No. Software vendors like Microsoft will try to do a better job writing secure code. But having been a programmer, I can say there is no software that is bug-free. Unless our methods of developing software radically change, there will always be software that is full of bugs, and that means full of security holes.
The initiative is welcome. [Bill] Gates is right on. But the reality is patch management problems won't go away. What Microsoft has done is taken some of the most obvious configuration settings and turned them off. Many of these are esoteric services that no one would run anyway. IIS comes more secure. They've reduced the amount of exposure out of the box, but everyone's needs are different. There are still an incredible amount of configuration changes.
As customers continue to experience potent virus and worm attacks, do you see a growing sophistication about how they approach enterprise security?
There are two extremes of customers. On one hand, you have very sophisticated people that have realized they need security internally, not just perimeter-level security, such as firewalls and intrusion-detection systems. They realize they need excellent internal security, such as configuration management. The way systems are configured has a lot to do with how secure they are.
On the other extreme, there are those who close their eyes and hope they don't get hit. Most people are in between. They've got pretty good external security (firewalls), antivirus software, and maybe even an intrusion-detection system. But internal security is weak. I like to say, 'hard shell, soft middle.'
What can you do that Microsoft is unable to do?
They essentially have three things. One is SMS [Systems Management Server], which can be shoehorned to do patch distribution. They have SUS [Software Update Services], which lets you run a local update service, and they have HFNetChk, a free utility that scans your environment. These are three disjointed pieces.
Microsoft will continue to put out a bunch of free utilities. They will do a little more each time. If you are willing to spend the time to pull it together, you might get somewhere. But the majority of customers will tell you they need a commercial product if you want to get the job done.
For companies that want to install something, scan their environment, get the latest and greatest patches and automatically deploy those with the click of a button, they need a commercial product.
Do you receive instructions or direction from Microsoft regarding best practices on how you can work better with their manageability platforms?
Well, we are members of their management alliance, so we work closely with them in terms of integration with [Microsoft Operations Manager]. So, what I see is more attention than I've seen before in terms of understanding the importance of systems management and security. They've released a number of security guides for ISVs and vendors. They've made a MOM SDK available. What security issues do people care about most, other than virus prevention?
One of the biggest is change management. In Windows 2000 Server alone, there are more than 400 configuration settings that focus on security. If you don't do a good job monitoring changes in those settings, you are vulnerable. So, internally, threats come from poor configuration [and] change management practices.
Also, 90% of break-ins could have been avoided if the company had loaded the latest and greatest patches. The way hackers work, they fingerprint your OS to see what version of software you are running. Once they have that information, there are plenty of sources on the Internet that show what are the known vulnerabilities. If they see that this SQL Server doesn't have that patch, well, they know they can exploit that vulnerability.
Manually, it's impossible to keep on top of with Microsoft seemingly releasing a patch a day.
Are you concerned that Microsoft will start offering services within its manageability products or in the OS that overlap with services from companies like Ecora?
No. I think Microsoft will try to solve Microsoft's problems. Whether it's configuration management, auditing or patch management, Ecora will look at the entire infrastructure. We don't just cover Microsoft, but also Linux, Unix, Lotus, etc. Customers are worried about security in the enterprise, not just in Microsoft's products. And Microsoft never does anything out of the Microsoft platform. Are people spending more on security products? Is it a situation where just a few companies spend the most dollars?
I don't have a good sense of the totality of the dollars, but for every IT manager I talk to, patch management is on top of their list.
What you will see take place over the next year is the focus on security to become not just external, but internal. Today we have what is equivalent to medieval Europe. The European city-states built a wall around the city, and that's how they protected themselves. But then what happened? Someone on the inside, a rotten apple, opened the door and security was compromised. Companies need to spend some attention on internal security. A year from now, you won't manage your IT infrastructure without some kind of automated patch-management solution.
FOR MORE INFORMATION:
Best Web Links: Patches