Fixing the security holes that vulnerability-assessment scanning products detect must seem as difficult to IT administrators as the labors of Hercules. A new Hercules is coming soon, but instead of cleaning stables or winning the skin of a lion, it will try to help administrators fix these problems automatically.
Citadel Security Software Inc. will announce Hercules, its automated vulnerability-patching application, at the RSA Security Inc. conference in late February in San Jose, California, according to Carl Banzhof, chief technical officer at Citadel. Hercules works with vulnerability-assessment products from companies such as Internet Security Systems Inc. and Network Associates Inc.: it takes the list of vulnerabilities they find and lets administrators automatically apply patches and change policies to close the security holes, Banzhof said.
Hercules matches the vulnerabilities discovered by the scanners to a database of security issues created by Citadel staffers who check vendor sites, e-mail discussion lists about security such as Bugtraq, and hacker sites for information and patches, Banzhof said. When Hercules determines what can be done to fix the holes, it presents administrators with a list of possible actions, he said. Administrators can then determine what actions they want taken and when, Banzhof said.
Once an administrator has created the profile of security changes he or she wants made, Hercules downloads any files it needs to the local Hercules server and automatically applies them, Banzhof said. For administrators who change their minds about security configurations, the first version of Hercules will allow the rollback of all security patches and the second version will go further by allowing all changes to things such as policies and configurations to be rolled back, he said.
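The match, approve, apply and roll-back workflow described above, as an added Python model that is not Citadel's code; the finding ids, action names and the dictionary standing in for a host are constructed, and the `kinds` argument of `rollback` captures the difference between reverting patches only (first version) and reverting policy changes as well (second version).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Action:
    name: str
    kind: str                      # "patch" or "policy"
    apply: Callable[[dict], None]  # mutates the host model
    undo: Callable[[dict], None]   # reverses that mutation

def policy_change(key, value):
    """Apply/undo pair for a policy setting in the constructed host model."""
    return (lambda h: h["policy"].update({key: value}),
            lambda h: h["policy"].pop(key, None))

# Constructed catalogue standing in for the vendor-maintained database:
# scanner finding id -> remediation actions (all ids hypothetical).
CATALOG: Dict[str, List[Action]] = {
    "MISSING-HOTFIX-1": [Action("install hotfix 1", "patch",
        lambda h: h["patches"].add("HF1"), lambda h: h["patches"].discard("HF1"))],
    "WEAK-LM-HASH": [Action("disable LM hash storage", "policy",
        *policy_change("NoLMHash", 1))],
    "GUEST-ENABLED": [Action("disable Guest account", "policy",
        *policy_change("GuestEnabled", 0))],
}

def plan(findings, catalog=CATALOG):
    """Match scanner findings to catalogue entries; unknown ids are reported, not fixed."""
    actions = [a for f in findings for a in catalog.get(f, [])]
    unknown = [f for f in findings if f not in catalog]
    return actions, unknown

def apply_profile(host, actions, approved):
    """Apply only the actions the administrator approved, journaling each for rollback."""
    journal = []
    for a in actions:
        if a.name in approved:
            a.apply(host)
            journal.append(a)
    return journal

def rollback(host, journal, kinds=("patch",)):
    """Undo journaled actions in reverse order, limited to the given kinds;
    returns the actions that remain applied because their kind was not revertible."""
    for a in reversed(journal):
        if a.kind in kinds:
            a.undo(host)
    return [a for a in journal if a.kind not in kinds]
```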
Banzhof expects that customers will embrace the product, even though it takes some control out of the hands of administrators, an idea discouraged by some in the security world.
"I think they will (embrace it) once they see the approach we've taken," he said.
Charles Kolodgy, research manager at International Data Corp., thinks so as well, saying that "the people who are purchasing it would want that -- they'd be purchasing it for that." (IDC and the IDG News Service are owned by the same parent company, International Data Group Inc.) Other vulnerability-assessment products are adding that kind of automatic updating, Kolodgy said.
"There's definitely a need (for products) that can let you fix what your vulnerability-assessment products tell you need to fix," he said. Vulnerability-assessment products recommend so "many changes that you can't go and do them manually anymore," he added.
Hercules will be available in mid-February in the United States, with no worldwide launch yet scheduled, Banzhof said. The client and server versions of the product run on Windows NT/2000/XP, with future versions of the client planned for Unix, Solaris and Linux, he said. Pricing starts at US$995 per server and $50 per client, with volume discounts available, Banzhof said.