Agentless or Agent-Based Patch Management: Which is Best?

There has been a lot of debate over what type of technology is best for a patch management solution.  There are positives and negatives to each type of technology, and security concerns with each as well.  There is also a group of products out there that claim to be agentless but act more like an agent.  So my first order of business in this discussion is to set the stage as far as the definition of each.

An agentless solution is able to remotely detect current patch status and push tasks to the target for execution without the need to setup services, install software, or push policy to the machine through any means such as GPO etc.  So the control and all action is executed from a central point of management. 

An agent-based solution requires that some level of software, service, etc. is installed on the machine that needs to be managed; from that point on, tasks are queued or policy is defined, and the Agent checks in, pulls down these tasks/jobs and executes them as defined.

Definitions now cleared up, which of these is the ideal solution to implement for any given environment?  To understand which solution best fits an environment, we will discuss some of the benefits and drawbacks of both options. 

-Agentless solutions are typically faster to implement and have a lower learning curve to fully understand the technology.

-Agent-based solutions can get around some of the port and protocol requirements of agentless or at the very least offset these requirements by making them configurable. 

-Agentless technologies allow you to discover machines in the environment more effectively, whereas with agent-based solutions you need to deploy the agent to the machines through specific delivery mechanisms.  What if a machine bypasses the delivery mechanism? Ex: an agent delivered by OU falls short for my handful of non-domain machines.

-Agentless solutions need to have access to the machine at the time of the task to be executed.  Agents can be configured to catch missed tasks and execute them again at an alternate time (on next reboot etc). 

-Agentless solutions typically can reach domain, multi-domain, and non-domain machines more effectively from a single management console than some agent-based solutions.

-Agent-based solutions can manage highly mobile machines more effectively.  They can also offset bandwidth constraints for both scan and deployment side. 

-Agentless solutions have no persistent footprint on a machine, and for the highly regulated they can bypass some very tedious software certification processes otherwise needed to get an agent approved to run on machines such as servers.  One can argue that an agentless solution requires opening up too many security risks, like file and print sharing, remote registry, etc.  These requirements can be locked down to reduce the risk.

-Agent-based solutions can miss a machine altogether because it did not get the Agent or the Agent failed in some way, which is as great a security risk to the environment if it goes unpatched.  However, it would be the greater security risk to focus on closing a hole that already requires at least admin authentication to exploit while leaving a different hole in the network unaddressed that lets an end user elevate their privilege at will; that is the greater risk in the end.

The debate could go on much longer, and has for that matter, but I think we have enough of an argument built up to come back to the original question.  Which solution is best, agentless or agent-based?  It is arguable that neither solution can stand on its own without at least part of the other.  The best overall solution is one that utilizes the strengths of both agent-based and agentless solutions.  Most organizations need to be able to do some level of agentless discovery especially in this day and age of Virtual technology.  With an agentless solution, an IT admin can provision and deliver a server anywhere in the world in minutes.  How easy is it to do so and miss a key step like adding the machine to the correct OU or installing a specific agent to manage the machine?  It happens more than most would like to admit. Believe me, I have been part of installs where discovery scans have raised interesting questions and opened several eyes.  We also need products to handle the mobility of today’s world.  An agent-based solution makes more sense for these machines, as an agentless solution cannot manage laptops effectively on its own.  You can get creative with configuration and mitigate the issue, but you cannot eliminate it altogether without the help of an agent.  Shavlik NetChk Protect started as an agentless technology and added an Agent to manage some hard-to-reach places for agentless solutions.  Most partner and customer implementations that I manage with Shavlik today involve both the agent and agentless capabilities of our product. 

- Chris Goettl
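To make the hybrid argument above concrete, here is an added example (not Shavlik code and not from the original post) that reconciles one agentless discovery scan against agent check-in records, so that machines only one path can reach, and machines neither can reach, show up as distinct findings. The hostnames, timestamps and the seven-day staleness threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not a real inventory): what one agentless discovery
# scan saw, and the last check-in recorded for each deployed agent.
SCAN_TIME = datetime(2009, 7, 27, 9, 0)
DISCOVERY = [
    {"host": "srv-web01", "domain": "corp.local", "reachable": True},
    {"host": "srv-db02", "domain": "corp.local", "reachable": True},
    {"host": "lab-box7", "domain": None, "reachable": True},          # non-domain box; OU delivery never reached it
    {"host": "lt-sales3", "domain": "corp.local", "reachable": False},  # laptop off the network during the scan
    {"host": "vm-temp9", "domain": "corp.local", "reachable": False},   # provisioned in a hurry, no agent, powered off
]
AGENT_CHECKINS = {  # hostname -> timestamp of the agent's last check-in
    "srv-web01": datetime(2009, 7, 27, 8, 0),
    "srv-db02": datetime(2009, 6, 1, 8, 0),      # agent stopped reporting weeks ago
    "lt-sales3": datetime(2009, 7, 26, 19, 30),  # laptop checked in over VPN last night
    "lt-eng12": datetime(2009, 7, 27, 7, 45),    # mobile machine the scan never saw at all
}

def reconcile(discovery, checkins, now=SCAN_TIME, stale_after=timedelta(days=7)):
    """Classify every known machine by which management path can actually reach it."""
    result = {"both": [], "agentless_only": [], "agent_only": [], "unmanaged": []}
    seen = set()
    for m in discovery:
        seen.add(m["host"])
        last = checkins.get(m["host"])
        agent_ok = last is not None and now - last <= stale_after
        if m["reachable"] and agent_ok:
            result["both"].append(m["host"])
        elif m["reachable"]:       # no agent, or a stale one: the remote scan is the only working path
            result["agentless_only"].append(m["host"])
        elif agent_ok:             # unreachable at scan time, but the agent will pull queued tasks
            result["agent_only"].append(m["host"])
        else:                      # neither path works: this is the real exposure
            result["unmanaged"].append(m["host"])
    for host, last in checkins.items():
        if host in seen:
            continue
        # Agents the scan never found: fresh ones are mobile machines the agent still covers;
        # stale ones are either decommissioned or lost, and need a human to decide which.
        bucket = "agent_only" if now - last <= stale_after else "unmanaged"
        result[bucket].append(host)
    return result

if __name__ == "__main__":
    for bucket, hosts in reconcile(DISCOVERY, AGENT_CHECKINS).items():
        print(f"{bucket:15s} {', '.join(hosts) or '-'}")
```

The "unmanaged" bucket is the list worth escalating: those are the machines the argument above warns about, invisible to both the scan and the agent.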


Resellers of Security Solutions: Do you *really* have the customer’s attention?

Security of systems, whether comprised of datacenter mainframes, desktop workstations, laptops, or thumb drives and cellphones, is paramount. Maintaining security across these more diverse architectures is becoming increasingly complex and as such more difficult to manage to a “perfect” protected environment.  And the ways and means available for attackers to gain entry to systems are ever more sophisticated as they too take advantage of the improvements in technology.

So why are there still large numbers of corporations that believe protecting only a single group of their assets, for example Windows-based servers, with freeware scanning tools is even remotely sufficient to ensure the integrity of their corporate environment?

OEMs and Resellers need to do a better job at scaring the $%^* out of the upper management of these corporations.  They’re living in a fantasy that also believes locking the front door will keep burglars from considering entering through an open window, a basement crawlspace, the chimney, and so on.  Protecting only one of the many entry ways into an enterprise is tantamount to not really protecting it at all.

The first point to clarify is that attacks on their enterprise are not limited to Windows-based systems.  Attackers are targeting anything that can store or move a file, any device that can be touched from the internet (including cellphones and printers).

OEMs/Resellers should take the position of Trusted Advisor and offer the insight that only partially protecting the enterprise and hoping nothing gets through is truly gambling the future of the company.  While it may be that protecting one part of the total infrastructure will reduce the “statistical probability” of loss/corruption, from a Corporate Security viewpoint the only statistics that matter are actually binary.  Either the enterprise can be compromised, or it can’t.  Offering strategies that protect the full enterprise is a valuable service corporations will be willing to pay for.  But first, you have to wake them up to the reality that bits and pieces of freeware are not a prudent long-term strategy to ensure the survival of the company.


The Silent Failure that leads to the Destruction of the System

Like most people I expect, the notion of securing my laptop or workstation seems to be a simple thing; an automatic daily occurrence that just “happens” for the most part.  And rarely do we see any indication that the security being administered is actually doing anything.  But that’s the goal isn’t it?  No news is good news?  If the dashboard in my car shows “all clear” I reasonably presume everything is as it should be.  No brake warning light shining means I must have functioning brakes to stop the car.  Or, does it really mean that my brake warning indicator light may or may not be working, and that I actually may or may not have functioning brakes?   Still…  I get in the car and drive off feeling safe and confident.  So, if I get no pop-ups on my screen telling me the website I just went to is trying to download something unexpected onto my laptop, I can presume no one is actually attempting anything nefarious?   Given a few moments of thought, I come to the conclusion we often trust the simple $2 indicators (or lack of them) far more than we question whether the underlying complex mechanisms which use those indicators are in fact functioning.  No news is still good news, yes?  No, not really, but it is easier for most of us to handle.  Soon, we depend on this being absolutely true that we no longer can envision how it might not be true; that the defenses around my computer systems, whether at home or in the largest corporate data centers, could ever be breached without my being made aware of the attack.

But as it turns out, defenses are neither insurmountable nor ever totally repairable.  Even the attempts at “air gapping” between networks can be overcome by a human and a USB thumb drive.  This inescapable fact is at the very core of these battles around our data.  Neither side ever keeps the “high ground” long before a new battlefield is established, with new malware, viruses, and the programmatic vulnerabilities that allow them to enter a system.  So we cloak our systems with ever more sophisticated software, and analysts work to stay one step ahead of the next attack or attempted violation of our data.  But how do we effectively monitor our systems to know when a silent failure has occurred in this software we are entrusting to always work?

One basic thing you can do is ensure you in fact have the best technology in place to provide protection.  After all, if we are going to end up assuming everything is working unless it isn’t, that software must be the strongest, most rugged, most current protection available.  We want the best insurance policy we can get.  Note that the best may not be freeware either.  Freeware will guard against some things, but it doesn’t necessarily have the engineering investment to keep it both current and increasingly sophisticated against the increasingly sophisticated attacks it is meant to defend against.  After all, it only takes one clever bug getting past the “basic” protections of freeware to corrupt your enterprise.  Better to pay for products from companies that do this sort of security for a living. And there are several out there.  So which one is really going to be the best for your circumstances?  You need to talk to the vendors specifically and ask the hard questions.  Be certain you develop the highest confidence not only in what the vendor says they do, but in “how” they provide the protection, and “how” they create and maintain the data and signatures that tell them when something bad is occurring.  By learning the details of the software you are considering, you can build the needed level of confidence that the likelihood of a silent failure will be virtually nil.   Once you have your “short list” of products, construct the most evil scenarios you can devise and put the products through their paces. Test them exhaustively.  In the end, the more ways you devise to break the software, and the more times the software rebuffs being broken, the higher the degree of confidence you will gain for entrusting that software as the gatekeeper of your systems.

Each of us owes it to ourselves and to those whose data we are charged to protect to re-examine the basis of our defenses and really take the time to understand whether we are as well protected as we hope we are.  It is now time to discover if our “free or old” patching / compliance / anti-virus / anti-malware software products have been silently failing, exposing our systems to unknown assailants and allowing access to our most precious asset: our data.


Quant Project: Figuring out what Security REALLY costs

Today, an Information Technology (IT) Manager (or CIO) in even Small-to-Medium Businesses (SMB) often must oversee networks of hundreds of systems, components, and resources (e.g., people).  Every item (asset) has its own expense-to-the-company profile, from sorting out the Return on Investment (ROI) to understanding the Total Cost of Ownership (TCO) over however many years the asset will be employed in the total infrastructure.  And the color of money factors in also; some things can be paid for from CapEX (capital expense funds) and others from OpEX (operational expense funds).  Normally money cannot move between categories, therefore both budgets must be managed.  All of these calculations and presumptions must roll up together to allow for projecting the total IT budget.  Miscalculate or underestimate one cost, and some other needed asset goes unpurchased or unsupported, or a person is let go.

A first cut at itemizing the many factors and considerations for pricing out system scanning for software, and then patching software as required to maintain a level of security, was released on July 27, 2009.  The Version 1.0 model, an ongoing effort from the Quant Project begun in late 2008, provides a bridge between hard-number expenses and the myriad factors that can be combined for any given circumstance.  More so, the model is crafted to provide the needed flexibility of adding or ignoring factors for an individual circumstance, allowing it to be readily customized for a broad variety of analyses even beyond its original purpose of patch configuration management.

