Turning vulnerability management from burden to routine with UEM

The strongest, most reliable defence against malware and data intrusions comes from taking care of the routine essential maintenance of network devices.

“Cybersecurity.” The word itself invokes popular perceptions of hyper-vigilant IT pros at multi-screen admin consoles, keeping their users safe from the round-the-clock depredations of malevolent hackers and foreign powers intent on stealing dollars, identities, and corporate reputations. It sounds noble and almost glamorous in a techy sort of way.

But the reality? Not so much.

The day-to-day of IT operations and security is more often a continuously time-crunched effort driven by a mix of knowledge, experience, hope, and fear. Most of the battle is a matter of just keeping up, not only with the latest threats and known vulnerabilities but with the time-consuming tasks of routine OS patching, app updates and deployments, device configuration and management, and the usual ‘my computer’s not working’ help desk requests.

IT security deserves the attention it gets, and security teams require specialised tools and knowledge, particularly in incident response. But effective security does not happen in isolation. It depends on the coordinated efforts of IT and other departments across an organisation. In fact, managing the routine and unglamorous IT tasks through a comprehensive unified endpoint management (UEM) system provides the strongest and most reliable defence against malware and hacker intrusions, because most intrusions exploit known vulnerabilities on unpatched, misconfigured or unknown endpoints rather than novel techniques. At the same time, UEM can automate many of the routine and time-consuming processes according to highly customisable rules and preferences. Time that would have been spent putting out fires and chipping away at support backlogs can instead be directed to strategy, planning, and optimisation.

A holistic view of vulnerability management
As the name implies, UEM unites multiple management tasks within a common framework and dashboard view. Day-to-day tasks include OS installs and cloning, application and update deployment, mobile device management (MDM), remote desktop support, virtual machine provisioning, and backup and restore. Vulnerability management touches on all of those. UEM capabilities specifically affecting risk assessment and management are device and app inventory, patch management, managed updates, and compliance management.

Knowing what you know, and what you don’t
UEM and vulnerability management both begin with a comprehensive and automatic inventory of all network devices, configurations, installed apps, and even the drivers for the video, storage and other endpoint subsystems. You can also get a detailed look at network topology and at the configurations of SNMP-managed printers, routers, switches and other devices. This level of detail is essential for deploying the right updates to the right machines. For example, you can buy and deploy 100 laptops from the same vendor and discover that half have different embedded controllers, and so need different firmware and driver updates. Even seeing which systems on your network have local administrator rights configured, and for whom, tells you quickly where an exploited vulnerability would do the most damage and therefore which ones to patch first.

The UEM system also can get granular with application usage tracking to find what software is being used on each device or should be used and isn’t. It can also find unlicensed or unapproved software that shouldn’t be there. You can use the inventory report as an IT playbook for setting and tracking your management priorities.

Three paths for patch management and one word: Automation
UEM systems employ a range of powerful reporting and automation features to address one of the most critical and time-consuming IT responsibilities, namely patch management. Patch management can be divided into three main areas. The first is Microsoft Windows patching. Windows Server Update Services (WSUS) is familiar and useful but has its shortcomings. For example, because its compliance data comes from client status reports rather than independent verification, it can report a patch as installed when the installation was incomplete or unsuccessful. WSUS updates can also be slow to reach endpoints for a variety of reasons, since clients poll the server on a schedule. The WannaCry outbreak of May 2017 illustrates the cost of that delay: the fix for the SMBv1 flaw it exploited (MS17-010) had been available for supported Windows versions since March, and Microsoft released emergency patches for unsupported versions on the Friday night the worm spread. Even so, it was not unusual at some organisations for the patch not to reach user endpoints until the following Monday, leaving users exposed, and unaware of it, for two days.

The second path covers third-party application patches. There’s a natural tendency to think that hackers are looking for some new, novel exploit. But it’s usually a case of “Sutton’s Law,” named for the 20th-century bank robber Willie Sutton, who when asked why he robbed banks reportedly replied, “Because that’s where the money is.” Hackers tend to attack the most common vulnerabilities in widely used applications, including Java, Flash, Acrobat, web browsers and office suites. There are several tools available to handle third-party patches, but the granularity of a UEM-generated inventory can go a long way toward avoiding compatibility issues and the rollbacks that cost additional time.

Finally, there are custom and special-use applications like AutoCAD, Adobe Creative or industry-specific packages that require special handling for various endpoints and configurations. Even knowing the urgency of a non-standard patch can be challenging.

The key to patching in all of those areas is automation and repeatability. With its detailed visibility into the target endpoints, a UEM system enables you to define endpoint-specific patch deployments smoothly, efficiently and with the degree of customisation that’s required for each.

Keeping a half-step ahead of the bad guys
All of us rely on the CVE list and on NIST’s National Vulnerability Database (NVD), which enriches each CVE with severity scores and affected-product (CPE) data, to track known vulnerabilities and exploits. But one person’s tool is another person’s weapon: the bad guys read the same feed and use it to find vulnerable products and targets. Having a vulnerability assessment for your specific configurations can keep you just far enough ahead of them to make a big difference. A UEM system can automatically check the NVD against its own inventory and help you determine quickly which CVEs affect the systems and applications on your network.
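The matching step described above, and the inventory it consumes from the earlier section, as an added example that is not code from the article or from any UEM vendor: a per-host software inventory is compared with CVE records using the affected-product (CPE) criteria and version bounds the NVD publishes, and the hits are sorted into a patch worklist. The inventory, the products and the CVE records are constructed for illustration (the IDs use the year 2099 so they cannot be mistaken for real CVEs); the record layout approximates the NVD API 2.0 JSON shape, and only simple OR nodes are handled.

```python
"""Match a UEM software inventory against NVD-style CVE records.

Added example, not the article's or any vendor's code. Inventory and CVE
records are constructed; the record layout approximates NVD API 2.0 JSON
(configurations -> nodes -> cpeMatch with version bounds).
"""
from typing import Dict, List, Tuple

# Constructed inventory, standing in for what a UEM agent reports per host.
INVENTORY = [
    {"host": "LAPTOP-01", "vendor": "examplecorp", "product": "pdfreader", "version": "10.0.2"},
    {"host": "LAPTOP-02", "vendor": "examplecorp", "product": "pdfreader", "version": "10.1.3"},
    {"host": "WS-03", "vendor": "examplecorp", "product": "archiver", "version": "2.3.4"},
    {"host": "WS-04", "vendor": "examplecorp", "product": "pdfreader", "version": "9.4.1"},
    {"host": "SRV-05", "vendor": "examplecorp", "product": "archiver", "version": "2.3.5"},
]


def _cve(cve_id: str, score: float, criteria: str, **bounds) -> dict:
    """Build one constructed record in NVD API 2.0 shape."""
    match = {"vulnerable": True, "criteria": criteria, **bounds}
    return {"cve": {
        "id": cve_id,
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]},
        "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [match]}]}],
    }}


# Constructed feed; year-2099 IDs and the products are hypothetical.
NVD_FEED = {"vulnerabilities": [
    _cve("CVE-2099-0001", 8.8, "cpe:2.3:a:examplecorp:pdfreader:*:*:*:*:*:*:*:*",
         versionStartIncluding="10.0", versionEndExcluding="10.1.3"),
    _cve("CVE-2099-0002", 7.5, "cpe:2.3:a:examplecorp:archiver:2.3.4:*:*:*:*:*:*:*"),
    _cve("CVE-2099-0003", 9.8, "cpe:2.3:a:examplecorp:pdfreader:*:*:*:*:*:*:*:*",
         versionEndExcluding="9.5"),
]}


def version_key(v: str) -> Tuple[int, ...]:
    """'10.1.3' -> (10, 1, 3). Simplified: each dotted part is read up to its
    first non-digit, so '3b' counts as 3; real feeds carry suffixes such as
    'sp1' that need product-specific handling."""
    parts = []
    for p in v.split("."):
        digits = ""
        for ch in p:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_cmp(a: str, b: str) -> int:
    """-1, 0 or 1; pads with zeros so that '10.0' compares equal to '10.0.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def cpe_matches(entry: dict, match: dict) -> bool:
    """Does one inventory entry fall inside one cpeMatch node?"""
    # cpe:2.3:part:vendor:product:version:update:edition:lang:sw_ed:target_sw:target_hw:other
    fields = match["criteria"].split(":")
    vendor, product, version = fields[3], fields[4], fields[5]
    if (vendor, product) != (entry["vendor"], entry["product"]):
        return False
    v = entry["version"]
    if version not in ("*", "-"):          # explicit version inside the CPE itself
        return version_cmp(v, version) == 0
    if "versionStartIncluding" in match and version_cmp(v, match["versionStartIncluding"]) < 0:
        return False
    if "versionStartExcluding" in match and version_cmp(v, match["versionStartExcluding"]) <= 0:
        return False
    if "versionEndIncluding" in match and version_cmp(v, match["versionEndIncluding"]) > 0:
        return False
    if "versionEndExcluding" in match and version_cmp(v, match["versionEndExcluding"]) >= 0:
        return False
    return True                             # '*' with no bounds: every version


def affected_hosts(inventory: List[dict], feed: dict) -> Dict[str, Tuple[float, List[str]]]:
    """{cve_id: (cvss_base_score, sorted hosts)} for CVEs that hit at least one host."""
    result = {}
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        score = metrics[0]["cvssData"]["baseScore"] if metrics else 0.0
        hosts = set()
        for conf in cve.get("configurations", []):
            for node in conf["nodes"]:
                if node.get("operator") != "OR":   # AND nodes (platform combos) not handled here
                    continue
                for m in node["cpeMatch"]:
                    if not m.get("vulnerable", True):
                        continue
                    hosts.update(e["host"] for e in inventory if cpe_matches(e, m))
        if hosts:
            result[cve["id"]] = (score, sorted(hosts))
    return result


def patch_priority(inventory: List[dict], feed: dict) -> List[Tuple[str, Tuple[float, List[str]]]]:
    """Worklist: highest CVSS first, then most affected hosts, then CVE id."""
    found = affected_hosts(inventory, feed)
    return sorted(found.items(), key=lambda kv: (-kv[1][0], -len(kv[1][1]), kv[0]))


if __name__ == "__main__":
    for cve_id, (score, hosts) in patch_priority(INVENTORY, NVD_FEED):
        print(f"{cve_id}  CVSS {score}  {', '.join(hosts)}")
```

The boundary cases are the ones that bite in practice: LAPTOP-02 on 10.1.3 is not flagged because versionEndExcluding is exclusive, and WS-04 on the old 9.x branch is matched only by the record whose range covers it. In a real deployment the NVD feed is fetched from NIST’s API, vendor and product names must be normalised to the CPE dictionary before matching, and AND-combined nodes (for example a product only vulnerable on a given OS) need the platform inventory as well.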

Getting pushy for happy users
Many management systems, including Microsoft System Center Configuration Manager (SCCM, now Microsoft Configuration Manager), are pull-based for deploying patches and updates: the client polls the server for new policy on its own schedule. That can be fine – until it’s not. The problem is that you don’t know how quickly that pull will happen, and you may have to get patches out with greater speed and precision than SCCM allows. A UEM system enables you instead to push updates to all applicable endpoints. Not only can you be sure if and when a patch is deployed, you can actually lock down machines until an urgent patch is installed. To minimise user impact, a UEM system gives you the ability to use Wake-on-LAN for night-time or weekend deployments without user input. You can also give local and remote users the power to choose their own times, set reminders or define time slots, so they don’t feel that IT is keeping them from getting their work done.
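The Wake-on-LAN step behind those off-hours deployments, as an added example that is not code from the article or from any UEM product: the function builds the standard magic packet (six 0xFF bytes, then the target MAC repeated sixteen times, optionally followed by a SecureOn password), a second function recognises one the way the network card does, and a third broadcasts it. The MAC address is constructed; nothing is sent unless wake() is called.

```python
"""Wake-on-LAN magic packet: build, recognise, and broadcast.

Added example, not the article's or any UEM product's code. The MAC address
used when run directly is constructed. The packet format is the standard
one: six 0xFF bytes, the 48-bit target MAC repeated sixteen times, and an
optional SecureOn password, carried as a UDP broadcast.
"""
import re
import socket
from typing import Optional

SYNC = b"\xff" * 6   # synchronisation stream that opens every magic packet


def magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Encode a magic packet for `mac` ('00:11:22:33:44:55', '00-11-...', or bare hex)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return SYNC + bytes.fromhex(hexdigits) * 16 + password


def target_of(data: bytes) -> Optional[str]:
    """Decode a packet as a NIC would: the MAC it wakes, or None if not a magic packet."""
    if len(data) < 102 or data[:6] != SYNC:
        return None
    hw = data[6:12]
    if data[6:102] != hw * 16:       # all sixteen copies must be identical
        return None
    return ":".join(f"{b:02x}" for b in hw)


def wake(mac: str, broadcast: str = "255.255.255.255", port: int = 9,
         bind_addr: Optional[str] = None) -> int:
    """Broadcast the packet on the local segment; returns the number of bytes sent.

    Port 9 (discard) is conventional only: the NIC looks for the byte pattern,
    not the UDP port. Broadcasts do not cross routers, so waking a remote
    site needs a relay host there or a directed broadcast the routers permit.
    """
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        if bind_addr:                 # choose the interface facing the target segment
            s.bind((bind_addr, 0))
        return s.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    pkt = magic_packet("00:11:22:33:44:55")   # constructed target MAC
    print(len(pkt), "bytes, wakes", target_of(pkt))
```

Two practical caveats: Wake-on-LAN has to be enabled in the endpoint firmware and NIC settings, which is itself something the inventory should report, and because any host on the segment can send a magic packet, it is a wake-up mechanism and not an authentication one; the patch job must still authenticate to the endpoint once it is up.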

Routine endpoint management means routine endpoint security
Given the risks and consequences involved, it’s natural for security operations to get special attention. But it’s important that this heightened focus is integrated with the regular and routine IT functions that otherwise might be seen as lower priority. A coordinated, cross-disciplinary approach using automated UEM systems provides a comprehensive foundation for secure operations and delivers multiple and measurable benefits in both IT productivity and end-user productivity.