Secunia Partner Program Brings Patch Management To Masses

Secunia has been known as a vulnerability intelligence service, but it also sells a corporate software inspector to scan and detect vulnerabilities in thousands of third-party programs and browser components and prepackaged patches for hundreds of products. It integrates tightly with Microsoft System Center Configuration Manager and Windows Server Update Services, relying on the underlying Microsoft technology as the core engine to scan for issues and deploy third-party patches.

The company's software solves what has been a longstanding problem for businesses: how to provide patch and configuration management for hundreds and sometimes thousands of endpoint devices, said Nash Pherson, a senior systems consultant at NowMicro, a St. Paul, Minn.-based systems integrator and Secunia partner.

[Related: The 10 Coolest Security Startups Of 2013 ]

The window of opportunity for attackers to exploit vulnerabilities is increasing significantly, making an efficient vulnerability and configuration management strategy an essential part of every security program, Pherson said. When a vendor issues a patch, cybercriminals can reverse engineer it and create an exploit within hours of its release, Pherson said.

"Manually managing software patching at each endpoint is too resource-intensive for most organizations," Pherson told CRN. "Secunia takes the massively complicated challenging process of handing security updates for a variety of software and makes it as easy as handling Windows updates."

Attackers are choosing to target vulnerabilities in third-party applications and browser components, such as Java, Flash, Adobe Reader and Acrobat software. Instant messenger clients, remote management software, file sharing applications and a variety other collaboration tools used by employees pose a risk, said Pherson and other security experts. While zero-day attacks that use custom malware get a lot of attention, the vast majority of attacks target flaws in commonly used applications, according to a recent analysis of the threat landscape conducted by IBM's X-Force research team.

"Patching is a painful process for every organization, and it's so painful that most organizations just don't do it," Pherson said. "This is a fundamental problem that needs to be solved."

Secunia's goal is to have a specialist on a regional basis across the United States and Canada, said Neil Butchart, who heads Secunia's U.S. channel sales as vice president of North America, based out of the company's Minneapolis office. Butchart, a channel veteran, spent a decade at Shavlik Technologies, building out its international channel before it was acquired by VMware and subsequently spun off to Landesk Software.

Butchart said the company has started out with a direct sales force but is transitioning over to resellers and systems integrators to help boost sales. The company hopes to attract a mixture of technically savvy solution providers to help deploy and maintain the patch management software over time, Butchart said. The company has formed alliances with SHI International Corp. and CDW for fulfillment, but it wants to develop more partners that are involved in direct engagements with clients.

"We have a technology that is superior in how it integrates specifically with Microsoft System Center Configuration Manager," Butchart said. "We are looking for companies that are specializing on the services and implementation end of [Windows Server Update Services] and also looking at security-centric system integrators."

Secunia offers training, qualified leads, not-for-resale keys, deal registration and field sales support to its Silver and Gold partners. On-site sales training is provided to Gold partners, which also get beta version access and a dedicated support line. To qualify for Gold status, partners need to maintain a minimum of three certified technical specialists and two certified sales reps.

Secunia counts Landesk and SolarWinds among its competitors but cites its Microsoft integration as a differentiator, as well as its vulnerability intelligence and vulnerability scanning technology. Larger enterprises with a mature IT security program in mixed environments typically look for traditional vulnerability assessment with no requirements for patch management support, and would consider offerings from Tenable, Rapid7, Qualys or McAfee. Other firms that provide vulnerability scanning include BeyondTrust, Tripwire and CriticalWatch.

PUBLISHED DEC. 16, 2013