News

Configuresoft Security Patch Management Software Updated

• By Scott Bekker
• November 13, 2002

Security Update Manager 2.0 became available on Monday. SUM 2.0 is a module for Configuresoft's Enterprise Configuration Manager. Configuresoft's approach to security and system availability is to report on and automate the configuration of Windows machines in enterprise networks. "Over 90 percent of vulnerabilities are due to misconfigurations," asserts Configuresoft CEO Alexander Goldstein.

ECM, the company's flagship product, collects tens of thousands of configuration variables from agents on workstations and servers and consolidates them in a SQL Server database for reporting and analysis.

But Configuresoft also recognizes that patch management is a time-consuming and expensive problem for the enterprise. The company cites a Gartner estimate that correcting a security vulnerability at a company with 1,000 servers can cost $300,000.

Configuresoft's value proposition with SUM is to combine the massive store of data it collects through ECM with some extra work its engineering staff puts into Microsoft security bulletins, of which there have been 64 so far this year.

Configuresoft analyzes each security bulletin for the services and software it affects. Run against the centralized SQL database maintained by ECM, the Security Update Manager can immediately give administrators a very fast and specific report on exactly which machines need patching.

Running the query against the database instead of querying the network provides authoritative vulnerability assessment results in seconds rather than hours or days. "Most of our competitors are using some sort of real-time querying in order to assess which machines are vulnerable. Usually only 95 percent to 99 percent of servers are up, and with workstations it's difficult to connect to more than 70 percent to 80 percent of workstations at a time," Goldstein says.

It also greatly reduces the number of machines that need to be checked against the patch requirements. For example, early in 2002, Microsoft and the rest of the industry released fixes for a problem in the SNMP service. Configuresoft learned from its customers that only about 5 percent to 7 percent of their Windows 2000 systems were actually running the service and needed the patch.

"These patches are not productive. They are never tested to the extent that you would like them to be tested. The idea here is to do no harm," Goldstein says. "In reality, this has the impact of doing two things. One: It substantially diminishes the number of patches that have to be deployed. Two: It makes the workload easier."

Much of that fine-grained assessment of system vulnerabilities that allows for targeted lists of affected systems is new to the 2.0 version of SUM. Other new features include push-and-pull patch deployments and role-based administration. The push-and-pull feature allows administrators to push patches to a network location at remote sites so branch office machines can pull the patches down locally rather than over a wide area network. The role-based administration allows delegation of subsets of SUM 2.0 management powers to local staff and lower level administrators.

SUM 2.0 starts at $25 per server and $5 per workstation on top of the base cost of ECM, which starts at $995 per server and $30 per workstation.