Jamie Davis, VP, Education, Product Management, and Quality Control
Managing 20,000 machines on a daily basis has its benefits and challenges. Due to this quantity of machines, Safe Systems is often one of the first to know if a Microsoft, core vendor, etc. update has had a negative unexpected consequence on machines or other software. This large quantity also gives us a unique view into the patch status, vulnerabilities, and virus status of our financial institutions as a whole. Keeping such a wide range of hardware and software secure while running at optimal performance with little interference is a goal we strive to attain on a daily basis. Addressing vulnerabilities on so many devices can be a challenging task. Even a fix on 99 machines can have devastating effects on 1 machine at any given time.
For years Safe Systems has applied mass fixes to their managed devices in an effort to keep all devices hardened for security purposes while also allowing them to perform their needed functions. We view this process as a security baseline that all our managed devices will meet if they are on a network we manage. And through these years our NetComply Service has enabled us to apply new fixes every month to our Platinum and Gold client servers. Silver clients also have an opportunity to have their servers meet this baseline through adding the Security Baseline Service to their NetComply contracts.
The graph below represents the dramatic decline in known issues across our client base through some enhancements to our Security Baseline Service. By automating and improving the way Safe Systems addresses vulnerabilities created by Java, Adobe, Flash, and QuickTime, the number of recognized vulnerabilities has dropped significantly by 80% across our managed devices in just 3 months. The Safe Systems security baseline team meets monthly to discuss vulnerabilities, breaking them out into categories of “no fix available,” “fix addressed by our automated systems,” and “fix needs to be created.” Often vulnerabilities cannot be fixed for various reasons. Three of the most common reasons are: 1) the software vendor has not created a fix 2) addressing the vulnerability will stop a needed function 3) the vulnerability listed is a non-issue due to other mitigating factors that exist. The improvements we have seen due to the enhancements we made to our Security Baseline Service now mean that a large majority of all issues fall into the category of “fix addressed by our automated systems.” This means that without any delay or any manual labor, each server will have the vulnerability addressed in one week or less of a fix being produced by the software vendor.
Safe Systems still writes manual fixes monthly, but now we have a more focused list of issues to address. There have been some institutions who reported to us that they receive monthly vulnerability scans by a third party company and the number of issues that were considered high risk have now dropped considerably and in some cases, all high risk issues have been addressed. This Security Baseline Service is an example of our efforts to help financial institutions address their needs in a secure, compliant and efficient way.