We looked at ECM 4.8, with the Security Update Manager (SUM) add-in. But while ECM supports multiple platforms, including Windows, Linux and Solaris, SUM is Windows-specific.
Installation was challenging, with the software demanding very specific versions of MS SQL 2000 and other software, although we were impressed by the feedback. The software not only reports on missing components, but details what actions could be taken to remedy the problem.
Configuresoft includes a Flash demo of the application that skims through the basic features of the product at high speed, but in enough detail to be very useful to a new user.
Once installed, a bit of heavy lifting is required to gather all the basic information about your network. The console is all web browser-based, with the familiar multi-pane view presenting tabs of activities on the left, status at the top, and all the actual data in the rest of the page.
The functions in the navigation tree are set according to the role of the current user, and are split into sections – console, compliance, reports and administration. If you are using SUM, then an extra section is added for that.
The first step (after some basic tweaking) is to gather all the information about your network, including IP ranges and domains.
At install, the software scans for available domains and machines to manage. But this is never infallible, so you will want to either compare the list to a known audit of the enterprise, or do repeat scans, watching for new systems coming online after the initial period of deployment. There will always be offline or travelling machines that will be missed the first time.
Discovery is thorough and can scan by IP range, primary domain controller or Active Directory. Agent installation, and subsequent scanning, is all quick and easy to set up, although on a large network you will probably want to take advantage of the facility to target small groups at a time and schedule tasks to minimize the load on your infrastructure.
Once you have your network of machines fully defined, and agents installed everywhere, the first collection is run to establish a baseline of information about the systems.
This takes ages, even on a smallish network, and the amount of data going to and fro is definitely going to have an impact.
However, subsequent scans only return data that has changed, which helps to reduce the overhead tremendously.
At last, with information in the system, you can do some real work. Analyzing that data is where Configuresoft’s real strength lies – applying filters and drilling down. With just a couple of mouse clicks, you can identify machines that deviate from established baseline policies, and track over time the deployment of critical patches.
Mapping all this back to compliance modules provides audit-ready reports derived from all the data. The software does a great job of making formerly complex and time-intensive tasks quick and easy.
One of the key areas where all this analysis shines is patch management. The software quickly identifies machines that are behind your nominal patch schedule.
Tracking configuration policies (installed software, security policies and so on) is also a task that the software tackles with ease. You might find that, on first pass, a surprising number of systems are out of compliance: the accumulation of extraneous software code on PCs is insidious.
Configuresoft also builds in a little bit of security event management. You can track login failures and security alerts, but you should probably have a decent SEM tool doing this separately.
This is a good time to mention the Security Update Manager, a Windows-specific component that gathers security alerts from Microsoft, pulls together all the relevant patch information, and then helps with the entire patch lifecycle — from testing, through deployment, verification and roll-back of failed patches. Combined with the overall capabilities of ECM, this is great, and our only wish is that it was also cross-platform, like the rest of the suite.
By default, the software keeps logs for 30 days, although in today’s world of tight regulations and internal forensic exams, you might want to increase this.
We’d like to see better integration with asset management tools: after all, many organizations already have a comprehensive list of known machines stored elsewhere. Active Directory is a start, but ties to third-party asset management tools would be helpful.
Another helpful step would be more platform integration. Configuresoft supports variants of Unix and Linux, but we would love to have seen a standard API that other firms or Linux distribution managers (Novell, for instance) could use to publish data back to ECM.
At around $995 per Windows or Linux server (around $1,495 for AIX/Solaris), it is not cheap to manage a large number of servers, but the effort is worth it. And if you are like the many organizations with a server-consolidation project on the go, even better.
ECM and SUM combine to form an extremely advanced configuration and policy management tool, which scales well to organizations of any size.