- US Army Website Hack Claimed by the Syrian Electronic Army
- China Expected to Have a Hand in the Office of Personnel Management Breach
- White House Orders Federal Agencies to step up their Cybersecurity game
Scary stuff, right? Unfortunately, this should all sound very familiar as there has been a steady stream of headlines around the rising concerns of securing U.S. federal agencies from cyber attack.
I recently had a conversation with Ben Tacheny, the U.S. Federal Territory Sales Representative here at Shavlik. Needless to say, Ben has been very busy as of late. He had a lot of really good insights and guidance that I wanted to share.
Q: Ben, what kinds of security problems are federal government agencies facing today?
A: IT security has never been a more prevalent, everyday conversation than right now, and the battle is being fought on multiple fronts – authentication, cyber security policies and practices, privileged user management, mobile device management and, at the top of that list, patch management.
Just look at the recent hacking of OPM and the U.S. Army website, as well as the recent White House call to “tighten cyber defenses immediately” by specifically “patching critical-level software holes without delay.”
And then you have Terry Halvorsen, U.S. Department of Defense CIO, who just spoke publicly at the AFCEA Defensive Cyber Operations Symposium in Baltimore on June 16, whose first major point in his presentation was stressing the need for all federal agencies to do a better job with patching and who said that the industry needs to help the DOD do just that – be more efficient and help ensure that the patches themselves have a high degree of trust.
Q: And Shavlik can assist with this?
A: It’s exactly what we do! As you know, many DOD branches now have an enterprise license of Microsoft SCCM for their patch management needs. But SCCM only patches Microsoft applications, not the hundreds of “third-party” applications like Adobe, Java, etc., which are the most actively targeted applications, according to vulnerability experts. These patches are currently being built manually within the DOD, and DOD admins are struggling to keep up with the number of patches released and the deadlines set to be patch compliant.
Shavlik Patch (a third-party patch data plug-in for SCCM) will help increase both federal end-users’ patch management efficiency and accuracy, while at the same time drastically reducing the man-hours needed to complete a successful patch management process for over a thousand third-party applications/versions. We also guarantee that the patches we test will be the same patches our clients download direct from the vendor.
Shavlik Patch will enable federal end-users to further enhance their investment in SCCM and those admins to patch their entire networks within the SCCM framework with no additional infrastructure needed (no consoles, agents, training required) and also will work within the DOD IAVA framework (helping DOD admins search and patch by IAVA bulletin numbers).
Q: What if the federal agency or organization doesn’t have SCCM?
A: We have another purpose-built patch management tool for those clients as well. Shavlik Protect is our own on-premise console with agentless capabilities that allow you to scan and remediate all the physical and virtual machines in your environment, including online or offline VMs, VM templates, and hypervisors, all with full scheduling automation and reporting capabilities, as well as our built-in IAVA cross-reference reporter.
Q: I hear that, depending on what part of the federal government companies are with, certain processes and approvals are required to be able to even purchase a product. What are these roadblocks and how do we help companies out there?
A: Each federal organization is unique and although that can be somewhat discouraging for some vendors, that’s where Carahsoft, Shavlik’s exclusive Federal Distributor, has been able to help us so much. Whether our prospects are required to get multiple competitive open market quotes or purchase on GSA, SEWP, etc., we make it as easy as possible to allow our federal clients to purchase our Shavlik patch management offerings however they need to.
Q: Federal agencies need to ensure that the security products they use adhere to certain standards. What are we doing at Shavlik to ensure our customers can be confident in our solutions?
A: We have one of the best product management teams out there and they are constantly at work updating our current federal product certifications as our development team releases updated versions of our software. They also pursue new certifications as they’re adopted and required by our current and prospective clients. Currently, Shavlik is Common Criteria Certified and has additional certifications with all individual DOD organizations (current US Army CoN, US Navy DADMS approved, multiple individual AF ATOs in place).
Both Ben and the team at Carahsoft are ready to answer any questions you may have. The Carahsoft team has provided some excellent guidance on 8 easy ways to lock down your agency’s cybersecurity systems. You can also view the OPM.Gov Cybersecurity Action Report, which shows what steps the OPM is taking to prevent future incidents.
For more details on how Shavlik can help, take a look at our solutions on our federal government landing page.