Lumension PatchLink Security Configuration Management

Security Configuration Management Made Easy from Assessment to Remediation

Lumension Security™ - PatchLink Security Configuration Management™ provides out-of-the-box regulatory, standards-based assessment and industry best practices templates to ensure endpoints and applications are properly configured. PatchLink Security Configuration Management™ seamlessly integrates with its proven, market-leading solutions, PatchLink Scan and PatchLink Update, to deliver a comprehensive network and agent-based risk assessment of software flaws and configuration vulnerabilities, rapid remediation, continuous validation and policy compliance reporting. PatchLink Security Configuration Management™:

• Delivers Security Content Automation Protocol (SCAP) validated configuration assessment
• Enables the standardization of endpoint and application configurations
• Ensures endpoint and application configurations are continuously secured
• Proactively eliminates vulnerabilities
• Maps technical controls to regulatory policies, industry standards or corporate policies
• Demonstrates policy compliance by reporting configuration status against regulations and industry standards such as Federal Desktop Core Configuration (FDCC) and Payment Card Industry (PCI-DSS) as well as customized policies
• Reduces exposure to operational and financial risk

Overview:

Comprehensive Security Configuration Management and Compliance

Leveraging Security Content Automation Protocol (SCAP), PatchLink Security Configuration Management™ automatically maps security policies to technical controls, enabling organizations to standardize and secure endpoint configurations and easily demonstrate compliance with regulatory policies and industry standards such as Federal Desktop Core Configuration (FDCC) and Payment Card Industry (PCI), among others.

Sponsored by NIST, SCAP is a repository of security content used for automating technical control compliance activities, vulnerability checking of both application mis-configurations and software flaws, and security measurement. The primary output from SCAP are security checklists in a standard eXtensible Markup Language format that agencies (and vendors) can use via automated commercial products to help build, operate, measure and maintain secure systems according to official government security recommendations. Each security checklist contains instructions for configuring information technology products for an operational environment or verifying that an information technology product is already securely configured.

Combining standards-based assessment with network and agent-based scanning, automated remediation, policy enforcement and security measurement, Lumension Security provides the most comprehensive solution to securing endpoint configurations and policy compliance.

How Does PatchLink Security Configuration Management™ Help Government Agencies Comply with FDCC?

As a NIST validated solution, PatchLink Security Configuration Management™ provides a comprehensive list of SCAP policies with hundreds of defined checks, allowing organizations to quickly evaluate their security posture and determine what must be fixed to meet FDCC standards. In addition, customized templates ensure that assessments are tailored to the various compliance policies that fit an agency’s specific requirements. PatchLink Security Configuration Management™ streamlines this process by facilitating the simple importing and exporting of policies across multiple Vulnerability Management Servers, enabling the same policy documents to be shared by network and agent-based scanners. This eliminates the need to manage and interpret a wide range of different policies and results from non-integrated scanners and agents. Additionally, manual security checks (such as physical security ones) can also be setup into PatchLink Security Configuration Management™ checks in order to provide a complete policy monitoring and management view.

How Does PatchLink Security Configuration Management™ Help Financial Organizations Comply with PCI-DSS?

To address PCI-DSS, a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures, PatchLink Security Configuration Management™ ingests the PCI policy template and maps technical controls to the detailed requirements. PatchLink Security Configuration Management™ automates the policy assessment of specific PCI requirements, including manual checks where appropriate, and monitors and reports against the requirements to ensure comprehensive PCI compliance.

What about other regulations such as Sarbanes Oxley, GLBA, HIPAA, ISO 17799, etc?

PatchLink Security Configuration Management™ can be used to monitor and report on any set of policies that follow the SCAP checklist standards. While FDCC and PCI-DSS are available out-of-the-box for immediate implementation, any other security standard policies can be mapped to SCAP standard checklists allowing PatchLink Security Configuration Management™ to control against these checks. The use of eXtensible Markup language (XCCDF/XML) within SCAP checklists standard enables any organization to perform the policy mapping. Lumension Security Professional Services can also help achieve any type of security policy mapping, should it be from regulatory compliance requirements, industry best practices requirements or specific to an organization.

