
Corporate Software Inspector – Bridging Vulnerability Management Gaps

WHITE PAPER
Executive Summary
The objective of this white paper is to show how Flexera Software’s Corporate Software Inspector addresses
important gaps in traditional vulnerability management tools: the assessment and remediation of vulnerabilities
on software and systems running on clients and servers. It closes the gap between IT Security and IT Operations
to allow full lifecycle management of vulnerabilities across the organization. These gaps expose organizations
to the risk of security breaches that can lead to loss of confidential data, hacker control of internal systems and
other negative consequences. Closing these gaps is of critical importance to mitigate security risk.

IN THIS PAPER WE WILL COVER:

• Introduction to Vulnerability Management
• Importance of patching and remediation as part of a complete Vulnerability Management process
• Reasons why organizations need to invest in developing their vulnerability management processes and implementing technologies to support those processes
• Our solution to close the patch assessment and remediation gaps: what makes Corporate Software Inspector different from traditional vulnerability scanning technologies and how it delivers accurate patch assessment and remediation to support the entire lifecycle of managing software vulnerabilities


[Figure 1: The Software Vulnerabilities Management Lifecycle. Circular diagram with three phases, ASSESS, MITIGATE and VERIFY, fed by Secunia Research. Labelled steps: Asset Inventory / Discovery; New Vulnerability Verified; Assess and Prioritize Risk; Apply Remediation or Work-around; Verify Mitigation; Manage Workflows; Continuous Reporting.]

What is Vulnerability Management?

“Vulnerability management is the “cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities”, especially in software and firmware. Vulnerability management is integral to computer security and network security.”1

Managing vulnerabilities means executing the full lifecycle of assessment, mitigation, and verification to keep the business safe from the consequences of the exploitation of vulnerabilities. In today's complex environments, vulnerability management requires consideration of multiple devices, platforms, and technologies. Yet the basic steps of the lifecycle remain very similar:

• Assessment phase: discovery of insecure applications and systems, evaluation of criticality and risk, and determination of the action required to mitigate that risk.
• Mitigation phase: implementation of the actions determined in the assessment phase; normally this means applying patches and other workarounds to remediate the vulnerability.
• Verification phase: validation that the mitigation actions have been implemented, that the threat has been removed and that it does not reappear later.

The different activities associated with the lifecycle often require collaboration between professionals across multiple departments. Also, for different types of devices and platforms, different approaches, processes and technologies are needed.

Vulnerability Scanning ≠ Vulnerability Management

While vulnerability scanners are a widely adopted technology, and play an important part in the vulnerability management process, they don't drive remediation of the most common issue: the patching of vulnerable software. You may ask, why is that?

Vulnerability scanners assess the presence of vulnerabilities in network appliances, user passwords, and Operating System configuration. However, they are limited in their ability to find software vulnerabilities on desktops and servers and, most importantly, they don't have the capability to patch these issues.

Many businesses rely on vulnerability scanners as the main – and often only – technology to support their vulnerability management processes, leaving critical gaps in the assessment and mitigation phases, particularly when it comes to applying security patches.

“Gartner clients find the coordination and orchestration of vulnerability remediation efforts a perennial point of operational failure for vulnerability management projects. Success requires coordination between IT security and IT operations for activities such as patch management and configuration hardening.”2

1 Source: Wikipedia (https://en.wikipedia.org/wiki/Vulnerability_management)
2 Source: Gartner, “Threat and Vulnerability Management Primer for 2017”, January 2017

The Importance of Patching

Applying security patches to software with known vulnerabilities is the most effective way to protect the organization from a vast array of attacks by hackers.

Vulnerabilities – old and new – are exploited to initiate attacks as well as to escalate privileges during the course of an attack.

The majority of exploitations use well-known vulnerabilities for which a patch is available. And research shows that the vast majority of first known exploitations of vulnerabilities happen, on average, 30 days after the patch is available.3

What this data suggests is that it should be possible for organizations to apply security patches before exploits are even available for the vast majority of the vulnerabilities.

Yet, why do we continue to see security incidents and data breaches associated with exploitation of well-known vulnerabilities?

THE MAIN REASON IS THE GAP BETWEEN IT SECURITY AND IT OPERATIONS

• Normally, those in charge of scanning for vulnerabilities (IT Security teams) are not in charge of applying patches (typically done by IT Operations); therefore, it is common that both groups don't understand each other's challenges and the gaps in the technologies they use.
• Technology integration is commonly poor, so it is impossible to build reliable processes using disparate technologies.
• IT Operations teams often do not have performance measures associated with applying security patches, and do not have tools to support making the right decisions when it comes to applying patches; prioritization of patches is key to remediating the most critical vulnerabilities first.

3 Source: “2016 Data Breach Investigation Report” Verizon http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016



Bridging the Gaps


Corporate Software Inspector is designed to close specific gaps in vulnerability management processes.

Gap: Patch Assessment
Feature that closes the gap: Comprehensive and accurate discovery of unpatched applications and systems
How it works and associated business value: There are different methods to assess the patch status of software and systems. Our technology detects programs based on actual data on the file system, which is far more reliable than inferring patch status from information that may be inaccurate or out of date, such as version data stored in the Windows Registry. Corporate Software Inspector utilizes Flexera Software's proprietary vulnerability database to detect and assess the security state of over 20,000 applications. This database is the foundation of our solution and provides insights into software vulnerabilities not provided by vulnerability scanners. All the intelligence in the database is assessed and verified by Secunia Research.

Gap: Prioritization
Feature that closes the gap: Vulnerability criticality rating based on Secunia Research data
How it works and associated business value: Corporate Software Inspector provides a criticality rating determined by Secunia Research to help quickly understand how a vulnerability can be exploited and the possible impact of exploitation, so that organizations can decide which patches to apply first. The product allows organizations to determine overall criticality by combining the vulnerability rating with the criticality they assign to the application, the system or the asset.

Gap: Remediation
Feature that closes the gap: Linking of patch assessment and remediation; delivery of pre-packaged patches
How it works and associated business value: Corporate Software Inspector delivers pre-packaged patches associated with the patch assessment results, making it possible to deploy the right patches faster and more reliably. This helps organizations apply patches in a timely manner, ahead of the availability of exploit kits for known software vulnerabilities.

Gap: Patching of Non-Microsoft Applications on Windows Systems
Feature that closes the gap: Delivery of patches for non-Microsoft applications
How it works and associated business value: Corporate Software Inspector leverages Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) for the deployment of security patches. WSUS and SCCM are widely used to manage patching of Windows environments, but they lack support for non-Microsoft products for Windows. Corporate Software Inspector closes this gap while integrating with existing technologies and processes, speeding up adoption and reducing the need for extensive training. Note that, as with any third-party update published through WSUS, the packages must be signed with a code-signing certificate that the client computers trust, so distributing that certificate is part of the deployment.
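As an added example (not Flexera's code, and not a description of how Corporate Software Inspector is implemented), the following Python sketches the assessment, prioritization and verification steps described in the lifecycle section and in the table above: installed versions are judged from what is actually on disk rather than from what the registry claims, the vendor criticality is multiplied by an asset criticality to rank the patch queue, and a re-assessment after patching serves as the verification phase. Every advisory, host, product and version below is constructed for the example, and the 1 to 5 criticality scales are assumptions.

```python
"""Added example (not Flexera's code): file-version-based patch assessment,
criticality-based prioritisation and a verification pass, modelled on the
Assess / Mitigate / Verify lifecycle. All data is constructed; the 1-5
criticality scales are assumptions, not Secunia's actual scale."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'11.0.14' -> (11, 0, 14). Assumes purely numeric dotted versions.
    Numeric tuples compare correctly; as strings '9.0.0' sorts above '11.0.14'."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str     # first version that carries the fix
    criticality: int  # vendor rating, 1 (low) .. 5 (extremely critical), assumed scale


@dataclass(frozen=True)
class InstalledApp:
    host: str
    product: str
    registry_version: str  # what the Uninstall key claims
    file_version: str      # version resource of the binary on disk


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    installed: str
    fixed_in: str
    score: int              # advisory criticality x asset criticality
    registry_disagrees: bool  # a registry-only scanner would have got it wrong


# Constructed sample data (hypothetical products and hosts).
ADVISORIES = [
    Advisory("ExampleReader", "11.0.14", 5),
    Advisory("ExampleArchiver", "5.40.0", 2),
]
INVENTORY = [
    # registry still shows the old version, but the file on disk is patched
    InstalledApp("ws-001", "ExampleReader", "11.0.10", "11.0.14"),
    # registry claims the patched version, but the binary was never replaced
    InstalledApp("fs-001", "ExampleReader", "11.0.14", "11.0.9"),
    InstalledApp("kiosk-07", "ExampleArchiver", "5.31.0", "5.31.0"),
    InstalledApp("fs-001", "ExampleArchiver", "5.40.0", "5.40.0"),
]
ASSET_CRITICALITY = {"fs-001": 5, "ws-001": 3, "kiosk-07": 1}  # assumed 1..5


def assess(inventory, advisories, asset_criticality):
    """Assessment phase: one Finding per (host, product) still vulnerable,
    judged by the version actually on disk, scored for prioritisation."""
    findings = []
    for app in inventory:
        for adv in advisories:
            if adv.product != app.product:
                continue
            fixed = parse_version(adv.fixed_in)
            on_disk_vulnerable = parse_version(app.file_version) < fixed
            registry_vulnerable = parse_version(app.registry_version) < fixed
            if on_disk_vulnerable:
                findings.append(Finding(
                    app.host, app.product, app.file_version, adv.fixed_in,
                    adv.criticality * asset_criticality.get(app.host, 1),
                    registry_disagrees=not registry_vulnerable))
    return findings


def prioritize(findings):
    """Highest combined score first: which patches to apply first."""
    return sorted(findings, key=lambda f: f.score, reverse=True)


def apply_patch(inventory, host, product, version):
    """Mitigation phase (simulated): return a new inventory with the binary
    and its registry entry both at the fixed version."""
    return [InstalledApp(a.host, a.product, version, version)
            if (a.host, a.product) == (host, product) else a
            for a in inventory]


def verify(inventory, advisories, asset_criticality):
    """Verification phase: re-assess and report what is still open."""
    return [f"{f.host}:{f.product}"
            for f in assess(inventory, advisories, asset_criticality)]


if __name__ == "__main__":
    queue = prioritize(assess(INVENTORY, ADVISORIES, ASSET_CRITICALITY))
    for f in queue:
        flag = "  (registry says patched!)" if f.registry_disagrees else ""
        print(f"{f.score:3d} {f.host} {f.product} {f.installed} -> {f.fixed_in}{flag}")
    patched = INVENTORY
    for f in queue:
        patched = apply_patch(patched, f.host, f.product, f.fixed_in)
    print("still open after patching:", verify(patched, ADVISORIES, ASSET_CRITICALITY))
```

On a real Windows host the two inputs come from different places: the registry view is the DisplayVersion value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, while the on-disk view is the version resource of the executable itself, which PowerShell exposes as (Get-Item <path>).VersionInfo.FileVersion. The fs-001 ExampleReader entry above is the case the paper warns about: a registry-only check would report it patched, while the binary on disk is still vulnerable.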


Our Customers Patch More Frequently Using Fewer Resources

Customers of Corporate Software Inspector patch their applications in shorter cycles with fewer resources. Research conducted with customers and non-customers reveals that 58% of organizations using Corporate Software Inspector deploy patches daily or weekly, while this percentage is 25% for non-customers. At the same time, 86% of users claim they use 2 staff days or less a week for researching vulnerabilities and patching, while 50% of non-customers use 3 staff days or more to do the same job.

[Chart: How frequently do you deploy patches? Percentage of respondents (0–80%) by Daily, Weekly, Monthly, Quarterly; series: Non-Customer, Customer.]

[Chart: How much time does your company spend on patching per week? Percentage of respondents (0–80%) by 1 staff/day, 2 staff/day, 3-5 staff/day, 1-3 staff/week, 2+ staff/week, None; series: Non-Customer, Customer.]

Conclusion

Corporate Software Inspector is an essential tool for organizations that want to have much more comprehensive vulnerability management processes. It allows organizations to dramatically improve their ability to apply security patches, in a timely manner, to mitigate the risk of a security breach.

Implementing Corporate Software Inspector makes it possible for organizations to bridge common organizational gaps between IT Security and IT Operations by delivering accurate patch assessment for security purposes, and packaged security patches and tools for operations to perform remediation.

About Corporate Software Inspector

Corporate Software Inspector empowers IT Operations teams to continuously identify vulnerable applications and apply security patches – before vulnerabilities that lead to costly breaches can be exploited. The solution leverages verified vulnerability intelligence and assesses over 20,000 applications, delivering tested patch packages for non-Microsoft applications, accelerating identification of vulnerabilities, driving their prioritization and reducing time to patch. Corporate Software Inspector is the preferred security patching solution for more than 1,000 enterprises worldwide. They benefit from our seamless integration with Microsoft products to simplify assessment of security status and patching of critical, non-Microsoft applications.


About Flexera Software


Flexera Software helps application producers and enterprises
manage application usage and increase the value they
derive from their software. Our next-generation software
licensing, compliance, security and installation solutions are
essential to ensure continuous licensing compliance, optimize
software investments and future-proof businesses against
the risks and costs of constantly changing technology. Over
80,000 customers turn to Flexera Software as a trusted and
neutral source for the knowledge and expertise we have
gained as the marketplace leader for over 25 years and for
the automation and intelligence designed into our products.
For more information, please go to:
www.flexerasoftware.com

Next Steps:
For more product information or to begin a free trial, visit www.flexerasoftware.com/enterprise/products/software-vulnerability-management/trials

Flexera Software LLC (Global Headquarters): +1 800-809-5659
United Kingdom (Europe, Middle East Headquarters): +44 870-871-1111, +44 870-873-6300
Australia (Asia, Pacific Headquarters): +61 3-9895-2000
For more office locations visit: www.flexerasoftware.com

Copyright © 2017 Flexera Software LLC. All other brand and product names mentioned herein may be the trademarks and registered trademarks of their respective owners.
CSI_WP_Why-CSI_Feb17