Federal CIO Tony Scott’s 30-day Cybersecurity Sprint in July called on government agencies to make substantive progress in four specific areas. Last week I discussed the first directive: federal agencies must immediately deploy indicators provided by DHS regarding priority threat-actor techniques, tactics, and procedures to scan systems and check logs. Let's now discuss the second.
The Second Cybersecurity Directive
“Patch critical vulnerabilities without delay. The vast majority of cyber intrusions exploit well known vulnerabilities that are easy to identify and correct. Agencies must take immediate action on the DHS Vulnerability Scan Reports they receive each week and report to OMB and DHS on progress and challenges within 30 days.”
How did this one go?
DHS Secretary Jeh Johnson has said that agencies patched or remediated about 60 percent of their critical vulnerabilities during the Sprint. And at the Nextgov Prime conference on government cybersecurity in Washington on September 9, CIO Scott said, “The good news is I think we are making progress. The bad news is, incidents that do occur, mostly occur because we failed even the most basic preventative measures.”
So there’s still much work to be done. The Sprint was just one segment of a marathon effort which doesn’t necessarily have a finish line.
Dell Software is here to help agencies keep pressing forward. October is National Cyber Security Awareness Month, and we’re presenting a four-part knowledge series of half-hour webcasts on the Sprint directives. The second on-demand webcast, on patching critical vulnerabilities, is available now and features Robert Osborne, Dell Software Senior Enterprise Technologist. We review Dell Software solutions for scanning and patching, including KACE systems management appliances and network security solutions from Dell SonicWALL.
The complete knowledge series includes:
Please join us for the second knowledge series webcast.
About Jeffrey Honeyman
Jeff Honeyman manages messaging and content for government and education for Dell Software. He is also a saxophone and clarinet player and science fiction reader.
New Windows 10 features are getting ink in the tech press, but it’s Windows 10 security that’s top of mind for most system administrators.
When we conducted a webcast called Under the Hood with Windows 10 Security, more than 2,300 sysadmins, IT managers and network administrators registered. We saw we had a live one, so we decided to distill the highlights of the webcast into this series of three blog posts on the main enhancements to Windows 10 security, focusing on what’s new for the enterprise.
In this first post, I’ll describe Windows 10 enhancements for endpoint security – preventing your desktops and servers from being infected by malware.
It’s a good sign that Microsoft is taking aim at malware, because the endpoints are where the bad guys are winning the most. Windows 10 fights back with controls that are rooted in hardware (UEFI Secure Boot, the TPM, the CPU’s virtualization extensions) and enforced below the kernel, because that’s what it takes to keep malicious code from running on your endpoints.
Untrusted font blocking (6:10 into the on-demand webcast)
Fonts are “complex data structures,” which translates to “big, juicy targets just waiting to be exploited.” Font parsers are notorious for memory-corruption bugs, and because Windows historically parsed fonts inside the kernel (win32k.sys), a malformed font could hand an attacker kernel-level code execution rather than just a crashed application.
The biggest danger is that fonts can be embedded in documents and web pages and sent all over the place. That is an ideal way for bad guys to deliver an exploit to an endpoint: the user only has to open the file or load the page, and the font is parsed automatically.
Untrusted font blocking, an option under Group Policy (Computer Configuration > Administrative Templates > System > Mitigation Options), is a new Windows 10 security feature. When it is on, Windows only loads fonts that are installed in the system Fonts directory (%windir%\Fonts); a font carried inside a document, an email or a web page is refused. It also has an audit mode that logs what would have been blocked without blocking it, so you can find the line-of-business applications that ship their own fonts before you enforce the setting. It limits the damage from anything that renders fonts: email, Web content and document files.
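The following is an added example, not code from the original post or from Dell, showing how the setting above looks on the endpoint. It reads, decodes and sets the font-blocking field of the kernel `MitigationOptions` value that the Group Policy setting writes, and lists the audit events. The registry path and the values 1 (block), 2 (off) and 3 (audit) are the ones Microsoft documents for this policy, and the two-bit field at bits 48 and 49 matches the `PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_*` constants; the event log name and event ID 260 are taken from the same documentation. Run it in an elevated PowerShell session.

```powershell
# Added example: inspect and configure Windows 10 untrusted font blocking.
# Assumptions (documented by Microsoft, not taken from the post): the setting
# lives in the QWORD MitigationOptions under the Kernel key, bits 48-49 hold
# 1 = block, 2 = off, 3 = audit, and blocked/audited fonts log event 260 in
# the Microsoft-Windows-Win32k/Operational channel. Run as Administrator.

$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$FontMask  = [int64]3 -shl 48          # 0x0003000000000000

function Get-UntrustedFontBlocking {
    $raw = (Get-ItemProperty -Path $KernelKey -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
    if ($null -eq $raw) { return 'NotConfigured' }
    switch ((([int64]$raw -band $FontMask) -shr 48)) {
        0 { 'NotConfigured' }   # field untouched: Windows default, fonts allowed
        1 { 'Block' }           # 0x1000000000000: refuse non-system fonts and log
        2 { 'Off' }             # 0x2000000000000: explicitly allow
        3 { 'Audit' }           # 0x3000000000000: allow, but log what would be blocked
    }
}

function Set-UntrustedFontBlocking {
    param([Parameter(Mandatory)][ValidateSet('Block', 'Audit', 'Off')][string]$Mode)
    $codes = @{ Block = 1; Off = 2; Audit = 3 }
    $current = (Get-ItemProperty -Path $KernelKey -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
    if ($null -eq $current) { $current = 0 }
    # Keep every other mitigation bit as it is; rewrite only the font field.
    $new = ([int64]$current -band (-bnot $FontMask)) -bor ([int64]$codes[$Mode] -shl 48)
    Set-ItemProperty -Path $KernelKey -Name MitigationOptions -Value $new -Type QWord
    # Applies to processes started after the change; reboot to be sure.
}

function Get-BlockedFontEvents {
    # Event 260 records each font that was blocked (or, in audit mode, would have been),
    # including the process that tried to load it. This is what you review before enforcing.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

"Current mode: $(Get-UntrustedFontBlocking)"
# Typical rollout: Set-UntrustedFontBlocking -Mode Audit, collect Get-BlockedFontEvents for
# a week, whitelist (install) the legitimate fonts that show up, then -Mode Block.
```

Because the value is a shared bit field, the example masks and re-sets only the two font bits; writing the bare documented constant would silently clear any other process mitigation already configured on the machine.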
Device Guard (7:40)
Device Guard is more than any single feature. It’s the combination of Secure Boot, a code integrity policy and (where the hardware allows it) virtualization-based protection of that policy, which together lock down what code is allowed to execute, in the kernel and optionally in user mode. The more you’ve standardized on specific configurations of hardware and drivers in your company, the more you can take advantage of Device Guard, which is oriented toward enterprise devices and Windows 10 Enterprise rather than toward consumer and BYOD. Device Guard runs much deeper inside the OS than AppLocker does.
Secure Boot is the foundation Device Guard builds on. It is a feature of UEFI, the replacement for the legacy BIOS: the firmware checks the digital signature of each boot component (option ROMs, the Windows boot manager, the boot loader) against keys stored in the firmware before it runs it, and refuses anything unsigned or signed by an untrusted key.
Windows 10 also has a highly controlled boot process that works with the Trusted Platform Module (TPM) chip on the motherboard, if one is present. The TPM does not decide what may boot; Secure Boot does that. What the TPM adds is Measured Boot: hashes of the firmware, boot loader, kernel and boot-start drivers are recorded in the TPM’s platform configuration registers as they load, so that BitLocker can refuse to release its key, and a remote attestation service can refuse to trust the device, if the measurements do not match a known-good boot.
Together these defend against bootkits and rootkits and make sure that Windows starts from trusted, untampered code. Secure Boot was already supported in Windows 8 and Windows Server 2012; the biggest change for Windows 10 is the new requirements on hardware manufacturers, like UEFI and TPM, so that you can count on those components being there.
Code Integrity (17:50)
Code Integrity is part hardware, part software. In mobile terms, you can say that it makes Windows more like an un-jailbroken iOS system or an unrooted Android system, but with more freedom and control from the enterprise point of view.
Whereas AppLocker starts late in the boot process and runs in user mode, Code Integrity takes control as soon as the OS begins to boot and runs in kernel mode, deep within the OS. You write a Code Integrity policy that allows only code signed by publishers you trust (with hash rules as a fallback for unsigned files), and nothing else loads. If you sign the policy itself, not even a local administrator can replace or remove it.
You build the policy by scanning a “golden” reference system: Code Integrity looks at how every executable on that system is signed and turns what it finds into rules. For unsigned programs like line-of-business apps you’ve built, there is Package Inspector, which watches an installation, records the files it writes into a catalog, and lets you sign that catalog and add it to the policy. The policy has two layers: kernel mode code integrity (KMCI) governs drivers and is the part that virtualization-capable hardware can protect, and user mode code integrity (UMCI) governs applications. That makes Code Integrity a big step toward endpoint security for fixed-function systems like point-of-sale terminals. Even if you don’t have complete control over the hardware, you can still run a policy in audit mode, which logs what would have been blocked without blocking it.
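The golden-system, audit-then-enforce workflow described above, as an added example that is not code from the original post or from Dell. It uses the `ConfigCI` cmdlets that ship with Windows 10 Enterprise (`New-CIPolicy`, `Set-RuleOption`, `ConvertFrom-CIPolicy`); the `C:\DG` working directory is an assumption for this example, and the audit event ID 3076 and the `SIPolicy.p7b` deployment path are Microsoft’s documented values. It is meant to be run step by step on the reference machine, with a reboot between deployment and review.

```powershell
# Added example: build a Device Guard code integrity policy from a golden
# reference system, deploy it in audit mode, review the log, then enforce.
# Assumes Windows 10 Enterprise with the ConfigCI module; C:\DG is a working
# directory chosen for this example.

$PolicyXml = 'C:\DG\GoldenPolicy.xml'
$PolicyBin = 'C:\DG\SIPolicy.p7b'
$Deployed  = "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
New-Item -ItemType Directory -Path 'C:\DG' -Force | Out-Null

# 1. Scan the reference system and turn its signatures into rules.
#    -Level Publisher trusts anything signed under the same publisher certificate,
#    -Fallback Hash pins unsigned binaries by hash, -UserPEs adds user-mode
#    executables so UMCI rules are generated as well as KMCI rules.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Rule option 3 = "Enabled:Audit Mode": violations are logged, not blocked.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile the XML into the binary form the kernel loads and put it in place.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $Deployed -Force
# --- reboot, then run every workload that must keep working ---

# 4. Event 3076 in the CodeIntegrity operational log is the audit-mode
#    "would have been blocked" record; anything here needs a rule or is malware.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 5. Fold legitimate hits back into the policy (New-CIPolicy -Audit builds a
#    policy from those events; Merge-CIPolicy combines it with the golden one).
New-CIPolicy -FilePath 'C:\DG\AuditHits.xml' -Level Publisher -Fallback Hash -UserPEs -Audit
Merge-CIPolicy -PolicyPaths $PolicyXml, 'C:\DG\AuditHits.xml' -OutputFilePath 'C:\DG\Merged.xml'

# 6. When a run in audit mode produces no 3076 events, drop the audit option
#    and redeploy: from now on event 3077 means something was actually blocked.
Set-RuleOption -FilePath 'C:\DG\Merged.xml' -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath 'C:\DG\Merged.xml' -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $Deployed -Force
```

Two practical points: the policy above is unsigned, so a local administrator can still delete `SIPolicy.p7b` and reboot; the “not even an administrator can override it” property only holds after you add your code-signing certificate with `Add-SignerRule -Update` and sign the binary policy with it. And `-Level Publisher` is a deliberate trade-off: it survives vendor updates without a policy change, at the cost of trusting everything that publisher ever signs, so tighten it to `FilePublisher` for the few vendors whose catalogue you do not want wholesale.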
Virtualization-based security (29:30)
Virtualization-based security (VBS) enlists the Hyper-V hypervisor to protect sensitive parts of Windows even on endpoints. It inserts a hypervisor between the metal and the Windows 10 kernel, then moves the credential-holding part of the local security authority (LSA) and kernel mode code integrity (KMCI) into an isolated environment that the hypervisor enforces, which Microsoft calls Virtual Secure Mode, or the “secure world.” The two resulting features are Credential Guard and hypervisor-enforced code integrity (HVCI).
Before virtualization-based security, both LSA and KMCI ran in the ordinary kernel. That used to count as a safe place to run, but device drivers run there too, and they come from all over and are not always secure; a compromised kernel could read the credentials LSA caches or simply switch code integrity off. Once they’re in the secure world, the isolated LSA and KMCI are inaccessible to everything else, including the kernel, the apps and any kernel mode malware.
To prevent code injection exploits, HVCI controls the page tables the kernel sees, so that a kernel memory page can be writable or executable but never both, and only pages holding code that passed the code integrity check are ever made executable. That means that even if an attack manages to inject code into the kernel, say through a vulnerable driver, HVCI will prevent it from running.
With Windows 10, Microsoft has acted to slow down attacks. Consider that the OS now has three different, overlapping technologies to let you control application usage:
If you’re really serious about taking advantage of Device Guard and the full spectrum of malware-defeating technologies built into Windows 10, you’ll discover that the hardware you buy really matters. You’ll want UEFI with Secure Boot, a TPM, and a CPU and chipset with the virtualization extensions (second-level address translation and an IOMMU for DMA protection) that VBS depends on built into your endpoints.
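Before buying or enrolling hardware, the questions in this post reduce to a few checks on the endpoint. The following is an added example, not code from the original post or from Dell, that reports UEFI Secure Boot, TPM readiness and the virtualization-based security state through the `Win32_DeviceGuard` WMI class, and then turns VBS, HVCI and Credential Guard on by writing the registry values the “Turn On Virtualization Based Security” Group Policy writes. The numeric codes in the comments are Microsoft’s documented meanings for that class; everything else about the machine is left for the reader’s environment.

```powershell
# Added example: Device Guard hardware readiness and VBS status for one endpoint.
# Assumptions (from Microsoft's documentation, not from the post): Win32_DeviceGuard
# reports VirtualizationBasedSecurityStatus 0/1/2 = off / configured but not
# running / running, SecurityServicesRunning 1 = Credential Guard, 2 = HVCI, and
# the DeviceGuard and Lsa registry values below are what Group Policy sets.
# Run elevated; the Hyper-V hypervisor platform feature must be installed for VBS to start.

function Get-DeviceGuardReadiness {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, which is itself the answer.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $running = @($dg.SecurityServicesRunning)
    [pscustomobject]@{
        UefiSecureBoot    = $secureBoot
        TpmPresentReady   = [bool]($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        VbsStatus         = @('Off', 'ConfiguredNotRunning', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardOn = ($running -contains 1)
        HvciOn            = ($running -contains 2)
        # AvailableSecurityProperties: 1 base VBS, 2 Secure Boot, 3 DMA protection,
        # 4 secure memory overwrite, 5 UEFI code read-only, 6 SMM mitigations, 7 MBEC
        PlatformProps     = @($dg.AvailableSecurityProperties)
    }
}

function Enable-DeviceGuardVbs {
    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # 1 = require Secure Boot; 3 = require Secure Boot and DMA protection (IOMMU)
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    # HVCI: older builds read the flat value, newer builds read the Scenarios subkey; set both.
    Set-ItemProperty -Path $dgKey -Name HypervisorEnforcedCodeIntegrity -Value 1 -Type DWord
    $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $hvciKey -Force | Out-Null
    Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
    # Credential Guard: 1 = on with UEFI lock (cannot be disabled remotely), 2 = on without lock
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord
    'Reboot required; run Get-DeviceGuardReadiness again afterwards and expect VbsStatus = Running.'
}

Get-DeviceGuardReadiness | Format-List
```

The distinction between `ConfiguredNotRunning` and `Running` is the one that catches people: the registry can say everything is enabled while the hypervisor never started because Secure Boot is off or the firmware lacks SLAT, and only the WMI class tells you which. Choose `LsaCfgFlags = 1` only once you are sure; the UEFI lock means the machine keeps Credential Guard on even if the policy is later removed, until someone is physically present to clear the variable.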
Under the Hood with Windows 10 Security – On-demand webcast
Take a few minutes to listen to Randy Franklin Smith’s webcast, Under the Hood with Windows 10 Security. I’ve included the time stamps so you can fast-forward to the topics of most interest to you.
My next post will cover what’s new in authentication and data protection in Windows 10, so subscribe to this blog to be sure you don’t miss it.
About Christopher Garcia
A ten-year Dell veteran, Chris has had experience in various marketing roles within the organization. He is currently a Senior Product Marketing Manager.
As I’ve explained in my previous blog posts, mobile devices have quickly evolved into critical enterprise tools that open the doors to better productivity, innovation and competitive advantage. At the same time, they have increased IT complexity and raised critical security and privacy concerns. I’ve offered several recommendations for ensuring security with both personally owned and corporate-owned devices. But what strategies actually work in the real-world? For example, what do educational institutions actually find most effective?
To find out, I’ve asked Kim Cary, CISO of Pepperdine University, to discuss the challenges of enabling mobility while maintaining security. Here’s our Q&A:
Q. Tell us a little bit about endpoint security from your perspective as CISO at Pepperdine.
A university needs a different network than the typical business. For one thing, we don’t own all the endpoints on our network — students, conference guests, invited speakers and contracted services all use systems we don’t own. Further, for those endpoints we do own, it isn’t appropriate to use a simple “only what the company installs on it” strategy for security, particularly with faculty. So our endpoint strategy in security is much more of an “innocent until proven guilty” approach.
The way this plays out is that we use role-based access. For devices we don’t own, we limit access to well-maintained and monitored services. For devices we do own, we make sure that they are patched and their assigned users have good security training available.
Q. Why is endpoint security so important in terms of your overall security strategy?
As one of our vendors puts it, “Your network is only as secure as the devices that are connected.” This means that at the end of the day, after all the firewalls, IDS/IPS, security education and anti-virus have done their work, if someone’s workstation is weak, it can still become a cybercriminal HQ on your network. The resulting data breach would not be good for the students, community or university.
Q. What does Pepperdine do to manage and secure endpoints?
We use a NAC to provide role-based access. We evangelize security training and software patching aids for systems we don’t own. For systems we do own, we automate patching of the statistically most exploited software: the operating system, the productivity suite, and the web helper apps — Java, Adobe Flash Player, Adobe Acrobat Reader and the like.
Q. What endpoint security solutions do you use and find most valuable?
For systems we own, what is determined to be security baseline must be mandatory. We have found that automation is required, since every other form of maintenance — including posture checking, user education, technicians with flash drives, and even concierge service for executives and high-profile faculty — has been shown to fail to provide a baseline of security.
We’re using Dell KACE to automate third-party patching and security configuration for systems we own. We’ve also found it useful for tracking down and helping eradicate zero-day infections that have gotten past our anti-virus. Beyond security, the KACE solution lets us provision systems campus-wide. When finance went paperless and we needed Acrobat on every workstation, KACE installed the licensed software in days. When we needed to retire XP before April 2014, KACE gave us an inventory of the 400+ systems to target, and enabled us to upgrade those systems to Windows 7 overnight, instead of having to pull them in to the workbench and interrupt our colleagues’ work.
Our NAC is a critical system for providing role-based access and for informing people of what to do when their BYOD system is blocked for signs of infection or copyright infringement. Being able to both isolate and inform in one operation has saved tons of help desk calls and, more importantly, tons of student frustration.
Q. What advice would you give other IT security executives and managers about managing and securing endpoints?
Don’t accept that security is not possible if a traditional method of control is not available. Take ownership and find another path; be proactive in innovation; publish measures of your success. Invest in automation of the baseline tasks — your users and even technicians were not hired to spend time on these basics. Automation enables these colleagues to focus on things more important to the business than patching and configuration, such as making the most of their technology tools and designing new solutions for business problems.
Learn more about building a secure mobile enterprise
As Pepperdine University illustrates, enabling mobility while ensuring security is a worthy and attainable goal for any organization. I’d like to thank Kim Cary for sharing his insights and advice, and I hope you’ve found them helpful as well.
To learn more about achieving a secure mobile enterprise, read our whitepaper, “The Secure Mobile Enterprise.”
About Kim Cary | Chief Information Security Officer at Pepperdine University
Kim's current work is focused on security training, business process consulting, security policy, mission-friendly security system implementation, security event analysis, incident handling and system operations.
Kim completed his Ed.D. at Pepperdine in 2004 and holds current major security certifications from ISC2 as CISSP and from GIAC as Firewall, Intrusion and Forensics Analyst and Incident Handler. He received his M.Div. at Biola in 1986, and his bachelor's degree in biology at the University of California, Los Angeles in 1979.
KACE is a top choice among Redmond readers!
We are excited to inform you that Dell KACE won two Platinum Awards for License Management and Patch Management within the Infrastructure Management category. The award winners are determined by the readers of Redmond Magazine based on their responses to the annual survey on the largest hardware and software providers surrounding the Microsoft ecosystem.
Dell won the largest number of awards in 46 categories.
To view the complete list of award recipients you can register with Redmond Magazine.
About Lolita Chandra
Lolita is a Product Marketing Manager for Dell KACE. She has over 10 years of product marketing experience with IT software and infrastructure-as-a-service solutions.
In my two previous blogs, I’ve talked about two key requirements for any mobility program: secure mobile workspaces to enable BYOD and effective mobile device management to prevent data breaches on corporate-owned devices. As an IT professional, you might be saying, that all sounds great, but how am I supposed to deliver all that security with my complex IT environment and limited IT staff?
These concerns are completely valid.
Today’s mobile environments encompass a wide range of devices.
Your IT team is likely managing a large number of personally owned and corporate-owned smartphones, tablets and laptops, and dealing with multiple versions of Apple iOS, Mac OS, Windows and Android. That complexity will only increase in the coming years. For example, a Dimensional Research survey sponsored by Dell found that most organizations expect both the number and variety of devices to continue to grow in the next few years.
Managing that growing complexity, whatever your IT staff’s experience and expertise, requires an effective window into your enterprise mobile infrastructure. While most IT organizations do use systems management tools (often three or more of them!), only about half say their tools can support all the platforms, operating systems and device types they must manage. That means systems management has moved beyond management of traditional computer endpoints and into a new world where “anypoint” systems management will be the imperative for securing and tracking virtually anything with a network connection.
A better approach is to manage all mobile devices, as well as their applications and content, from a single pane of glass. An overwhelming majority (89 percent) of organizations that lack such a consolidated view would like to have one. Let’s explore some of the key features of such a tool:
Nearly every organization today wants to reap the benefits of modern mobile technologies — without sacrificing security or overwhelming IT. Secure mobile workspaces, effective MDM, and single-pane-of-glass management are critical components of a successful BYOD strategy. To learn more about achieving a secure mobile enterprise, read our whitepaper, “The Secure Mobile Enterprise.”
There’s no question that mobility offers a wealth of benefits to organizations, from better productivity and collaboration to improved IT agility and competitive advantage. But as I explained in my previous blog, implementing a mobility program requires careful attention to security. There, I detailed why secure virtual workspaces are the best way to enable users to access corporate resources from their personally owned devices.
Now let’s look at another piece of the mobile security puzzle — preventing security breaches on corporate-owned devices. How can IT keep mobile devices up-to-date and secure, both when they’re in the hands of authorized users and in the event that the device is lost or stolen?
The answer is effective mobile device management (MDM).
A sound MDM strategy will include the following best practices for keeping data from being compromised:
Effective MDM complements the secure virtual workspace, helping organizations create, implement and grow their BYOD strategies. To learn more about achieving a secure mobile enterprise, read our whitepaper, “The Secure Mobile Enterprise.”
Systems management is a tough job, and it’s not getting any easier. Along with managing all of the PCs, Macs and servers in your organization, you now have to secure and maintain mobile devices and address the BYOD phenomenon, all while planning strategically for the control of all sorts of newly connected devices. The need for “anypoint” systems management has arrived. Are you ready?
Attend Dell World Software User Forum October 20-22 and address these challenges and more head on.
You will get direct access to “anypoint” systems management expertise through a broad offering of KACE educational sessions, all designed for maximum practical take-home learning. Here you’ll uncover more about the newest and most popular KACE features and capabilities that you can put to work right away. KACE experts will be out in force in Austin, all in one location!
From its origins as the KACE Konference, and now encompassing all that Dell World has to offer for one affordable fee, Dell World Software User Forum is simply the premier learning opportunity of the year. Here, you and your IT peers can up your game by enhancing your KACE appliance knowledge while exploring the added benefits of the wider Dell Software product portfolio. Immerse yourself in the future of “anypoint” systems management, and leave knowing more about the latest trends in big data, cloud management, advanced analytics, and the ins and outs of secure network access.
The Agenda Builder is live, so once you’ve registered, you can create a personalized Dell World Software User Forum experience that best meets your needs and aspirations.
Featured and favorite KACE sessions include:
Endpoint security is at the top of everyone’s priority list, and the K1000 management appliance includes a number of features that address these security needs. Find out how to improve endpoint security through K1000 security best practices.
License management can be a daunting task. Learn how the K1000 management appliance, integrated with the Dell Application Catalog makes your job easier. Also discover the new functionality from the most recent K1000 release.
A lot has changed with the K2000 deployment appliance in the last year. Stay up to date with the latest and greatest. In this session you will learn what's new from K2000 product experts to make OS deployments easier and faster.
Why should you attend?
Leverage All KACE Capabilities
Your Dell KACE appliances are already at work helping you keep your systems up to date and secure. Why not leverage all of the KACE capabilities – some of which you may not have explored or had the time to learn yourself? Your registration includes admission to all Dell World general sessions, solutions showcase, and the big opening night concert. And don’t forget: the BOGO (buy one, get one) offer is still valid. Each paid registrant can bring a colleague free of charge.
Register for Dell World Software User Forum!
About Stephen Hatch
Stephen is a Senior Product Marketing Manager for Dell KACE. He has over eight years of experience with KACE and over 20 years of marketing communications experience.
Mobility is one of the most transformational technologies available today.
In just a few short years, mobile devices have evolved from cool consumer technology into mission-critical enterprise tools. Accordingly, organizations left and right are adopting bring-your-own-device (BYOD) policies to enhance productivity and collaboration while opening the doors to business transformation, competitive advantage and improved performance. In fact, a Dimensional Research survey sponsored by Dell found that 84 percent of organizations already support mobile devices on their networks.
Security is critical to a successful mobility program
Of course, the benefits of BYOD do not come free; rather, BYOD brings a host of technical challenges. Chief among them is security: 44 percent of the 1900+ global organizations surveyed in Dell’s recent Global Technology Adoption Index (GTAI) listed “fear of security breach” as the primary barrier to expanding mobile technologies within the organization. Clearly, reaping the substantial benefits of BYOD requires a carefully considered plan for network and data security.
The first hurdle is providing users with easy yet secure access to the corporate network from their personally owned smartphones and tablets. One approach is the traditional model: have IT manage all devices that access the corporate network. That way, the organization can ensure that all devices are properly maintained with current security software, browser updates and so on.
This old-school approach can work well for corporate-owned devices, but it has important drawbacks for personally owned devices, especially in verticals like education. In particular, it fails to protect the privacy of user data — the organization can see everything on a user’s personal device, from personal texts and emails to Facebook posts and browser history. Even though our culture seems to be growing ever more comfortable with sharing personal information online, most people aren’t comfortable giving their employers this unfettered window into their personal lives. As a result, this approach tends to hamper BYOD adoption, if not bring it to a grinding halt.
Secure mobile workspaces are the most secure way to implement BYOD
Fortunately, there’s a better option: secure mobile workspaces. By downloading a free app to their phone or tablet, employees (and other authorized users, such as partners or contractors) can establish a VPN-like connection to the corporate network. A customized workspace provides each user with access to only the resources authorized by policy, while keeping personal and corporate data separate and secure.
Specifically, a secure mobile workspace can enable authorized users to access:
Learn more about building a secure mobile enterprise!
This secure virtual workspace is a key ingredient in a broader mobile strategy — what Dell calls the secure mobile enterprise. To learn more, read our whitepaper, “The Secure Mobile Enterprise.”
The threat landscape has been evolving at a rapid pace, requiring enterprises to be highly vigilant and stay on top of new tools and processes that effectively protect them from cyberattacks. According to a recent study on data breaches, 90 percent of exploits targeted apps for which patches had been available for six months or longer, and 50 percent of systems had at least 10 vulnerabilities that had patches available, but were not installed.
Needless to say, patch management is an integral component of any effective defense-in-depth strategy and is a valuable first line of defense to minimize your endpoint risk. System hardening with security configuration management and vulnerability assessment and remediation are two important controls that go hand-in-hand with patch management.
Security Configuration Management
Over the years Verizon’s annual Data Breach Investigations Reports have indicated that weak configuration management and inadequate system hardening factor into most data breaches. Developing configuration settings with strong security properties is a complex task that requires knowledge and analysis that is beyond the scope of the user.
Installing a strong configuration is not enough. You must continue to manage it to maintain its security properties to ensure it is not compromised over time as a result of changes or new events, such as new security vulnerabilities or software updates. In order to manage all the systems, operating systems and applications in your environment, you need a centralized solution that gives you a holistic view of your endpoints, and the ability to install and update standard configurations across your entire environment.
Such a solution will empower you to enforce a consistent endpoint configuration policy, as well as continually monitor and tweak it to ensure that it stays effective long term.
Vulnerability Scanning and Remediation
Vulnerability scanning is another integral component of an effective security strategy; without it, you would be unable to discover and address flaws that could potentially give hackers a way to get into your network and systems. Also, vulnerability analysis can help you assess the effectiveness of proposed countermeasures.
The Open Vulnerability and Assessment Language (OVAL®) is a well-known standard for writing machine-readable checks. An OVAL definition describes, in XML, which objects on an endpoint to examine (an installed package, a file version, a registry value) and which state of those objects indicates a vulnerability, a configuration issue, an installed program or a missing patch, so any scanner that speaks OVAL can evaluate the same definition and reach the same verdict. The OVAL repository of vulnerability definitions is continually updated by the community, which reviews and vets new definitions before adding them to the repository. For more information and a helpful list of controls, check out our new white paper, Protecting Your Network and Endpoints with the SANS 20 Critical Security Controls.
Enterprises today must take a very active role in defending their organizations and managing risk, and you play a key role in helping your organization achieve this through patching, configuration management and the use of vulnerability scans. This is no easy undertaking, but a centralized solution can make your life a lot easier.
Gain more insight into developing an effective patch management strategy that meets your organization’s needs.
In our previous blog we talked about simplifying the patch management process and how automating patch management can greatly ease the burden of managing your IT environment. We touched upon three key elements of effective patch management:
Here we will talk about the impact an effective patch management strategy has on both IT admins and users, and some of the elements that contribute toward that experience.
Significantly Improved Productivity and Job Satisfaction for IT Admins
A centralized patch management solution allows you to coordinate patch updates across large user populations in a more timely and efficient manner, while providing detailed visibility into each of the patching phases. This eliminates the headaches associated with using multiple solutions, making for a much better user experience and allowing you to focus on more strategic projects. Here are ways you can streamline the patch management process and gain greater control over each step in the process:
1. Get the “undo” button
The ability to roll back or “undo” patches is an important feature that gives you peace of mind. It’s especially valuable in those instances when a patch gets rolled out unintentionally, errors are found after deployment, or the vendor issues a recall. Rollback does not replace testing, and some updates (firmware, anything that migrates data or changes a schema) cannot be cleanly undone, but for ordinary software patches it lowers the cost of a bad one enough that you can test on a pilot group and ship, rather than holding a critical fix for weeks of exhaustive testing while the security gap stays open.
2. Use a phased approach
Leveraging a phased release approach to patch management helps you avoid bottlenecks and delays. This is especially important in organizations with large, complex and distributed user populations. Using a phased approach, you can schedule deployments based on criteria best suited to your organization, such as department or geographical location. A phased approach allows you to push out critical patches immediately to systems that need them the most, while rolling out less critical patches subsequently. Such a systematic approach is more easily communicated to end users, setting realistic expectations while minimizing disruptions.
3. Deploy to remote sites without clogging up the network
It is critical to deploy patches to remote sites without consuming excessive WAN bandwidth. A robust solution will transfer each patch package once from the central site to a replication point at the remote site, and then have the remote systems fetch it over their local network. This minimizes the load on the WAN link, and is much more efficient than sending the same package from the central site to every remote system individually.
4. Set up reports and alerts to notify you of issues
Detailed reports and alerts quickly identify issues so you can focus on the systems that need your attention right away. Reports identifying non-compliant computers, alerts notifying admins of failures, and other such tools make life a lot easier. They allow you to take action quickly and identify issues needing your immediate attention.
Using an automated, centralized patching solution that gives you these capabilities allows you to save a significant amount of time and hassle, gain increased visibility into your environment, eliminate errors and exercise a lot more control over your systems. By doing your job more effectively and efficiently, you’ll have time to move on to value-added tasks that result in improved productivity and greater job satisfaction.
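The following is an added example, not KACE code or anything from the original post, that implements the two pieces of the approach above that are pure logic: a compliance report listing non-compliant computers and the patches they are missing, and a phased plan that pushes critical patches everywhere immediately, then the rest to a pilot ring and a broad ring, grouped by site so each remote site receives a package once. The inventory, site and ring names and KB identifiers are constructed for the example; in production the `Installed` list per host would come from `Get-HotFix` or from the management appliance’s inventory.

```powershell
# Added example: patch compliance report and phased deployment waves.
# All data below is constructed; KB numbers are placeholders, not real updates.

$Required = @(
    [pscustomobject]@{ KB = 'KB1000001'; Severity = 'Critical'  }
    [pscustomobject]@{ KB = 'KB1000002'; Severity = 'Important' }
    [pscustomobject]@{ KB = 'KB1000003'; Severity = 'Moderate'  }
)

$Inventory = @(
    [pscustomobject]@{ Host = 'fin-ws01'; Site = 'HQ';     Ring = 'Pilot'; Installed = @('KB1000001', 'KB1000002', 'KB1000003') }
    [pscustomobject]@{ Host = 'fin-ws02'; Site = 'HQ';     Ring = 'Broad'; Installed = @('KB1000001') }
    [pscustomobject]@{ Host = 'eng-ws07'; Site = 'Remote'; Ring = 'Pilot'; Installed = @('KB1000002') }
    [pscustomobject]@{ Host = 'eng-ws09'; Site = 'Remote'; Ring = 'Broad'; Installed = @() }
)

function Get-PatchCompliance {
    # One row per host: what is missing, split by whether any of it is Critical.
    param([object[]]$Inventory, [object[]]$Required)
    foreach ($h in $Inventory) {
        $missing = @($Required | Where-Object { $h.Installed -notcontains $_.KB })
        [pscustomobject]@{
            Host            = $h.Host
            Site            = $h.Site
            Ring            = $h.Ring
            Compliant       = ($missing.Count -eq 0)
            MissingCritical = @($missing | Where-Object Severity -eq 'Critical' | ForEach-Object KB)
            MissingOther    = @($missing | Where-Object Severity -ne 'Critical' | ForEach-Object KB)
        }
    }
}

function Get-DeploymentWaves {
    # Wave 1: every host missing a Critical patch, regardless of ring.
    # Wave 2: pilot ring, remaining patches. Wave 3: broad ring, remaining patches.
    # Each wave is split per site so a remote site pulls each package once.
    param([object[]]$Report)
    $waves = New-Object System.Collections.Generic.List[object]

    $critical = $Report | Where-Object { $_.MissingCritical.Count -gt 0 }
    foreach ($g in ($critical | Group-Object Site)) {
        $waves.Add([pscustomobject]@{ Wave = 1; Ring = 'All'; Site = $g.Name
                                      Hosts = @($g.Group.Host); KBs = @($g.Group.MissingCritical | Sort-Object -Unique) })
    }

    $wave = 2
    foreach ($ring in 'Pilot', 'Broad') {
        $rest = $Report | Where-Object { $_.Ring -eq $ring -and $_.MissingOther.Count -gt 0 }
        foreach ($g in ($rest | Group-Object Site)) {
            $waves.Add([pscustomobject]@{ Wave = $wave; Ring = $ring; Site = $g.Name
                                          Hosts = @($g.Group.Host); KBs = @($g.Group.MissingOther | Sort-Object -Unique) })
        }
        $wave++
    }
    return $waves
}

$report = Get-PatchCompliance -Inventory $Inventory -Required $Required
$report | Where-Object { -not $_.Compliant } | Format-Table Host, Site, Ring, MissingCritical, MissingOther -AutoSize
Get-DeploymentWaves -Report $report | Format-Table Wave, Ring, Site, Hosts, KBs -AutoSize
```

With the constructed data, fin-ws01 is compliant; wave 1 goes to the two Remote hosts for KB1000001; wave 2 goes to eng-ws07 for KB1000003; wave 3 goes to fin-ws02 (HQ) and eng-ws09 (Remote) for the remaining patches. The gate between waves is the part you add from your own telemetry: do not start wave 3 until the wave 2 failure rate from your deployment reports is below whatever threshold you set.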
Engaged, Productive and Happy End Users
Now let’s see what impact a centralized patch management solution has on end users. It is only natural for employees to get upset when their PC suddenly reboots in the middle of the work day, losing unsaved work. Here are some ways a centralized patch management solution can improve the patch management experience for end users:
To learn more, read our white paper, “Nine Simple (but Critical) Tips for Effective Patch Management,” to gain more insights into developing an effective patch management strategy that meets your business needs. Stay tuned for blog #3.