CyberOne Blog | Cyber Security Trends, Microsoft Security Updates, Advice

A Buyer's Guide to Patch Management Software

Written by Mark Terry | Jan 10, 2018 12:00:00 AM

Given the breadth of software in any given organisation and the volume of security patches released by vendors, building an effective patch management programme has become critically important, especially now that we have seen the consequences of a widely publicised ransomware attack.

Although we all recognise patch management as a critical IT function, many organisations have found it difficult to build effective processes to patch both Microsoft and non-Microsoft third-party applications. This means there is still a significant risk from unpatched software, leaving organisations open to security breaches and cyber attacks; exploiting unpatched software is the most common method hackers use.

Why use Patch Management Software?

Software and operating system companies identify vulnerabilities, create a patch, and broadcast it for deployment to keep vulnerable systems secure and up-to-date.

Unfortunately, though, keeping track of all OSs, applications and devices across a business means that IT admins spend a considerable amount of time maintaining inventories, identifying new vulnerabilities and deploying one update after another.

The result? In reality, it doesn’t get done promptly, if at all.

With an ever-increasing number of security vulnerabilities, hackers have a large window of opportunity to compromise systems, which can have serious consequences, particularly when considering GDPR.

Fortunately, technologies exist to help manage and automate software patching, and many patch management solutions are on the market.

“How do you choose a patch management solution?”

So let’s consider the key features when choosing the best tool to ensure your software is up-to-date and your infrastructure is safe against potential threats, exploits, and ransomware.

7 Essential Features of Patch Management Software

1. Ease of use:

The best solutions are interactive and intuitive and support users at every step. If a tool is not easy enough for a relative novice to use out of the box, it’s probably too complicated for the organisation to use on a regular basis.

2. Impact on Business Performance:

An effective patch management solution should be nonintrusive and perform in the background without a noticeable impact on production or end-user systems. Restricting end users’ permissions and running unattended patching processes is preferable. Sophisticated solutions can even automatically postpone the installation of patches when they detect that a user is on a slow network link.

3. Agent-Based vs Agent-Less:

Some tools use agent software installed on the individual endpoint to manage the updates, periodically reporting status back to the patch management tool. This method typically uses less bandwidth and is useful for enterprises with many mobile endpoint devices. The downside is that it requires agents to be deployed on all monitored machines to be effective: if an endpoint is compromised, disabling or deleting the agent leaves the device unpatched and vulnerable.

With agent-less technology, every endpoint device is tracked, and the applications are managed directly from the central server, allowing patches to be rolled out directly to these devices. Agent-less patch management doesn’t suffer from the maintenance problems of agent-based systems, but additional rigour is required to control individual devices.

Both methods have pros and cons. Some solutions allow for both agent-less and agent-based systems or even mix both in the same environment. Be sure to explore all the options to determine what is best suited to your environment and business needs.

4. Integration with WSUS & SCCM:

Be sure to choose a product that integrates with all your current IT infrastructure platforms. If you already use a comprehensive systems management tool, either SCCM (Microsoft System Center Configuration Manager) or WSUS (Windows Server Update Services), the patch management software should readily and seamlessly integrate with it without causing any conflict or affecting the overall performance of your current systems.

5. Ability to Patch ‘Non-Microsoft’ Third-Party Applications:

Hackers have become highly sophisticated in their attacks, so it is necessary not only to identify security vulnerabilities across the major operating systems (Windows, Linux and Mac) but ALSO to provide full coverage of the most common non-Microsoft desktop applications (e.g. Adobe, Apple QuickTime), as the majority of security vulnerabilities come from non-Microsoft applications.

Patch management solutions should also be able to track the frequency with which all key vendors issue patches.

6. Comprehensive Scanning:

One of the most important functions of a patch management application is its ability to scan the network and identify missing patches comprehensively. The more complex your network architecture, the harder it can be to achieve this goal.

The solution you choose should have a method of validating and prioritising patches, together with a level of intelligence to assess the software installed and determine the correct version of the patch, or whether a patch has been superseded by a newer one.

7. Detailed Reporting:

You can’t manage what you don’t measure. A good benchmark is checking how the dashboard is set up in any solution. It should display your environment's real-time vulnerability status and be able to adapt reporting according to the needs of different audiences. For example, management will need to see the bigger picture, while administrators need a more detailed view of each patch status, deployment progress and any issues that need addressing.

Finally... Try before you buy!

These are critical considerations when selecting a patch management software solution. Still, there is no better way than a hands-on trial or demo to verify that your specific requirements are met and that the tool delivers in your current IT environment. Have a well-defined test plan for the trial period that covers critical operations, compatibility and functionality.

Flexera’s Software Vulnerability Manager – An Intelligent Solution

It’s no surprise that Flexera’s Software Vulnerability Manager (SVM)—previously called Secunia Corporate Software Inspector—is frequently cited as a ‘best-in-class’ solution for small and large enterprises to close security gaps caused by software security vulnerabilities.

Flexera SVM is the only solution that includes software vulnerability assessment and patching capabilities in a single platform. It offers multiple deployment options, seamless integration with WSUS and SCCM, and verified vulnerability intelligence from Secunia Research across 20,000+ applications, more than anyone else. This enables you to assess, prioritise and fix software vulnerabilities across Microsoft and all your third-party applications and systems, putting you back in control of the most common security vulnerabilities used by hackers.
