2015 Security Conference Secunia Do I really need secure Applications? Rod White Enterprise Sales, UK & Ireland Tel: 7887 492 043 Email: [email protected]


Page 1: 2015 Security Conference Secunia Do I really need secure Applications? Rod White Enterprise Sales, UK & Ireland Tel: 7887 492 043 Email: rwhite@secunia.com

2015 Security Conference

Secunia

Do I really need secure Applications?

Rod White

Enterprise Sales, UK & Ireland

Tel: 7887 492 043

Email: rwhite@secunia.com


An Introduction To Vulnerabilities


Are the Vulnerabilities used as an attack vector “known Vulnerabilities”?

• The attack vector that you should never ignore

“Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and be detectable via security monitoring.”

- Gartner (1)

(1) “Adapting Vulnerability Management to Advanced Threats.” Gartner. April 2012 http://www.gartner.com/id=2142515


Why Do You Need Patch Management?

• Only patching Microsoft programs is simply not enough

Vulnerabilities in non-Microsoft software are still on the rise. Despite fixes being available for most of those, we continued to see organizations suffering costly breaches caused by exploitation of vulnerable applications throughout 2012.

- Secunia Vulnerability Review 2013

https://secunia.com/vulnerability-review/

“Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber attacks. As a result, these companies enjoyed an average cost savings of $1.6 million when compared to companies not deploying security intelligence technologies.”

- Ponemon Institute 2012 (5)

(5) “2012 Cost of Cyber Crime Study: United States.” Ponemon Institute. October 2012 www.ponemon.org/local/upload/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6.pdf


Timeline of an Attack

Source: Microsoft Security Intelligence Report volume 11. http://www.microsoft.com/en-us/download/details.aspx?id=27605


How big is the problem?

BEWARE THE INSIDER THREAT!

In 2014 Secunia saw 15,435 vulnerabilities in 3,870 applications from just 500 Vendors.

Up 18% from 2013

Up 55% over the last 5 years

60.2% of vulnerabilities showed the primary attack vector was via remote network access.

Local network access as an attack vector rose to 33.4%.

Local System Access remained stable around 6.4%.

Top 50 Portfolio showed 1,348 vulnerabilities in 17 products from 7 vendors (circa 80 per product or 192 per Vendor)


• Secunia Reports

Based on the figures for Q4 2014

The average PC User in the UK has

74 Programs from 26 Vendors

59% (44) of them are non-Microsoft

10.6% of users have unpatched Windows Operating Systems

10.9% have completely unpatched 3rd Party Apps

5.8% of Apps are End of Life (no longer Vendor patched)


• Most Exposed Applications in Q4


• Top 10 End of Life Applications in Q4


• What is the problem space?

Many 3rd Party Applications in use

Many technical products – all with 3rd party software

Often Business Critical but lots of non-critical App-Creep

Identifying when a security patch is available is time-consuming and liable to mistakes

- Checking websites for new patches/content

- How many people/how much time does it take?

Many customers not patching AT ALL

Some think SCCM takes care of it

Many are doing it manually and in an ad-hoc fashion

Many are missing Application patches – don’t know they exist or not aware you have the Application in house


Enterprise Challenge: Patching the Known Unknowns

Why do customers care?

Resources invested in SCCM implementation – Secunia helps maximise the benefit

Customers do Microsoft patching really well!

Why not use the SAME process to roll out 3rd Party Patches – save yourself time, effort and money

Business View

Criminals’ View

What criminals attack

MS apps and (sometimes) common third-party apps

Programs you know about (and have no resources to patch)

Programs you don’t know about

What users patch

Vendors


About Secunia


Company Overview

• Brief Secunia facts

Established: 2002

HQ: Copenhagen, Denmark

Regional offices: Germany, UK&I, Austria, Australia, USA

Ongoing collaboration with leading industry organizations

Trusted advisor to thousands of organizations, including CERTS and ISACs, the White House, NATO, NIST, NERC and Mitre.

Endorsements and ongoing collaboration: Industry experts consistently recognize Secunia’s product innovation and commitment to eliminating vulnerabilities.


• Market Focus

• The three pillars of our success

Vulnerability Intelligence, Vulnerability Management and Patch Management for global enterprises, SMBs and private users

1. World-renowned Vulnerability Intelligence

2. Award-winning Vulnerability Management

3. Best-in-Class Patch Management


Research Team

The heart and soul of Secunia; the eyes and ears of the industry

One of the largest Vulnerability Intelligence databases on the market

• Database contains vulnerabilities in software products since 2002

• 51,000+ programs, applications and plug-ins from thousands of software vendors

• Fully CVE compliant. Data is tested and verified by Secunia’s researchers

• The database is unique to Secunia and is Secunia’s own IP – we don’t re-sell it to anyone

Delivering the most reliable advisories on the planet


• The Secunia Equation

• Our foundation stone for the proactive detection and remediation of vulnerabilities


Complete Patch Management

How do you stop them?

When/ how do you roll fixes out?

Where are they?

Secunia CSI combines scanning, vulnerability analysis and patching, meeting the requirements of both IT Security and Operations teams.

This combination of vulnerability intelligence, vulnerability scanning, patch creation and patch deployment integration is unique in the industry.

Complete Patch Management

What threats are there?