Features & Benefits:

• SCAP Validated FDCC Scanner: This NIST validation provides another level of confidence with ensuring accurate assessments of policy checklists and configurations as defined in the National Vulnerability Database
• Open, standards-based approach: Leverages security best practices to ensure secure configurations; content pulled from a variety of sources including: OVAL Vulnerability fingerprints, SCAP, FDCC Compliance
• Checklist, PCI Compliance Checklist, NVD, Microsoft Patch Fingerprint, etc.
• Delivers actionable information: Consolidates content from variety of sources and delivers information with context to properly remediate
• Policy Management: Provides the ability to define, edit and import/export security configuration policies.
• Policy Assessment: Delivers a flexible mechanism to assess and apply appropriate policies to applicable systems.
• Results and Reports: Demonstrates policy compliance with high and low level reports on the status of endpoint configurations.
• Policy Enforcement: Maintain compliance, leveraging automated remediation and policy enforcement with PatchLink PDK.
• Mature (PatchLink Update and Scan) delivery platform for assessment and reporting - SCM is expanded functionality on top of a proven base
• Centralized User Interface: Technical controls and asset entities are consolidated into a single UI

Leader in Development of SCAP Standards:

With a solution officially validated by NIST, Lumension Security is a leader in the development of standards including proposing a format for SCAP Remediation in August 2006 and a database pattern for all (current and future) SCAP documents, results and reports. Lumension was engaged with the NIST SCAP well before the OMB mandates and have experienced staff working on our solutions.

Links of Interest to know more:

• SCAP Validated Products
  http://nvd.nist.gov/scapproducts.cfm#scapproducts
• SCAP Home Page
  http://nvd.nist.gov/scap.cfm
• FDCC Home Page
  http://csrc.nist.gov/fdcc/
• FDCC SCAP CheckLists
  http://nvd.nist.gov/scapchecklists.cfm
• CVE Home Page
  http://cve.mitre.org/
• OVAL Home Page
  http://oval.mitre.org/
• XCCDF Home Page
  http://nvd.nist.gov/xccdf.cfm
• FISMA Implementation project
  http://csrc.nist.gov/groups/SMA/fisma/
• PCI DSS Home Page
  https://www.pcisecuritystandards.org/

Requirements:

Minimum Requirements with PatchLink Update
 

Hardware	Single 1.4 GHz CPU on x86 512 MB RAM 36 GB of available disk space Single 100 Mbps network connection
Operating System	Windows Server 2003, Web Edition with SP1 or later	Windows Server 2003, Standard Edition with SP1 or later	Windows Server 2003, Enterprise Edition with SP1 or later	Windows Server 2003 R2, Standard Edition	Windows Server 2003 R2, Standard Edition
Web server	Microsoft® Internet Information Services (IIS) 6.0
.NET Framework	Microsoft® .NET Framework 1.1 SP1			Microsoft® .NET Framework 2.0
Web browsers	Microsoft® Internet Explorer		Mozilla FireFox	Apple Safari
DB Server	Microsoft® SQL Server 2005 Express Edition with SP2		Microsoft® SQL Server 2005 Standard Edition with SP2	Microsoft® SQL Server 2005 Enterprise Edition with SP2

Note: PatchLink Update Server installs SQL Server 2005 Express Edition RTM during installation. Therefore, you must not have any database server installed prior to the installation of PatchLink Update.

PatchLink Update Agent Coverage - Supported Client OS
 

Vendor	Processor Family	OS Version	OS Edition	OS Bit
Microsoft Windows
	X86/x64	Windows XP SP2	Professional	32/64
		Windows 2003	Web Standard Enterprise R2	32/64
		Windows Vista	Enterprise Business Ultimate	32/64

 

Minimum Requirements with PatchLink Scan
 

Hardware	Pentium® compatible 1 GHz 512 MB RAM 20 GB of available disk space Single 100 Mbps network connection
Operating System	Windows 2000 Server SP4	Windows 2000 Advanced Server SP4	Windows XP Professional SP2	Windows Server 2003 SP1

 

PatchLink Scan Supported Target Systems
 

Operating System / Version	Discovery	Assessment	Remediation
Windows 2003 Server X86/X64
Windows XP X86/X64
Windows Vista X86/X64

Documentation:

Download the Lumension PatchLink Security Configuration Management Datasheet (PDF).