IT administrators in small businesses have a tough job keeping up with all the software updates for every single application installed on every computer in the organization. Software vendors either have their own patching schedule (Oracle CPU, Microsoft Patch Tuesday, Adobe updates, to name just a few) or don’t release updates regularly. Administrators have to stay on top of all the update news, and push out updates or encourage users to not wait “for later” to install the security fixes. Enter Secunia SmallBusiness, a Web-based console wrapped around the company’s Secunia Personal Software Inspector (PSI) 3.0 for small business networks.
Large enterprises can use patch management systems to scan local computers, monitor what software is running, and push out updates as they become available. For the small business, however, many of these products are out of reach because they are either too complex or too expensive. This is where Secunia SmallBusiness comes in.
Intended for the small office/home office and small/medium-sized business setting, Secunia SmallBusiness is ideal for environments with between 2 and 50 users. SmallBusiness occupies the market right between Secunia PSI, which manages patches for a single user, and Secunia Corporate Software Inspector (CSI) for use in environments with more than 100 users. Secunia SmallBusiness takes advantage of Secunia PSI’s robust scanning and patching console by installing the agent-based software on each computer that is being monitored. SmallBusiness collects all the scanning results into a centralized Web console so the administrator has an ongoing overview of the organization’s security posture.
The platform is currently in beta but will be generally available by June. While in beta, Secunia SmallBusiness is free for up to 50 users. After the beta ends, the company plans to charge “a low monthly fee per additional host” that is less than $5 per host per month. Secunia will offer monthly or yearly plans, and organizations can add more seats as needed under a pay-as-you-go plan.
The SmallBusiness console is a centralized location for the results generated by the agent-based scanner on each computer. This way, administrators have an at-a-glance view of the organization’s overall security posture as well as which software each computer needs to update.
I signed up for an account on Secunia’s Web site. Once I created a password, I was directed to the console, which is a simple page with a header containing links to the user manual, built-in help, and links to the PSI software agent. All the names of the systems being scanned and monitored are listed on the left side of the screen. When I click on the computer name, I see all the software installed, whether the application is insecure or not, and how many computers within the organization are running that same product. A “criticality” meter indicates the seriousness of the vulnerability in that software that needs to be patched.
Secunia SmallBusiness generates a unique link pointing to a version of Secunia PSI that is associated with the account. I clicked on the Download link at the top of the console to get my unique link. I could paste it into an email or other forms of communication for users to download the PSI agent, or I could log in to the console from each employee device and manually download the agent. For a small organization, asking the administrator to go from computer to computer to manually download the agent, or relying on the user to install the agent, is fine, but for even slightly larger environments or one with users who work remotely, this is not a very sustainable model. Qualys offers a similar scanning service where administrators can push an MSI file of the agent to each employee device. Something similar would be useful for Secunia SmallBusiness.
Once Secunia PSI is installed on the user’s endpoint, the agent collects all the information about what is installed, compares the list against Secunia’s extensive database of over 3,000 applications, and presents the user with information about what software needs to be updated. PSI under SmallBusiness acts exactly the same as the stand-alone counterpart, and more details on how it works are available under its own review.
Despite all the applications I have installed on the test system, the scanning process was quick and did not impact my computer’s performance. Once it had finished the scan, it displayed a list explaining which applications were current and which needed to be updated. This same information is visible from the Web console.
Every time PSI runs a scan, it uploads the results to the Web console. The security score for each computer is saved to the console, and the administrator can see that the systems are 90 percent secure, 58 percent secure, 100 percent secure, etc. The Web console also takes that information and provides an overall network score.
There is nothing stopping the user from downloading PSI directly from Secunia’s site instead of using the provided link. However, since each download link is customized for the organization, if the user decided to download PSI directly, that computer’s results will not show up on the Web console.
From what I could tell, while I could view the historic results on each computer, the historic data does not get saved on the Web console. So there is no easy way to tell just how long it has been since the user updated Adobe AIR, or that a computer has been running at least one piece of outdated software for the past six months. Administrators could benefit from having some historical context to the results.
One of the strengths of the platform is that it doesn’t matter where the computers are physically located. Since the agent is downloaded from a link unique to the organization, Secunia’s servers know which account all the scanning results need to be associated with. This is particularly useful when the business has a workforce that is frequently on the road, whether it’s out in the field or on various business trips. Regardless of where the user is physically located, Secunia SmallBusiness can ensure the machine has all the updates installed.
If anything is vulnerable, the administrator can either automatically update the software or nag the end-user to perform the task. As mentioned in the earlier PSI review, the scanner can be configured to automatically grab and install updates. If I clicked on the name of the program within the Web console, it opened another window which provided some information about the issue. Along with a link to the Secunia advisory explaining the flaw, I could see what machines needed to be updated, and the option to “Update all” to install the patch on all affected systems. The ability to perform a bulk update will be quite handy for administrators.
The platform is designed only for Windows machines. Mac OS X users need not apply, although the company has an Android version in the works. Considering the number of software applications on Mac OS X that have recently been targeted because users aren’t keeping up with updates, being able to manage patches for Mac OS X would have been beneficial.
Patching as First Line of Defense
Secunia SmallBusiness actually has more in common with network management platform Panorama9 than with BrowserCheck from Qualys and BrowserScan from Rapid7. Although BrowserCheck and BrowserScan have the same goal, to help organizations keep track of outdated software so that users won’t be vulnerable to cyber-attacks, those two tools focus on the Web browser and plugins. Secunia supports other Windows applications, and does not have as deep support for plug-ins.
The SMB cannot treat Secunia SmallBusiness as a replacement for other security measures, but can take advantage of the quick snapshot into the organization’s security posture. For small businesses falling behind on patch management and regular software updates, Secunia SmallBusiness is a good first step. Secunia PSI is enough for a single user, but when it comes to a business environment, administrators need a way to compile the information.
Automated updates also help administrators keep users up-to-date without having to nag them to download the software. With this kind of a tool, organizations don’t have an excuse for not knowing why all the computers aren’t up-to-date or what specific software the users are running.
OS Compatibility: Windows Vista, Windows XP, Windows 7, Windows 8
Copyright © 2012 Ziff Davis, Inc