able to get around that. So, as far as our special integration with WSUS, we don't have a product category limit. You guys can consume our entire catalog at will and you'll never hit that limit with us. So, that's one of the things. But ultimately we're just using published APIs from Microsoft on WSUS and doing our data injection there. 
 
"Can I still use this even if I don't use SCCM for patching Windows? Meaning can I continue to use my existing WSUS environment and use it strictly for patching third-party apps? Thanks." No. Obviously, we are a direct plugin into SCCM and we are dependent on the SCCM client agent for installing, remediation, reporting of their patch status. We're relying on the management point for policy notification to the endpoints of what updates are supposed to be installed, etc. So, no, it wouldn't work with just WSUS standalone. "Does your tool require its own endpoint agent or does it simply use the SCCM agent?" I think I've answered that one. Yes, we use the SCCM agent and do not require a separate client. "How is PatchLink licensed?" It is licensed per node or endpoint that you plan to manage with our product. We do not have a differentiation between servers or desktop-class operating systems so you can patch your entire environment using the solution. We do have either subscription which is one, three or five years or perpetual license where basically you buy then you own it for life with annual maintenance.
 
"Does your software need to be installed on the SCCM server, CAS or on the console only?" Our product gets installed on top of the WSUS/software update point and also installs the PatchLink hooks onto the site server's console there. So, you can either RDP in or if you do have remote SCCM admin consoles, you would simply run the same setup and choose the option to install the console plugin only. And lastly, "Your presentation answered all my questions. Thank you." You're most welcome. So, with that, I don't see any other additional questions in the queue. If you do have any, please feel free to add those now, but with that, I will turn it back over to Melissa for her to close us out.
 
Melissa: Thanks so much, Duncan. I just want to thank everyone again for their attendance and I do apologize about the screens. We were trying to address that with BrightTALK as they weren't seeing the same issues we were, but we have recorded the presentation and we will be distributing the link to the recording as well as the PDF of the slides. So, look for that either later this afternoon or tomorrow morning. And again, I want to thank Logun especially for joining us today and telling the Huntington Bank story and again, I hope everyone got a lot of information on this.
 
Duncan: Melissa.
 
Melissa: Yes.
 
Duncan: We do have one more question that just came in.
 
Melissa: Okay.
 
Duncan: And this is actually a pretty good one, "Right now, our environment is using HEAT EMSS," which is the Enterprise Management and Security Suite, "How is this plugin more effective than EMSS?" Because ultimately the patch content and metadata is identical between those two systems, I can't say that it's really more effective. EMSS is a great standalone solution but it is a separate product to SCCM. So, for organizations that want to standardize on their management tools, we have had several customers migrate from EMSS to using the plugin so that they can reduce the number of management tools in the environment. But for those that don't have SCCM deployed, EMSS is a great standalone solution that will be able to handle third-party patching. So, thank you for that question. We will leave this going for a few minutes. For those that want to drop off, feel free. But I'll stick around, Melissa will stick around and if there's any other questions, we'll address those.
 
Melissa: Thank you, Duncan. And again, if you do have any questions, go ahead and use the question console. And if you do have any questions for Logun, I think he's here for just a couple more minutes. So, we'll keep it open for just another minute.
 
Duncan: And that is a very valid point for those that are still on the webinar, if you do have any questions for Logun that are more real life scenarios of how they're using it or what they're achieving, feel free to ask those as well.
 
Melissa: So, at this time I'm not seeing any other questions so I think we're going to go ahead and wrap up our presentation for the day. Again, thank you, everyone, for joining us and we hope you join us again on our next webinar. Thank you so much.