What’s in a Name: Why We’re Changing Our Name (and More) in 2017

In the timeless classic Romeo and Juliet, Shakespeare wrote, “What’s in a name?”

This famous line implies that names are simply labels that don’t really matter. After all, Juliet posits, “A rose by any other name would smell as sweet.” It’s a nice sentiment, but perhaps (like Juliet) a bit naïve.

If a rose were called skunk weed, you would expect a very different experience when you smelled it. And as Romeo and Juliet’s tragic tale demonstrates, names can unite or divide us.

Names matter.

So what does this have to do with Shavlik?

We’re changing our name in 2017.

As you know, Shavlik was acquired by LANDESK a few years ago. LANDESK is a strong, stable and well-respected company in the IT industry. Our technologies are known for just working. This means being reliable, easy to integrate and use alongside other IT systems, and giving IT the ability to get the job done—whatever that job is—particularly when it comes to operational IT and remote enterprise systems management.

Add to that the fact that our staff is known for being friendly, willing to listen, and quick to act to make our customers’ lives easier, and we’ve got ourselves a great name and an equally great brand reputation.

So if the name is so great, why would we want to mess with it?

We wouldn’t, except that…

In recent years, LANDESK has continued to organically develop and enhance our technology, extending and integrating it in the directions of unified endpoint management (the management of traditional and mobile devices from a single platform) and endpoint security configuration management.

In addition to Shavlik, LANDESK has acquired several companies that have significantly expanded our focus to include IT disciplines such as:

  • IT service management (TouchPaper)
  • IT asset management (Managed Planet)
  • Patch management (Shavlik)
  • Enterprise-class, ruggedized mobile device management and application streaming (Wavelink and Naurtech)
  • Mobile email security (LetMobile)
  • Business value dashboards and reporting for IT (Xtraction)
  • User environment management for physical and virtual devices, as well as application management and privilege management (AppSense)

They’ll all change too. All these companies will have only one name in 2017. Does this change our relationship with Microsoft? Nope. Not at all.

Over the next several months, you will start to notice changes in LANDESK and the brands we’ve acquired. We are evolving. Refining our focus. Transforming in ways we never have before. And we want to bring our customers with us, continuing to help you along your organization’s journey to IT maturity.

We will still be the great company you’ve come to know and trust. We will continue to develop and maintain the world-class IT solutions relied upon by organizations across the globe. But we will be coming together in new ways, under a new company name, and with a new focus.

CyberSecurity Awareness Month: CyberSecurity Tips for Road Warriors


Security Tips for Road Warriors

A couple of months ago one of our product evangelists reached out to me and asked how to better protect himself and his personal information in his travels. He had settled into a hotel and a day later saw it in a headline as one of the latest exposed to credit card theft, and he felt a bit exposed. I would have loved to tell him some magical tips that would 100% safeguard him from that day forward, but in short, you cannot prevent it. There is no way to know who the next breach target is or when the breach could have been occurring. The only guarantee you have is that another breach will occur, and odds are you will have used your card there at some point. You can, however, reduce the impact when any of your information does get nabbed. Now, you can go to extremes: cancel all credit cards, just use cash, close all of your social media and online accounts of all kinds. But nobody wants to live that way either. The key is balancing the risks. I talked to many road warriors within our own company and we have some tips and tricks that can help you out. Our road warriors range from my light 16-20 weeks or so of travel per year to Simon, Doug and Rob, who spend more than 50% of their year on the road and take us to all parts of the globe. Here are some of the tricks we use to safeguard ourselves and to mitigate the impact if our information becomes exposed.

Phil Richards, Chief Security Officer:

I recommend reporting your credit card as stolen/lost/missing to the credit card issuing company at least annually. This allows you to receive a new credit card number, and invalidates the old one. Many hotel chains and retailers have had credit card info breaches. For the road warrior, it is highly likely that your card is among them. By changing the CC number, the stolen information is useless and cannot harm you.

Rob Juncker, VP of Engineering:  

I never go anywhere without my HooToo. It’s a wall charger with 2 USB ports, an Ethernet port, a fully portable charger (so it’s like a power brick) and embedded router. The best part about this device is it has full router capabilities. I have it set up so my computer always connects to it, and then I bridge the hotel Wifi to my personally secure wifi, or use the Ethernet port to plug into the hotel jack. I have it set by default to disable all inbound and just allow outbound.

Doug Knight, VP of Systems Management:

For the record, I told Rob about the HooToo, but since he beat me to it here is a tip for additional layers of security and anonymity if your travels take you to countries where you need some extra protection and ability to bypass some levels of content filtering. I subscribe to a VPN service called Private Internet Access. I set up an L2TP and then run their default client on top of that. The IPSEC client gives me encryption and some anonymizing and the L2 VPN even allows me to get thru (pretty reliably) the “Great Firewall of China” to reach content that may otherwise be blocked. For the server setting in the L2TP VPN, it’s best to enter the IP address for the server locale you wish to access instead of the DNS name. To obtain an IP address for this purpose, you can ping it or you can go to http://www.ping.eu/ping and enter the server name to be able to get IPs for the server you would like. Do this before you leave the country.

Simon Townsend, Chief Technologist:

I don’t just evangelize about the great security solutions we have at AppSense.  I use them regularly.  I run as a standard user on my Windows machine and have a local admin account that is used only for installation and initial setup.  I run AppSense Application Manager on my system and by default cannot install or run anything that I download under the context of my own LANDESK account.  If I need to install something locally I use RunAs or AppSense self-elevation to give myself temporary permission to perform those actions.  If I need to do something that is only going to be temporary I will bring up a VM snapshot that is NAT’d.  This provides a Deep Freeze style solution that I can revert easily and separates the task I am performing from local data as it would not be exposed to the VM.

Chris Goettl, Senior Product Manager:

You never know what is observing traffic on public wifi or if the connection you are on has been compromised.  Early in my career I connected to a hotel wifi and their router had been compromised.  My Gmail session was hijacked by a man in the middle attack and within a few hours suspicious email began flooding forth from my account.  Needless to say I changed my password, enabled two factor authentication (also highly recommended) and became infinitely more paranoid during my travels.  Now wherever I go, after connecting to the hotel wifi I immediately connect to the corporate VPN before connecting to email or opening my browser.  The VPN tunnel provides an additional layer of encrypted protection from prying eyes.  I have also just ordered a HooToo and will be adding that to my travel defenses.


October 2016 Patch Tuesday


October Patch Tuesday will see some changes to how Microsoft and Adobe will be distributing updates. There is a lot of buzz regarding Microsoft’s servicing changes to pre-Windows 10 systems. October Patch Tuesday is the first release under this new servicing model, which we will talk about more in a moment. There are a few changes for Adobe Flash Player starting this month that you will need to be aware of. We are expecting a Google Chrome release today and Oracle’s Quarterly CPU next week, so plan on updates for Java JRE and many other Oracle solutions.

Regarding Microsoft’s servicing model changes, Microsoft has basically consolidated all IE and OS bulletins into a single update. This will be served up in one of two ways: as a security only quality update or a security monthly quality rollup. The biggest difference between these is that the security only update bundles just that month’s security updates, while the rollup is cumulative and also includes non-security fixes. I recently spoke with LANDESK CSO Phil Richards about this change and he provided some good feedback as far as the challenges companies may face. In last week’s Patch Tuesday Forecast, I also talked about some recommendations on how best to choose between the security only and the rollup options.

Adobe has changed their distribution for Flash Player, so you would need to get an agreement in place with Adobe to be able to get access to the Flash Player distribution page. Today also marks the final release of Flash Player ESR. So instead of a current branch and stable branch, Adobe will just have current branch. Since they are doing fewer feature changes to Flash Player, having a single branch simplifies their release model. The new distribution page included this notification:


Oracle’s Quarterly CPU is coming next week on the 18th. Oracle releases on the first month of each quarter on the Tuesday nearest to the 17th, which typically falls the week after Patch Tuesday. Watch for an update next week for Java and many other Oracle products.

Google Chrome should be releasing today. The Dev channel for Chrome Desktop updated late last week which usually indicates a Chrome release on Patch Tuesday or soon after. With a Flash Player update, they will be releasing to support the latest plug-in, but likely will have some additional security fixes as well.

Let’s break down the more severe of these bulletins.

Looking at the infographic you would see that Microsoft has released 10 bulletins today, five of which are rated as critical, and there are four unique Zero Day exploits across five of the bulletins. There are 10 bulletins, but the actual number of deployable packages is smaller. There will be the security only or security rollup, which will bundle MS16-118, MS16-120, MS16-122, MS16-123, MS16-124, MS16-125 and MS16-126 together in a single installer. For systems where you have installed a newer version of .Net you will have the .Net Rollup. Skype, Lync, Office and Flash are still separate updates. So you could have as many as seven packages to deliver to some endpoints, but most will be getting around five actual packages to test.

MS16-118 is a critical update for Internet Explorer. This bulletin resolves 11 vulnerabilities including one Exploit in the Wild (CVE-2016-3298). There are multiple vulnerabilities in this bulletin that are user targeted, meaning the attacker can convince a user to open specially crafted web content to exploit the vulnerabilities. Several of the vulnerabilities can also be mitigated if the user is running as less than a full administrator: the attacker would only gain rights equal to the user’s, reducing the impact if exploited.

MS16-119 is a critical update for Edge browser. This bulletin resolves 13 vulnerabilities including one Exploit in the Wild (CVE-2016-7189). Many of the vulnerabilities resolved in this bulletin are user targeted. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-120 is a critical update for .Net Framework, Office, Skype for Business, Lync and Silverlight. The bulletin resolves seven vulnerabilities including one Exploit in the Wild (CVE-2016-3393). This bulletin includes vulnerabilities that are user targeted. An attacker can host specially crafted web content or a specially crafted document file designed to exploit the vulnerabilities. One of the vulnerabilities (CVE-2016-3396) can also be exploited through the Outlook Preview Pane. Users running with reduced privileges could reduce the impact if exploited.

MS16-121 is an important update for Office. The bulletin resolves one vulnerability, which has been Exploited in the Wild (CVE-2016-7193). An attacker could send a specially crafted file through email or host specially crafted web content designed to exploit the vulnerability. Users running with reduced privileges could reduce the impact if exploited.

MS16-122 is a critical update for Windows. The bulletin resolves one vulnerability. An attacker could exploit this vulnerability by convincing a user to open a specially crafted file from a webpage or an email message. The Outlook Preview Pane is an attack vector for this vulnerability. Users running with reduced privileges could reduce the impact if exploited.

MS16-126 is a moderate update for Windows. The bulletin resolves one vulnerability, which has been Exploited in the Wild (CVE-2016-3298). This is the same CVE ID as the Exploit in MS16-118 for Internet Explorer. To fully resolve the vulnerability, both MS16-118 and MS16-126 must be installed. For Windows Vista and Server 2008, this means installing two separate packages. For newer OSs, both will be included in the security only or security rollup package.

MS16-127 is a critical update for Flash Player for Internet Explorer. This update resolves 12 vulnerabilities in Adobe Flash Player Plug-In for Internet Explorer. To fully resolve Flash Player vulnerabilities you must install updates for Flash Player, Flash for IE, Flash for Chrome and Flash for Firefox, so this could be multiple installable updates on a single system.

APSB16-32 is a priority one update for Adobe Flash Player. This update resolves 12 vulnerabilities. Many of the vulnerabilities are user targeted and, if exploited, could allow an attacker to take control of the affected system.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.



Patch Tuesday Forecast October 2016


October is here already and should be an interesting lineup of updates coming in the next few weeks.  There are also some things you need to know about servicing model changes from Microsoft and on distribution changes for Adobe Flash. Oracle is also going to be dropping their quarterly CPU this month.  Read on for more details:

On the Horizon

This is the month Microsoft will have its first delivery under the new servicing model and there is a lot of uncertainty amongst companies as to what really is going to change. I interviewed LANDESK CSO Phil Richards on the subject and he had a lot to say. You can check out the full interview here, but it boils down to this:

  • Microsoft’s change, while well intentioned, will impact many companies and could lead to some hard decisions.
  • Application compatibility is going to be the most significant of these changes. Most companies know what products are sensitive to updates already, so it may not be a bad idea to reach out to those vendors in advance and start asking if they understand the changes coming and potential ramifications.
  • While there may be some hard decisions in the future, with planning and other security measures the problems can be overcome.

Oracle will be releasing their quarterly critical patch update this month. I always try to emphasize this as they will not release on Patch Tuesday, but on the following Tuesday. Oracle’s release schedule is the first month of each quarter on the Tuesday closest to the 17th, which falls on Tuesday, October 18 this month. The Oracle CPU always brings a lot of fixes for some pretty nasty vulnerabilities. Take July’s release for JRE. This update included 13 security fixes, nine of which were remotely exploitable without authentication. Four of these updates were rated as CVSSv2 9.6, are exploitable remotely without authentication, are rated as low complexity, meaning they are easier to exploit, and rate as high for confidentiality, availability and integrity. According to analysis by Verizon’s 2015 Data Breach Investigations Report, these would fit the pattern of vulnerabilities likely to be exploited within two weeks of release from the vendor.
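The release rule described above, and in the October Patch Tuesday post's remark that the Oracle date "typically falls the week after Patch Tuesday", worked through as an added Python example that is not from the original posts. Patch Tuesday is taken as the second Tuesday of the month; the function names are illustrative. It also lists the quarters in which the two releases land on the same day.

```python
import calendar
from datetime import date, timedelta

CPU_MONTHS = (1, 4, 7, 10)   # first month of each quarter


def patch_tuesday(year, month):
    """Second Tuesday of the month."""
    first = date(year, month, 1)
    to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def oracle_cpu(year, month):
    """Tuesday closest to the 17th, per the rule stated in the post."""
    if month not in CPU_MONTHS:
        raise ValueError("CPU months are the first month of each quarter")
    anchor = date(year, month, 17)
    # Signed distance to the nearest Tuesday, always within -3..+3 days.
    delta = (calendar.TUESDAY - anchor.weekday() + 3) % 7 - 3
    return anchor + timedelta(days=delta)


def release_calendar(year):
    """(patch_tuesday, oracle_cpu, gap_in_days) for each CPU month of a year."""
    rows = []
    for month in CPU_MONTHS:
        pt, cpu = patch_tuesday(year, month), oracle_cpu(year, month)
        rows.append((pt, cpu, (cpu - pt).days))
    return rows


def coinciding(first_year, last_year):
    """Dates on which Patch Tuesday and the Oracle CPU share a day.

    This happens exactly when the 14th is a Tuesday: the second Tuesday is
    then the 14th, and the 14th is also the Tuesday nearest the 17th.
    """
    return [
        cpu
        for year in range(first_year, last_year + 1)
        for pt, cpu, gap in release_calendar(year)
        if gap == 0
    ]


if __name__ == "__main__":
    for pt, cpu, gap in release_calendar(2016):
        print(f"Patch Tuesday {pt}  Oracle CPU {cpu}  gap {gap} days")
    print("same-day releases 2015-2020:", coinciding(2015, 2020))
```

The gap is seven days in most quarters and zero when the 14th is a Tuesday, so test and rollout windows planned around "a week later" need a check for those quarters.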

Adobe has changed availability of Flash Player for distribution. This change has been looming for some time now. We first caught wind of this late last year and since then they have pushed the date multiple times, but on September 29 they finally took the plunge. From the distribution page you now get two directions to go: for consumers and for companies wanting to distribute. Follow the link to request approval for distribution. I personally went through the process and it was quick and painless and, once approved, you will receive details on how to access the enterprise-ready version of Flash Player for distribution in corporate environments.

Patch Management Tip of the Month

In a conversation I had yesterday with one of our customers, we shared details of the change Microsoft described in its blog and through other sources like the customer’s Microsoft TAM, and talked through some scenarios to figure out a plan to proceed this month and going forward. Here is where we left the conversation, understanding full well that “No plan survives contact with the enemy.”

  • For systems currently in operation, plan to test and roll out the October security bundle, which will include updates for IE and the OS in a single package. This package should be security-only updates and also should not be cumulative. In other words, if you need to exclude this bundle for any reason, you should be able to take November’s security bundle without it forcing application of the October security bundle. Expect to take the security bundle each month until you hit a situation where non-security updates (bug fixes) would force the need to apply the cumulative rollup.
  • For new systems implemented after the servicing model change, they are planning to start with the cumulative rollup until a point where they hit an exception, in which case they would switch to the security bundle for those systems until the event which caused the exception can be resolved, allowing application of the cumulative rollup once again.

And I will re-emphasize last month’s tip which is to expand your pilot group for application compatibility testing. Getting power users from the parts of your organization that rely on business critical apps will help you to ensure that these larger bundles of updates do not cause impacts earlier in the test process.  Many companies have test systems, but only validate some high level functionality like login to the system and basic data rendering. Many issues could occur deeper in legacy apps from rendering of PDFs to printing documents, etc. This year alone we have seen both PDF and GDI updates nearly every month from Microsoft. These are common components to be updated as they are high profile targets for user targeted attacks like phishing scams. A vulnerability exploiting a user is often the first point of entry into a company’s network.

Your Patch Tuesday Forecast

From this point on you can expect an average of three to four Microsoft updates. Under the new servicing model, we will typically see the Security Bundle (IE and OS updates), Flash for IE, .Net, Office and occasionally Sharepoint, SQL, Exchange and other applications.

Oracle will release on October 18, so expect a critical update for Java and many other Oracle solutions.

Adobe is due for an Adobe Acrobat and Reader update, so I am forecasting at least two bulletins from Adobe this month: Adobe Reader and Flash Player, and likely Acrobat as well. If Flash drops we will see the Flash for IE bulletin from Microsoft and plug-in updates for Google Chrome and Mozilla Firefox.

It has been nearly a month since the last Google Chrome release on September 15. They did a re-release late in the month, but with only a minor change. The beta channel for Desktop was updated yesterday so we are not far off. There is a good chance we will see a Chrome update on or before Patch Tuesday.

And as always, watch for our Patch Tuesday update and infographic next Tuesday and catch deeper Patch Tuesday analysis on our monthly Patch Tuesday webinar next Wednesday. Sign-ups and info can be found on our Patch Tuesday page.

The CSO Perspective: On the Upcoming Microsoft Service Model Change


The CSO Perspective: What Does the Microsoft Servicing Change Mean?

October is CyberSecurity Awareness month. It’s also the month that Microsoft will implement the new servicing model to pre-Windows 10 systems. Yes, that’s correct. Windows 7, 8.1, Server 2008 R2, 2012, and 2012 R2 will all be moving to an update servicing model similar to Windows 10. Microsoft first announced this change in June and described it as follows:

  • Internet Explorer and Operating System updates will be packaged in two ways.
    • Security Bundle—All OS and IE (Security only) updates for the month will be bundled in a single update. This is not cumulative: the November Security bundle would not include the October Security updates.
    • Cumulative Update—All OS and IE updates for the month for both security and non-security are included in a cumulative rollup each month. The November rollup would include the updates from the October cumulative update.
  • .NET Framework will be a separate Cumulative Rollup. This update will be a single package no matter how many .NET versions are currently installed on a system. The installer will detect and update the installed versions. It will NOT install net new versions.
  • Adobe Flash for IE will be a separate update.
  • Office, SharePoint, Exchange, SQL, and other products will still be separate updates each month.
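The packaging rules above, together with the fallback plan from the Patch Management Tip of the Month, as an added Python example that is not Microsoft's or Shavlik's code. The four-month timeline, the function names and the "breaking month" (a month whose fixes break a business-critical application) are constructed for illustration, and the model tracks security fixes only.

```python
"""Toy model of the security-only vs. cumulative rollup packaging rules.

Constructed for illustration: the timeline, names and "breaking month" are
assumptions, and only security fixes are tracked (a rollup also carries
non-security fixes, which this model ignores).
"""

MONTHS = ["2016-10", "2016-11", "2016-12", "2017-01"]  # constructed timeline
SECURITY_ONLY, ROLLUP, SKIPPED = "security-only", "rollup", "skipped"


def security_months(kind, month):
    """Months whose security fixes a single package delivers."""
    if kind == SECURITY_ONLY:
        return {month}                                  # not cumulative
    if kind == ROLLUP:
        return set(MONTHS[: MONTHS.index(month) + 1])   # everything so far
    raise ValueError(f"unknown package kind: {kind}")


def run_policy(preferred, breaking_month=None, resolved_in=None):
    """Walk the timeline for one system.

    preferred      -- package the system normally takes each month
    breaking_month -- month whose fixes break a critical app (the exception)
    resolved_in    -- month from which the app tolerates those fixes again
    Returns (log, missing): the per-month decision, and the months whose
    security fixes are still absent at the end of the timeline.
    """
    installed, log = set(), []
    for month in MONTHS:
        blocked = breaking_month is not None and (
            resolved_in is None or month < resolved_in
        )
        choice = SKIPPED
        # Try the preferred package, then fall back to the security-only one.
        for kind in dict.fromkeys([preferred, SECURITY_ONLY]):
            delivers = security_months(kind, month)
            if blocked and breaking_month in delivers:
                continue   # the whole package is refused, not just one fix
            installed |= delivers
            choice = kind
            break
        log.append((month, choice))
    return log, sorted(set(MONTHS) - installed)


if __name__ == "__main__":
    scenarios = {
        "security-only, October breaks the app":
            dict(preferred=SECURITY_ONLY, breaking_month="2016-10"),
        "rollup, November breaks the app, never resolved":
            dict(preferred=ROLLUP, breaking_month="2016-11"),
        "rollup, November breaks the app, resolved in January":
            dict(preferred=ROLLUP, breaking_month="2016-11",
                 resolved_in="2017-01"),
    }
    for label, kwargs in scenarios.items():
        log, missing = run_policy(**kwargs)
        print(label)
        for month, choice in log:
            print(f"  {month}: {choice}")
        print("  missing security fixes:", ", ".join(missing) or "none")
```

In the unresolved rollup scenario every later rollup is refused because it still contains the breaking month, so the system stays on security-only packages and every security fix from the breaking month stays missing, not only the one that conflicts.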

I’ve had questions from customers, prospects, writers, vendors, and partners about the real impact of this. I’ve posted my thoughts, but today I thought we would catch up with LANDESK CSO Phil Richards and get his.

Chris: Phil, thanks for taking the time to talk about how you see this change and the improvements and challenges we’ll face in the future.

Phil: Thanks, Chris. This is an interesting development from Microsoft that has potential security improvements, and potential issues, depending on how we, the consumers, respond.

Chris: Phil, Microsoft’s change was prefaced with a message of “You asked for it, we delivered.” They didn’t really say what we “Microsoft customers” asked for. So, based on the changes, what was it you think we asked for?

Phil: Enterprise-level patching is far more complex than patching your personal computer at home. There are three main improvements customers are looking for over today’s patching processes: simplification, quality, and security. I think a good portion of the consumers are looking for a simplified patching experience. The complexity of patching—understanding precedence requirements, identifying installed components that require patching, and anticipating future patch needs—makes the patching experience somewhat painful, error prone, and manually intensive for IT professionals. Unfortunately, this is a double-edged sword: when Microsoft bundles the patches, making the customer interface more simplistic, they increase internal complexity of the patch package. The bundled patches must respond correctly to more configuration permutations. While many customers don’t like the complexity associated with multiple patches, I believe they will be unable to support patch bundles across the entire set of systems that require patching. When an IT department has a particular server that needs special handling because of software that will not work with a specific patch, it’s faced with the very real challenge of not applying the entire patch bundle on that system. Over time, we will see many systems that are not able to take patches at all, lowering the security readiness of the enterprise.

Customers are also asking that Microsoft improve the quality of the patches. But increasing the complexity of the patch package by bundling patches raises quality of the Microsoft package at the cost of adversely impacting other sensitive applications on the system.

Finally, customers also need improved security from their patches. With this new patching delivery method, updates are more frequent and potentially more comprehensive. Unfortunately, security updates often create new security vulnerabilities as quickly as they patch old ones. They are, after all, software. While this happens much more frequently with other providers, it has occurred with Microsoft patches. Another security issue has to do with the volume of patches and the possibility of missing one or more of them in your environment. By bundling the patches and providing a cumulative update, IT professionals have the ability to make sure their servers are up to date. Again, the downside is that if I am unable to patch a particular server because of one component, the server remains vulnerable to all threats in the whole patch package.

Chris: Seems like, even with Microsoft’s good intentions, there could be challenges. Digging deeper into some of your points, let me throw a hypothetical situation at you and see how you’d handle it. Let’s say you have a legacy application in your environment that’s critical to your business and very sensitive to patching. You know that each month the security updates need to be tested and often result in one or two OS updates you have to mark as exceptions because they conflict with this application.

If we look at September’s updates and apply the details Microsoft described, the 14 bulletins become 4. The largest is for IE and OS updates. It rolls 10 bulletins and 31 vulnerabilities into a single bulletin. There is another for Office, one for .NET, and one for Flash Player for IE. One of those OS bulletins for September is for the Windows Graphic Components. Under the old model it’s bulletin MS16-106, which resolved 5 vulnerabilities. In this case it will be in the bulletin that includes 31 vulnerabilities, including a Zero Day that was resolved in IE. This GDI change breaks the legacy application and will cause a major disruption to the business. You have to choose to make an exception or break the application and wait for the vendor to fix it. What would you choose to do?

Phil: If I choose to run the critical business application and keep my business afloat, I have to choose not to install multiple patches, which poses a very real threat to my business. If I choose to patch, I have to stop running the application, which poses a very real threat to my business. To address this issue, I’d try to get the vendor of the application to make modifications to support the Microsoft patch. I’d also look at other technologies that will allow me to further isolate the offending application, so I can patch the operating system, or apply network configuration changes to decrease the attack surface of the server. Major technologies in this space include containerization to isolate the application or web application firewalls to decrease the attack surface. While there are workarounds to patching issues, these require heavy lifting by an already overburdened IT organization. These workarounds aren’t efficient and will increase complexity of the environment overall—which is exactly what Microsoft is trying to avoid in the first place.

Chris: Let’s take this scenario one step further. The legacy application is from a vendor that’s no longer in business, so there’s no fix forthcoming. This leaves you with a known exploit for IE exposed in your environment, which is unacceptable. What steps would you take to protect the systems that require this application?

Phil: At this point, the best that can be done is application isolation through containerization and network isolation through a combination of segmentation, firewalls, and web application firewalls. The amount of work involved in this one-off solution is significant, and it’s brittle. I believe this scenario will happen multiple times for customers that have special apps not supported by vendors that are running significant portions of the business. Once the workaround solutions are in place, there is no incentive to fix the underlying problem. It just becomes more walled off, creates higher technical debt, and because of the brittleness of the solution, remains a high risk area of the infrastructure. The problem also compounds. Since the patches need to be cumulative in nature, there is the possibility that by skipping the patch bundle for October, you might not be able to take patches in the future, which increases the network configuration pressure, increases the brittleness of your workaround, and makes it all the more difficult to extricate your business app from the vicious cycle.

Chris: Great feedback, Phil. Thanks again for your time and recommendations. It appears that we should all expect some changes in the near future and some hard questions may come up, but I think you have provided some great takeaways from this discussion.

  • Microsoft’s change, while well intentioned, will impact many companies and could lead to some hard decisions.
  • Application compatibility is going to be the most significant of these changes. Most companies know what products are sensitive to updates already, so it may not be a bad idea to reach out to those vendors in advance and start asking if they understand the changes coming and potential ramifications.
  • While there may be some hard decisions in the future, with planning and other security measures the problems can be overcome.

As always the team here will be keeping a close eye on the situation. As we near October Patch Tuesday we will have more details to share. Make sure to sign up for the October Patch Tuesday Webinar; we plan to cover the new servicing model changes in detail once we see the first month of the new model in operation. www.shavlik.com/Patch-Tuesday

How to Achieve and Sustain Secure Agility

The long-term success of a business depends on its agility – the ability to sense and adapt to changes within the industry in order to stay competitive. The same can be said for your IT operation, but it’s not as daunting as it sounds.

Start at the bottom—and at the top

An agile enterprise requires agile, user-centered, comprehensive, integrated security. If security at your enterprise isn’t already all of those things, start making it all of those things.

For most of you, that effort can and should begin with patching your key applications, operating systems, client systems, and servers more consistently and regularly than you are now. As you and your colleagues get patch management sorted, you should be looking for other opportunities to establish, improve, and extend security policies, practices, and technologies that improve agility across the enterprise.

Secure agility can be built from the ground up, but the will and commitment to become and remain securely agile must come from enterprise leadership. That means executives, IT, security, and business unit leaders must be visibly and demonstrably behind security- and agility-enhancing initiatives.

Walk the talk

Declared commitments to secure agility must extend beyond platitudes and media quotes. Every strategic plan, every set of operational practices and principles, and every solution chosen for deployment must reflect and support that commitment for it to mean anything to your enterprise. This means that every such resource must incorporate processes for regular review and the opportunity for revision in response to corporate, marketplace, or regulatory changes.

Build it in

Every process and control upon which your enterprise’s competitiveness depends must incorporate security- and agility-enhancing elements.

This means those processes and controls must be driven by and measured against your enterprise’s performance requirements and goals. They must also incorporate specific features for integration with and support of efforts to achieve and sustain user-centered security.

Controls and processes that do not include these characteristics will likely contribute little to your organization’s agility, and might even impede it. (This means all controls and processes must be reviewed and tested regularly and designed to be easily modified or retired as changes demand.)

Show your work

It’s not enough to preach the gospel of secure agility. It’s not even enough to achieve a sustainable level of secure agility. For your efforts to have maximum business value, you must show and tell all of your most important stakeholders the details of those efforts and their effects. This means that consolidated, integrated, timely, business-driven reporting of all things related to security and agility should be a critical element of your secure agility efforts.

Be securely agile everywhere

Pursuit of secure agility may begin in one or more departments or business units, but for maximum business benefit, it must be pervasive.

For many enterprises, the best way to make this happen is to start with IT. IT powers most of the services that run an enterprise’s business and is already focused on (if not preoccupied with) security. Secure agility initiatives that prove successful within IT can therefore likely be incorporated into the delivery and management of other business services.

This means that a single, integrated, process-driven platform for service management and security management can be a powerful enabler of enterprise agility.

Secure agility is an operational and competitive requirement for every successful enterprise. By taking concrete steps toward inculcating a culture that is focused on user-centered security and enterprise agility, you can accelerate your enterprise’s journey to true, sustainable, secure agility.

If you choose or are forced to remain focused on reactive firefighting as an operational approach to security, neither secure agility nor your career is likely to advance much further at your enterprise.

Moving to a proactive, holistic approach to user-centered security and enterprise agility, however, will have salutary effects on your enterprise and your career.


Reshaping Your Enterprise With Agility, Resilience, and Trust

It is critical to understand that success in establishing and cultivating ART-fulness (agility, resilience, trust) at your enterprise—like success in establishing and cultivating comprehensive security—is largely an outreach-driven effort.

Both require consistently high levels of internal marketing, sales, and evangelism.

These requirements may constitute the bulk of your challenges as you seek to establish, grow, and promote both ART-fulness and security at your enterprise.

Fortunately, there are some straightforward steps you can take to tame these challenges, steps based on some fundamental, consistently successful marketing and outreach techniques.

How to Make Your Enterprise More Secure and More ART-ful

  • Engage

Security and ART-fulness are things you simply cannot achieve and do not even want to attempt without lots of help and support. Identify the influencers, leaders, and stakeholders who matter most to your efforts. Then, make sure their voices are heard and matter, and make sure that they know these things are true.

  • Inform

Once you’ve identified those who matter most, get and stay in touch with them. Tell them what you’re doing and why. Tell them how their support is contributing to your efforts and why those contributions matter. Regular, non-disruptive, nonintrusive communications, perhaps via a short e-mail newsletter, a dedicated internal Web site or portal, or both, can be low-effort, high-impact tools here.

  • Persuade

Use the activities and information with which you engage and inform your constituents to persuade them that comprehensive security and ART-fulness are essential to your enterprise’s success. Find and share supporting external examples of secure, ART-ful enterprises.

Identify and tout credible data that underscores the business value of security and ART-fulness—and the costs and risks of not having enough of either. Free, simple, Web content monitoring tools such as Google Alerts can make finding such points of persuasion easier.

Also, when you and your colleagues successfully improve security, agility, resilience, and/or trustworthiness within your enterprise, promote these successes to as many stakeholders and influencers as possible. Nothing persuades like success.

  • Invite

This is one of the most critical and frequently overlooked elements of successful outreach. Every communication should include a call to action—an invitation to do something to continue the conversation. Ask your constituents for their opinions and suggestions wherever possible.

Hold events such as webinars and Tweet chats, and invite constituents to participate. Solicit success stories or even “epic fails” related to security, ART-fulness, or both, and share these with attribution. Welcome input and feedback, and incorporate these explicitly into your enterprise’s journey to greater security and ART-fulness. This is one of the most effective ways to turn the disinterested and skeptical into observers, stakeholders, and advocates.

An enterprise that is optimally secure and ART-ful is one that is well positioned for sustained success, whatever its primary business. But neither optimal security nor ART-fulness ever just happens. Each requires careful, consistent nurturing and support from a committed community of advocates.


Trust Us, the Cornerstone to Business Is ‘Trust’

Let’s cut to the chase. There are likely no circumstances under which you would choose to do business with any person or entity you could not trust.

It is equally likely that every client (internal and external), partner, and prospect of your enterprise thinks and feels exactly the same way.

Trustworthiness is therefore at least as critical to your enterprise’s success as agility or resilience.

To quote perhaps the world’s best-known investor and businessperson, Warren Buffett, “Trust is like the air we breathe. When it’s present, nobody really notices. But when it’s absent, everybody notices.”

This is especially true for companies that sell products or services, which is just about all companies.

Trust and the Bottom Line

Stephen M.R. Covey is the author of the book The Speed of Trust: The One Thing That Changes Everything. He is also the son of Stephen R. Covey, who wrote the worldwide bestseller The 7 Habits of Highly Effective People, and CEO of the Covey Leadership Center. A central element of Stephen M.R. Covey’s thesis is that deals get closed faster and are more successful when those involved share high levels of trust.

Specifically, Covey argues that success in business requires a winning competitive strategy, and superb organizational execution—and that distrust is an enemy of both. He adds that while high trust levels won’t necessarily make a poor strategy effective, even the best strategy can be derailed by a lack of trust.

The bottom line? Edelman, the world’s largest PR firm, surveyed some 33,000 people worldwide for its 2015 Edelman Trust Barometer. Of those respondents, 63 percent said they simply refuse to buy anything from those they don’t trust. Further, 80 of those respondents said that they will buy only from those they trust.

Zig Ziglar, one of the best known and most widely read sales professionals in the world, once said, “If people like you, they will listen to you. But if they trust you, they’ll do business with you.”

How to Achieve and Sustain Trustworthiness

  • Know where you are. Bite the bullet, and ask your most important constituent groups (privately, of course) questions that help you assess how much they trust your team or company. At minimum, ask if they’d do business with your team or company again, if they’d recommend your team or company to peers, and why or why not.
  • Fix what’s broken. Use those questions and answers to identify any unsatisfied constituents, find out why they’re unsatisfied, and fix it. Every unsatisfied constituent is a detriment to trustworthiness, and you should assume that your constituents talk with each other.
  • Cultivate advocacy. Use those questions and answers to identify your happiest, most trusting clients and partners, then ask them to let you make them stars. That is, ask for their permission and cooperation to showcase them in your outreach efforts. Then, make it as easy as possible for them to be featured in the success stories, presentations, interviews, and other content you produce with their cooperation and support.
  • Show your work. It’s one thing to claim to be trustworthy. It’s another to be able to demonstrate and document trustworthiness credibly and on demand to any and all stakeholders—from customers, partners, and prospects to auditors and regulators. This is a major, long-term, continuing effort. And everything you do to make and keep your organization’s IT infrastructure comprehensively, demonstrably secure greatly aids these efforts. Comprehensive, proactive, user-centered security is a firm foundation for managing governance, operational transparency, and reporting. All of these, in turn, enhance your organization’s ability to both claim and credibly demonstrate trustworthiness.

Make the goal of trustworthiness a significant part of every plan, strategy, and process that governs your business, especially those focused on IT security, since the security of your IT infrastructure has direct and profound effects on your organization’s ability to be trusted. Include your internal and external clients and partners in this effort wherever practical. It may be the single most significant thing you can do to minimize time to success and maximize the number and value of constituent relationships, for your constituents, your team, and your enterprise.


Shavlik is Your Single Solution to Creating an ART-ful Enterprise

While tools alone will not guarantee comprehensive, effective, user-centered security, the right tools can enable and accelerate your progress toward that goal.

Shavlik offers a number of tools that can support your efforts to maximize your organization’s IT security.

Shavlik Protect

When the majority of vulnerabilities come from third-party applications, patching operating systems isn’t enough protection for your organization.

Shavlik Protect is an effective, easy-to-use solution for automating the patching of everything from data center servers to client workstations and virtual environments. It automates patching of not only Microsoft Windows and Office software but also third-party applications from hundreds of vendors, including Adobe, Google, and Oracle.

Shavlik Protect can be configured to deliver agentless or agent-based patch management, and can patch both online and offline virtual machines, including templates and the hypervisor itself. It can even take snapshots prior to patch deployment, so you have a rollback option if something goes wrong. Other capabilities include a library of ITScripts (pre-created PowerShell scripts) that can be customized easily to automate scores of IT maintenance tasks, on demand or on a regular schedule.

Shavlik Protect is also intuitive and easy to configure and use. For many users, Shavlik Protect can be deployed and begin delivering value in as little as 30 minutes.

Shavlik Empower: Heterogeneous Patching in the Cloud

This cloud-based solution delivers patch management for and asset intelligence about Windows and Mac OS X devices. Empower sentinels scan for devices across your environment, then leverage Microsoft Active Directory to extract and map significant intelligence about your organization’s IT assets. Empower then deploys agents that enable comprehensive, flexible patching of Windows and Mac OS X systems, wherever they are.

A browser-based interface enables administrators to view and manage the information collected by Empower sentinels and agents from almost any Web-connected device. Empower can be deployed independently, or as an add-on for Shavlik Protect, Shavlik’s patch management automation solution for datacenter servers, client workstations, and virtual environments.

Fully automate Windows patching, with the flexibility to define policies that let you filter what you patch by severity, vendor, product family, or product version. Employ the same workflows to manage Mac OS X patching (with some slight differences in filtering options). Minimize user disruption with flexible scheduling and reboot control. Create a firm, flexible foundation for pervasive, effective, transparent security at your enterprise with Shavlik Empower.

Shavlik Patch for Microsoft System Center

For organizations that already know and use Microsoft System Center Configuration Manager (SCCM), Shavlik Patch is an ideal add-on for enabling SCCM to patch third-party applications. Shavlik Patch delivers updates for more than 1,500 application versions from an easy-to-use plug-in that snaps right into the SCCM console. Shavlik Patch enhances security and extends the value of Microsoft SCCM investments, with no additional infrastructure or expertise required.

Secure Mobile Email by LetMobile

LetMobile also supports comprehensive, configurable data loss prevention (DLP) filtering rules for both inbound and outbound traffic based on device, user, location, network and time. LetMobile also integrates with any incumbent corporate DLP systems to inherit existing rules and policies. It’s the best of all worlds for a “bring your own device” (“BYOD”) or “company owned, personally enabled” (“COPE”) environment, since it provides robust data security without interfering in any way with personal use of the mobile device.

The Shavlik Team: Your Expert Security Partners

The Shavlik website features authoritative, timely blog posts, as well as white papers, forums and security alerts. The site is an ideal go-to resource for your ongoing security education and promotion efforts.


5 Secrets to Achieving and Sustaining Resilience

There is one thing you must do – and keep doing – to start down the path toward true enterprise resilience: Patch everything. All the time. Starting now.

To make your enterprise truly resilient you need a firm, reliable foundation of security. The successful laying of that foundation begins with patching. Why is this step so critical to effective security and enterprise resilience? Here are a few reasons:

According to the Verizon 2015 Data Breach Investigation Report, “Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007—a gap of almost eight years.”

Gartner analyst Anton Chuvakin addressed this grave security concern in one of his blog posts.

“Although patching has been ‘a solved problem’ for many years, even decades, a lot of organizations struggle with it today—and struggle mightily,” he observed. “In the darkest woods of IT, patching third party applications on a desktop remains a significant challenge for many organizations.”

By the way, the National Vulnerability Database managed by the National Institute of Standards and Technology (NIST) states that some 86 percent of reported vulnerabilities come from third-party applications. So even the most robust patching of operating systems is inadequate to assure that your environment is secure enough to be truly resilient.

Do whatever it takes to ensure that all of your enterprise’s critical applications, operating systems, servers, and user devices are patched and updated consistently and in a timely fashion. Then begin the following actions:

  1. Plan – To make and keep your enterprise as resilient as possible, you and your team must develop and implement a comprehensive, business-centric plan for achieving and sustaining the resilience levels your business demands. Whether described as “high availability,” DR/BC, or otherwise, the goals of your plan should be the same—maximum resilience. And that plan requires a well-thought-out planning lifecycle, which in turn depends upon a formal, detailed policy for DR/BC.
  2. Analyze – Your plan should also be based on a business impact analysis (BIA) that maps out all critical processes, systems, and services, their owners, and their interdependencies. You and your team should then establish formal recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical business functions and supporting services. In addition, all of your service level agreements (SLAs) should be closely aligned with these objectives.
  3. Engage – To be as successful as possible, your plan must also include specific guidance for keeping the constituents IT supports engaged and informed about efforts to maximize resilience, security, availability, and recoverability. Such marketing and sales efforts may be unfamiliar territory for many in IT. However, they can be essential in gaining support from and eliminating objection or obstruction by those constituents.
  4. Update – Finally, a comprehensive plan must also include specific recovery and continuity plans and procedures. It must also include processes for testing these regularly and for regular review of all relevant policies, plans, processes, and procedures.

No enterprise can be fully agile or trustworthy if that enterprise is not sufficiently resilient. In fact, insufficient resilience can kill an enterprise in the face of a major disruption or disaster.

Begin by patching everything, all the time, starting now. Then, assess whatever current DR/BC resources and efforts are in place at your enterprise. Evaluate and triage these, then build upon them to reach and maintain the levels of resilience you, your constituents, and your enterprise want, need and deserve.