• Solutions Portfolio

Reliable, transparent, integrated, cloud-deployed solutions

Consumer

Personal Software Inspector (PSI)

• Free tool for Vulnerability Management

• Safeguard data from cybercriminals

• Scans software on PCs and identifies insecure programs

• Automatically applies software security updates to keep PCs secure

• Available in 8 languages

PSI for Android

• Free version for smartphones and tablets

• Scans apps downloaded from Google Play as well as apps from external sources

• Alerts users to apps with known vulnerabilities

• Checks that security updates are performed quickly

Corporate

Corporate Software Inspector (CSI)

• Targeted, flexible Patch Management

• Secures and updates vital applications

• The complete A-Z: Vulnerability Intelligence and Scanning plus Patch Creation and Deployment

• Microsoft System Centre 2012 and WSUS integration

• Scans Windows, Linux and Mac OS

Vulnerability Intelligence Manager (VIM)

• Tactical handling of vulnerability threats

• Enables pre-emptive action against vulnerabilities in a simple, cost-effective way

• Delivers real-time vulnerability alerts

• No installation required


• Microsoft Security Alliance Partner SCCM / WSUS & Altiris integration

• Ongoing collaboration and solutions integration

Because patching non-Microsoft programs is essential to corporate security

Secunia is the first Vulnerability Security Alliance Partner of the Microsoft Technology Centre Program.

We are also a member of Microsoft’s System Centre Alliance Program.

Our solutions integrate with Microsoft System Centre 2012 and Microsoft WSUS.


Secunia products heavily utilise Microsoft deployment tools

Secunia products are installed at Microsoft Training Centres GLOBALLY.

Extract more VALUE from your Microsoft SCCM/ WSUS installation

Also scan RedHat Linux, MAC OS, Android

How?

Integration of Secunia CSI with Microsoft SCCM (2012) & WSUS

Scanning

Leverage existing System Centre collection information to get visibility of 3rd Party Applications.

Agent-based and Agent-less scanning

Many customers have a hybrid environment

Patch Plug-in within SCCM

Enable 3rd party patch deployment directly within SCCM console.

What do Secunia do?


Added Value to SCCM

CSI is an intelligent remediation solution that combines multi-platform assessment of patch status and tools for cost-effective security patching and seamless Microsoft System Center integration.

CSI pushes 3rd party updates seamlessly into SCCM/WSUS


• Sample of Our Reference Customers

Diversified customer base across multiple verticals, worldwide

Markets: ANZ, Asia, EMEA & Americas

Sectors: Financial Services, Government, Defence, Education, Energy and Utilities, Healthcare

Global


Quote from the EVERNOTE CEO

“Secunia is a particularly valuable tool, keeping you up to date on potential attacks, vulnerabilities and the patches you can integrate to fend them off.”


Secunia Can Help You

• Don’t take our word for it – hear what others have to say about us

"The MS-ISAC is pleased to collaborate with Secunia in providing our members with resources that assist in identifying and mitigating vulnerabilities across their environment… This partnership is an excellent example of the public-private sector collaboration necessary to protect our critical infrastructure assets from cyber security threats."

- William F. Pelgrin, President and CEO

“…Thanks to the high quality of the information provided and the rapid and extremely service-oriented response to our queries as well as suggested improvements, Secunia's services have proven to be particularly valuable to the Bundesbank.”

- IT Security Management

“….This stream of accurate alerts helps Commerzbank CERT providing timely alerts together with appropriate remedies and mitigations to our customers worldwide. Commerzbank's collaboration with Secunia has proved to be an efficient and cost-effective service over time.”

- Head of Threat Analysis & Forensics

“Having the specific vulnerability information we require for prioritization, along with the ability to communicate relevant vulnerability intelligence to the appropriate resources for remediation, for us was especially convincing.”

- Bernhard Weller, Managed Operations & Services


Secunia Can Help You

• Don’t take our word for it – hear what others have to say about us

“As a local authority we have a large and complex IT infrastructure with a wide variety of software applications and operating systems.

With limited resources it is difficult for us to take a pro-active approach in identifying missing software security updates across the entire estate and patching them in a timely and effective way.

Secunia demonstrated that extensive research and testing had gone in to providing the security updates that can be easily integrated into our existing infrastructure. This helps to reduce the majority of the resource burden when deploying software and security updates across so many systems. Implementing Secunia CSI provides us with the reporting capabilities we didn’t already have to actively monitor our infrastructure and effectively target priority areas which represent high levels of risk. Secunia CSI will aid us to meet compliance requirements for the PSN Code of Connection and allow us to become more pro-active than re-active and addressing vulnerabilities as soon as fixes become available and not just when an annual penetration test is due. ”

- Liz Holmes, ICT Security & Compliance


• Secunia Can Help

• Don’t take our word for it – hear what others have to say about us

“We’ve been able to understand the landscape in our software environment and take business decisions about risk with a full understanding of the situation. The Secunia CSI has removed difficult, time consuming process steps from our workflow,”

- Stephen Kavanagh, IT Manager

Oxford University, Anthropology Department

"Earlier, South Oxfordshire had a patch management system that used agents, and we found it unreliable. So we wanted to go back and use something native, and WSUS gave us that option. Then with Secunia pushing software updates into WSUS, it was obviously perfect for third party patching."

- Simon Phillips, IT Security Officer


• Q&A
