Shavlik Protect is A Best of VMworld 2016 Gold Award Winner for Security

VMWorld2016_GoldAwards_11x17_Security

We are happy to announce that Shavlik Protect wins the Gold Award of VMworld 2016 for the Security category by TechTarget’s SearchServerVirtualization.com. We whole heartedly agree with their choice, but let’s give our perspective why Shavlik Protect is a winner.

Patch Management = Security Foundation

In today’s security landscape, there are an abundance of products that promise insight into the latest threat’s. With all of the flash and hype, many overlook the security of patch management which eliminates vulnerabilities and the countless threats that target each vulnerability.

There are many patch management products on the market, but Protect is particularly suited for virtual environments for a couple of reasons.

Virtualization Focused

VMworld is synonymous with virtualization and this is one of the great strengths of Shavlik Protect. There are many capabilities that make Protect a must for patching virtual environments including:

  • Online and offline virtual machine patching
  • Virtual machine template patching
  • Snapshot critical assets for superior rollback
  • VMware vCenter integration
  • VMware ESXi Hypervisor patching

The reality is that Protect seamlessly patches virtual environments making it a prime choice for the datacenter.

Just Say Yes to Agentless

Protect can use agents to assess and deploy patches, but our datacenter customers love our agentless capabilities for many reasons:

  • Assess and deploy patches
  • Minimize impact to server workloads
  • New virtual systems are never missed

Robust 3rd Party Patching

Too many organizations only focus on the operating system and turn a blind eye to the 3rd party applications that also create vulnerabilities on systems. Shavlik Protect in an industry leader with an immense catalog of 3rd party applications that is constantly expanded to cover new products and versions.

Just Add Water and Stir

Enterprise software has a bad rap for being very difficult to install and configure. With Protect, you can have the product installed, scanning for patches, and actually deploying patches in half an hour or less! Our engineering team has put a lot of effort in making Protect easy to install and use so you can get value quickly. Now don’t equate ease of install and use with simple. Protect has the capabilities to work in large and complex environments, but you can get started fast. Don’t believe me, try it for yourself.

Windows 7 and 8.1 servicing changes!?!?

Keep-Calm-and-Carry-OnI have had this question come at me from a dozen directions today, so I thought I would provide my thoughts on these changes in a more consumable and easily shared format.

First off, lets summarize the changes. Microsoft has announced that it is changing the servicing model for Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.  There will be a monthly roll-up similar to Windows 10 where all security and non-security updates will be bundled in a single cumulative update.  This means that starting in October the OS and IE updates will consolidate from several individual updates into a single cumulative bundle.  Come November the next cumulative will include the October updates as well and so on.

Microsoft is also going to provide a security only bundle for each month which is a little different.  The security bundle will allow enterprises to download only the security updates, but it will still be a single package with all security updates for that month bundled together in a single package.

.Net Framework will have a separate monthly roll-up and security only option that will update only existing versions of .Net installed on the system.  This update would not upgrade the .Net version to a newer one.

FAQ:

We will start with my favorite one.  Q: Did this change surprise you?

Chris: No, I actually made a prediction internally and had a bet with one of our content team members.  The prediction occurred when Microsoft first released the Convenience Roll-up.  I predicted that Microsoft would make this change before the year was out.  It just seemed like a logical next step.  Tylere owes me a six pack of good craft beer now.

Q: Why did Microsoft make this change?

Chris: They state similar reasons in their blog post that I linked to above.  I will state one other reason that I expect had a little something to do with it.  This was one of the final barriers to many companies making the switch to Windows 10.  Being able to pick and choose which updates to deliver to systems, especially in the case where something breaks had many companies holding back from moving to Windows 10.  Moving to the bundled approach has removed this convenience, although they are providing the security only bundle for each month.  One thing to note, in the write-up Microsoft did not state that this security only bundle was cumulative so we will have to wait and see if they are cumulative or not.

Q: Why is the cumulative bundled approach a deterrent for enterprises?

Chris: The biggest challenge with the cumulative roll-ups is that any breaking change in the environment means you need to choose between the cumulative bundle which may include many security fixes or breaking a business critical application if the two conflict.  On pre Windows 10 systems a single patch conflicting would mean making an exception for one patch instead of the entire months patch bundle.

If you recall the Windows 10 cumulative for January that broke the Citrix VDA client, Microsoft and Citrix had to coordinate a window of opportunity for Citrix to release an update to resolve the issue.  In this case it was a pretty quick turn around and customers with the VDA client installed on Windows 10 were able to apply the VDA update a week later then apply the Windows 10 January cumulative.

It did not seem too bad with just one week of lag time, but what if the cumulative breaks an application that is home grown or one that is from a vendor who may no longer be in business?  If a fix is either not forthcoming or comes months later this means that you cannot apply the next months cumulative or the month after, etc until the issue is fixed.  I have talked to many companies about concerns regarding the cumulative bundled service model for this reason.

