By all accounts, patching software is a disruptive, time-consuming process requiring IT departments to test any new software patch before applying it, scheduling downtime for machines to apply the patch and ensuring it doesn't “break” applications. Patching for security purposes also means managers have to be on constant alert for news of any new holes found in vendor products. This thankless task monopolizes large chunks of IT staff time, in spite of a growing array of products and services that can track machines that need patches and automate patch downloads from vendor sites.
“The number of patches per year from different vendors to their applications can number in the thousands, affecting the whole IT infrastructure. Nowadays it requires significant effort for any organization to ensure that the right patches are accepted, tested, and deployed. There needs to be a new approach to patch management, and this is what the patch management solution vendors are trying to achieve by consolidating patch management with Desktop Management solutions in order to achieve a unified process,” says Antoine Al Ibry, Principal Consultant for Business Service Management at CA.
Mahmoud Mounir, Director of HP Software ME, echoes a similar opinion: “Patch Management is a must-have function in any IT environment to ensure compliance, reduce complexity and effort of maintaining all infrastructure devices with appropriate software, secure patches and operating system images. Patch management software completes the lifecycle management of patches, service packs and hot fixes, including discovery, download and collection, testing, conflict analysis and vulnerability assessment, targeting, deployment and continuous enforcement. By automating patch management, deployment time is decreased from months to days, thereby reducing the risk of security vulnerability.”
Patch and vulnerability-management products and services automate the daunting process of applying software updates to applications and operating systems. Vulnerability-management tools also provide functions such as asset identification and vulnerability classification as they apply the software patch. Some tools in this category conduct specific scans to identify vulnerabilities and share that information with the products that are capable of applying the actual patch to a targeted machine. This class of wares – be it in product form or as a service – will support specific operating systems and applications. The network manager wanting to automate patch management of a large environment consisting of dozens of flavors of operating systems and thousands of applications may need to use multiple patch management products. Tools may require software agents to collect information about vulnerabilities.
Top trends in patch management
Patch management has grown to include vulnerability management. Patch management is focused on the automation and management of patches. Vulnerability management is slightly broader and is used for products that offer more functions, from asset identification to vulnerability classification, as they apply the software patch. This wider scope, plus the pressures of compliance, continues to drive both growth and innovation in the market, IDC says. In fact, IDC predicts that by 2011, three submarkets of security and vulnerability management will each exceed $0.7 billion in vendor revenue. These are policy and compliance, security information and event management, and patching and remediation.
Maintaining secure clients has become increasingly complicated as well, Forrester points out. The situation isn't expected to get easier anytime soon. The wider variety of clients and of client operating systems, coupled with today's distributed environment, makes controlling the PC a difficult task. In addition, PC environments remain a hefty cost associated with the corporate network. Tools that automate operating system patch management, software vulnerability assessments and systems management promise to help IT manage their PC environment with more reliability and less head count. The big management players, namely CA, HP and Symantec, own most of the client-management market, but aren't necessarily the right fit for every company. Smaller, younger vendors like many listed in this Buyer's Guide offer some very compelling solutions, Forrester says.
It's not just for Windows
When researching patch and vulnerability management products, use the following four tips as your guide.
1) Validate that your primary patch management vendor not only supports the major operating systems you need to patch and your significant applications, but also the applications that are favorites of hackers. It is particularly crucial to be able to patch those applications that can be automatically launched from the browser. These include Adobe Flash Player, Apple QuickTime, even WinZip. In addition, a patch management product that can patch your enterprise antivirus software, e-mail application and SQL database is also advised. Even if you use only Microsoft operating systems and servers, a Microsoft-only patch management system may not be enough.
2) Use the above criteria to determine which fits your needs better: a point product for patching, or patch management as part of the larger systems management umbrella. There are a number of standalone products for patch management – many of them listed in this Buyer's Guide. Some products combine patch management with more general configuration management and change control. Others add it into a general systems management scheme. Also consider that many existing systems management products either do patch management or support specific point products. Your choice will mostly depend on whether your systems management product supports all the operating systems and critical applications you need to patch. If it doesn't, and you plan to deploy configuration management tools, choose the patch management tool that integrates best with your configuration management tool. If you have a specific list of products to patch, and a point product vendor patches them all, then, even if you use a configuration management product, a point product would likely be your best bet.
3) Agent-based or agentless? The old battle between agent-based and agentless tools still rules the patch management market. Agents remain the preferred method of many software vendors. The benefit of an agent is that it ensures that individual devices are properly patched. Plus, it allows vendors to offer many of the extra features that enterprises like so much, such as asset management or policy enforcement options. It is preferred for intermittently connected machines (such as laptops) and devices connected over slow links that cannot afford the overhead of agentless communications. The downside of agent-based patch management is that it requires agents to be deployed on all monitored machines to be effective. In selecting this approach, network administrators have to ensure efficient deployment of the agent software. These agents then need to be maintained and, potentially, patched. Agentless patch management doesn't suffer from the maintenance problems of agent-based systems, but its makers have had to be more creative in how they solve the problem of patching and controlling individual devices.
4) It’s not just about Windows. Although Microsoft’s “Patch Tuesday” announcement on the first Tuesday of each month always makes headlines, there’s a growing range of network infrastructure pieces that need ongoing patches and maintenance, such as products for VoIP and virtualization. Your patch management products, as well as your policies, need to take into consideration the frequency with which all of your key vendors in these areas issue patches. How quickly will patches be applied once they are available for these other products?
Standardisation dilemma
How important is it to have all of your systems at the same patch level? Is it even possible? “It is definitely possible to keep the managed systems within a compliance boundary. As an example: after approving a security update, it takes a while until the update is distributed. During this time, the different systems are – obviously – not on the same level. However, it is desirable to keep the systems in a policy compliant state, which includes (but is not limited to) having the updates deployed within a given timeframe after approval,” says Mark Chaaban, Commercial Market Strategy Group Director, Microsoft Middle East.
The timeframe itself is subject to your risk management strategy. If a system falls out of compliance, it shall be isolated in a Quarantine Network – the same is actually true for non-managed systems. Within the quarantine network the system must have the ability to “heal itself” and fulfill the policy again (e.g. install a security update). This technology is called Network Access Protection and should definitely go hand-in-hand with a proper patch management, risk management and compliance strategy, he adds.
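The compliance boundary described above (a deployment window after approval, with out-of-window and non-managed hosts sent to quarantine) can be checked mechanically. The following is an added example, not code from the article or from any vendor named in it; the patch identifiers, hosts, dates and the two-day report-freshness limit are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Approval:
    patch_id: str
    approved_at: datetime
    deadline_days: int            # deployment window set by the risk-management strategy

@dataclass(frozen=True)
class HostReport:
    host: str
    reported_at: Optional[datetime]   # None: no inventory at all (non-managed host)
    installed: frozenset = frozenset()

def evaluate_host(report, approvals, now, max_report_age=timedelta(days=2)):
    """Classify a host as 'compliant', 'pending' (patch missing but still inside
    its window, so policy compliant) or 'quarantine' (window closed, or no fresh
    inventory report; a non-managed host is treated like a non-compliant one)."""
    if report.reported_at is None or now - report.reported_at > max_report_age:
        return "quarantine", ["no current inventory report"]
    status, reasons = "compliant", []
    for a in approvals:
        if a.patch_id in report.installed:
            continue
        due = a.approved_at + timedelta(days=a.deadline_days)
        if now > due:
            status = "quarantine"
            reasons.append(f"{a.patch_id} overdue since {due:%Y-%m-%d}")
        else:
            status = "pending" if status == "compliant" else status
            reasons.append(f"{a.patch_id} due by {due:%Y-%m-%d}")
    return status, reasons

def evaluate_fleet(reports: List[HostReport], approvals: List[Approval], now):
    return {r.host: evaluate_host(r, approvals, now) for r in reports}

# Constructed sample data (assumed, not from the article).
NOW = datetime(2024, 3, 10)
APPROVALS = [
    Approval("PATCH-A", datetime(2024, 3, 1), deadline_days=7),  # window closed 03-08
    Approval("PATCH-B", datetime(2024, 3, 8), deadline_days=7),  # window open until 03-15
]
REPORTS = [
    HostReport("ws01", NOW, frozenset({"PATCH-A", "PATCH-B"})),
    HostReport("ws02", NOW, frozenset({"PATCH-A"})),
    HostReport("srv01", NOW - timedelta(hours=6), frozenset()),
    HostReport("lab-pc", None),
]

if __name__ == "__main__":
    for host, (status, reasons) in evaluate_fleet(REPORTS, APPROVALS, NOW).items():
        print(f"{host:8} {status:11} {'; '.join(reasons)}")
```

Hosts returned as "quarantine" are the ones the policy would move to the quarantine network until they install the missing update and report back.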
As a patch administrator, you sometimes have a thankless job, but a highly necessary job. If done properly and diligently you can have a positive effect on the security of your information assets. Your patch administration duties are part of a larger security framework, and the successful completion of your duties could mean the difference between whether your assets are properly protected from the latest threats, or ripe targets for the next hacker exploit.
When you are considering the risk assessment of the newest vulnerabilities and threats to your information assets, think globally, elicit information from other colleagues, and always keep in mind what controls you have in place and how those controls can be utilized to help reduce your risk.