Q: What does this mean for the Shavlik or LANDESK products I use to patch my environment?

Chris: Like Windows 10 for us it is business as usual.  We will continue to support updates for these updates as they release.  It really is just a change from 6-10 OS patches each month down to 1 patch that needs to be applied for the OS and IE.  So expect a cumulative roll-up or security only bundle for the OS, a .Net roll-up, and other Microsoft apps like Office, SQL, SharePoint mixed in depending on the month.

As always, we will be keeping an eye on any changes that develop and providing guidance and recommendations.  Sign up for our Patch Tuesday webinars to keep up to date on the latest from Microsoft and 3rd Party Vendors like Adobe, Google, Mozilla, Apple, Oracle and more.  From our Patch Tuesday page you can find future webinar registrations, previous Patch Tuesday infographics, presentations, and on-demand webinar playback from previous months.

Do you know your Patch Management Posture?

How well do you know the security posture of your environment?  Do you know how effective your Patch Management process is? Can you provide stakeholders with a quick look at the state of your network and show how protected you are in real time?

In today’s world with so many devices connected to a network and with the BYOD option becoming more and more of a norm, it is now more important than ever to have visibility into security risks for an organization.

Visibility into your security posture is the key to providing the knowledge necessary to take action on security measures that you can control. So how do you get visibility into your current security posture and what are valuable insights?

What are valuable insights?

  • When were devices last patched?
  • What are the outstanding patches missing from a device?
  • How many and what are the severity levels of the patches needed?
  • What devices are non-compliant and of those, which ones are the most security risk to the organization?
  • How quickly are patches deployed to devices after each patch is released?

How do you get the visibility into your security posture that is meaningful to you? Xtraction

Xtraction allows an organization:

  • To decide what is meaning information
  • To provide access to that information anywhere from a browser at anytime
  • To report real-time results based on the current state of the production database

Xtraction for Shavlik Protect provides a number of default dashboards as part of the Report Bundle offering.

These dashboards have been designed to give visibility into the security posture of an organization and to provide the insight needed to aid in prioritizing meaningful action.

Since the release of Xtraction for Shavlik Protect Reporting Bundle, 2 additional dashboards have been created and are available on the Xtraction for Shavlik Protect landing page of the community website.

Visibility into Security Posture

August Patch Tuesday 2016

Patch Tuesday Infographic

Third-party coverage for the August Patch Tuesday is pretty light. But just because we have no releases from Adobe, Google, Apple or Mozilla doesn’t mean there is nothing to worry about. Last week Google Chrome and Mozilla Firefox released security updates. Mozilla addressed four critical vulnerabilities in Firefox 48 and Chrome resolved four high vulnerabilities (their critical equivalent) in Chrome 52.

Microsoft has released nine bulletins this month. Five are rated as critical and four as important. There are no public disclosures or exploits in the wild this month! Also, for those of you looking at Windows 10 1607, you may want to hold off for a little bit. There are a lot of issues circulating because systems did not successfully upgrade, and the recovery options are not spectacular.

Let’s take a closer look at the five critical bulletins this month. All five include fixes for user targeted vulnerabilities and many of them could be reduced in impact if the user is running as less than a full administrator. User-targeted vulnerabilities are easier for an attacker to exploit as they only have to convince a user to click on specially crafted content; it is an easy and quick way for them to gain entry to your network. Understanding which bulletins include vulnerabilities that are user targeted can help you prioritize where to focus your attention first. Endpoints are the entry point for many forms of attacks, from APTs to Ransomware. Plugging as many user-targeted vulnerabilities on the endpoints is a good practice to reduce entry points to your network.

The Five Critical Bulletins

MS16-095 is a cumulative update for Internet Explorer. This bulletin is rated critical and resolves nine vulnerabilities, most of which are user targeted.

MS16-096 is a cumulative update for Edge. This bulletin is rated as critical and resolves 10 vulnerabilities, most of which are user targeted.

MS16-097 resolves three vulnerabilities in Microsoft Graphics Component. The bulletin is rated as critical and affects both Windows and Office. In Office, the Preview Pane is an attack vector for these three vulnerabilities, so an attacker does not even need to convince a user to click on content if the preview is enabled.

MS16-099 resolves seven vulnerabilities in Microsoft Office. This bulletin is rated as critical and one of the resolved vulnerabilities is exploitable through the Preview Pane.

MS16-102 is rated as critical and resolves one vulnerability in Microsoft PDF. This vulnerability is user targeted. If you are using the Edge browser on Windows 10 it is possible to exploit this vulnerability simply by visiting a website with specially crafted PDF content. On all other OS versions, the attacker would need to convince users to click on the specially crafted content because Internet Explorer does not render PDF content automatically.

For more details on Patch Tuesday, Patch Tuesday Infographics or to sign up for our Monthly Patch Day webinar visit us at www.shavlik.com/Patch-Tuesday.