
September 25, 2018

At the heart of any sound IT security strategy should be an effective Microsoft and third-party patch management process: a housekeeping necessity that closes known vulnerabilities and fixes existing software defects, keeping your systems safe from malware and from exploitation by attackers. Despite this often-repeated truth, many organisations still fall short of keeping their data, network and infrastructure patched and secure around the clock.

Microsoft & third-party patch management – The sum of two parts.

Essentially, we can discuss patch management in two parts:
Microsoft patching and ‘non-Microsoft’ or third-party patch management.

Microsoft and third-party patch management

Most organisations use Microsoft tools to deploy patches to their Windows environments, and we have become accustomed to the routine and regularity of ‘Patch Tuesday’. However, it can be confusing to choose between WSUS (Windows Server Update Services) and SCCM (System Center Configuration Manager).

Both tools cover Microsoft updates fully, but neither ships with update content for non-Microsoft applications. Out of the box, that leaves a very big hole in the third-party application area, and one that is extremely dangerous if left unpatched.

Let’s first take a look at the broad differences between WSUS and SCCM.

The biggest difference is cost: WSUS is a role included with Windows Server at no additional licence cost, whereas SCCM is a separately licensed product.

WSUS: A basic offering

WSUS is a server role included with Windows Server, so there is no separate product to buy. It synchronises directly with Microsoft Update, downloads approved patches and hotfixes once, and distributes them to the computers in your estate. It offers some configuration (target groups and auto-approval rules) but only limited reporting on how a deployment actually went.

Geared towards smaller organisations, WSUS is a perfectly good solution where approving updates by hand is reasonable and there is no need for a highly granular deployment scheduler.
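To make the “manual approval plus limited reporting” point concrete, here is the WSUS workflow described above as an added PowerShell example (this is not code from the original post or from Microsoft; it uses the UpdateServices module that ships with the WSUS role). The server name, port and the ‘Pilot’ target group are assumptions for illustration.

```powershell
# Added example: manual WSUS approval and the basic per-computer report.
# Assumed: WSUS host 'wsus01.corp.example' on port 8530, target group 'Pilot'.
Import-Module UpdateServices

$wsus = Get-WsusServer -Name 'wsus01.corp.example' -PortNumber 8530

# 1. Pull the latest update metadata from Microsoft Update.
$wsus.GetSubscription().StartSynchronization()

# 2. Security updates that computers report as needed but nobody has approved yet.
$pending = Get-WsusUpdate -UpdateServer $wsus -Classification Security `
                          -Approval Unapproved -Status FailedOrNeeded

$pending |
    Select-Object @{ n = 'Title';    e = { $_.Update.Title } },
                  @{ n = 'Severity'; e = { $_.Update.MsrcSeverity } },
                  ComputersNeedingThisUpdate |
    Sort-Object Severity | Format-Table -AutoSize

# 3. The manual step WSUS leaves to you: approve the Critical ones for a pilot group first.
$pending | Where-Object { $_.Update.MsrcSeverity -eq 'Critical' } |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'

# 4. What WSUS reporting gives you: per-computer counts, nothing more granular.
Get-WsusComputer -UpdateServer $wsus -ComputerUpdateStatus FailedOrNeeded |
    ForEach-Object {
        $summary = $_.GetUpdateInstallationSummary()
        [pscustomobject]@{
            Computer      = $_.FullDomainName
            LastSync      = $_.LastSyncTime
            Needed        = $summary.NotInstalledCount
            Failed        = $summary.FailedCount
            PendingReboot = $summary.InstalledPendingRebootCount
        }
    } | Sort-Object Failed, Needed -Descending | Format-Table -AutoSize
```

Run this on the WSUS server (or anywhere the RSAT WSUS tools are installed) as a WSUS administrator. Step 3 is the part that does not scale: every approval, every ring and every exception is a human decision, which is exactly why the paragraph above limits WSUS to smaller estates.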

SCCM: True end-to-end lifecycle patch management

Also a centralised tool, but with an extensive reporting architecture that shows which machines are missing which updates, so you can measure exposure rather than guess at it. SCCM also copes better with a mixed or BYOD estate: it reports on any device that has not taken an OS update, and its remote control capability lets an administrator connect to any managed machine to investigate a failed deployment.

Ultimately, it is a superior suite that provides greater flexibility and control as part of a robust, automated patch management system, which becomes crucial for any business with more than a handful of servers, desktops and other endpoints.

Which is right for your business?

SCCM does come at a price, because it provides an entire suite of integrated solutions and far more flexibility in your patch management regime. It also needs a SQL Server instance sized for the site database (WSUS can run on the bundled Windows Internal Database), which adds to the cost. Base your decision on the size, complexity and current needs of your business.

Whichever you choose, the importance of patching Windows at the operating-system level is generally well understood, and the tooling to do it is mature.

So, that’s Windows patching in a nutshell. What about the fact that, by Flexera’s count, 65% of the vulnerabilities found on a typical Windows PC are in non-Microsoft applications?

65% of the vulnerabilities were from non-Microsoft applications, even though they only represent 33% of the apps in a Windows system.
(Source: Flexera Vulnerability Report 2018)

The most commonly used applications are an attacker’s best target. According to Flexera’s Vulnerability Review – Top Desktop Apps 2018, Adobe Flash Player, Google Chrome, Mozilla Firefox and Oracle Java JRE, to mention a few, are rife with vulnerabilities.

These programs are installed on your operating systems and will keep running indefinitely. However, managing third-party applications independently and by hand creates excess work that often simply doesn’t get done, leaving gaps in your IT environment for attackers to exploit. If they are left unpatched, you have a sizeable security problem on your hands, one that exposes your organisation to considerable risk and disruption.
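Here is what that gap looks like in practice, as an added PowerShell example (not code from the original post or from any vendor named in it): inventory the non-Microsoft software a Windows machine reports in its uninstall registry keys and flag anything below a minimum version. The baseline table is constructed for illustration only; real minimum versions must come from the vendor or a vulnerability intelligence feed, and the DisplayName patterns are assumptions about how those vendors label their installers.

```powershell
# Added example: inventory third-party software from the uninstall keys and
# compare it against a baseline of minimum versions.

function Get-ThirdPartyInventory {
    # Native 64-bit, 32-bit-on-64 (WOW6432Node) and per-user installs.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'

    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion -and
                       $_.Publisher -notmatch '^Microsoft' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Test-Baseline {
    param([object[]]$Inventory, [hashtable]$Baseline)

    foreach ($app in $Inventory) {
        # Baseline keys are regexes matched against DisplayName.
        $rule = $Baseline.Keys | Where-Object { $app.DisplayName -match $_ } |
                Select-Object -First 1
        if (-not $rule) { continue }   # not an application we track

        # Vendors ship versions such as '8.0.1810.13' or '62.0.2', which [version]
        # parses; anything it cannot parse is reported as Unknown rather than skipped,
        # because "we could not tell" is itself a finding.
        $installed = $null
        if ([version]::TryParse($app.DisplayVersion, [ref]$installed)) {
            $status = if ($installed -lt [version]$Baseline[$rule]) { 'OUT OF DATE' } else { 'OK' }
        } else {
            $status = 'Unknown'
        }

        [pscustomobject]@{
            Application = $app.DisplayName
            Installed   = $app.DisplayVersion
            Minimum     = $Baseline[$rule]
            Status      = $status
        }
    }
}

# Constructed baseline for this example (a DisplayName pattern => minimum version).
# These numbers are illustrative, not a security advisory.
$baseline = @{
    '^Google Chrome'      = '69.0.3497.100'
    '^Mozilla Firefox'    = '62.0.2'
    '^Java \d+ Update'    = '8.0.1810.13'
    '^Adobe Flash Player' = '31.0.0.108'
}

Test-Baseline -Inventory (Get-ThirdPartyInventory) -Baseline $baseline |
    Sort-Object Status -Descending | Format-Table -AutoSize
```

Notice what the script cannot do: it tells you a machine is behind, but there is no approve-and-deploy step equivalent to WSUS, and the baseline has to be maintained by hand for every product. Multiply that by a few hundred applications and a few thousand endpoints and you have the “excess work that often doesn’t get done” described above.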

There’s good news – you can take back control.

The majority of these vulnerabilities can be closed with a solution that takes a holistic, integrated approach to patch management.

The answer lies in unified management across all work streams, comprehensive visibility of multiple interfaces, and scalable automation that provides IT professionals with critical control via profiles and policies.

Third-party patch management from Flexera SVM

One such ‘best-in-class’ solution is Flexera’s Software Vulnerability Management (SVM) Platform – previously called CSI (Corporate Software Inspector) from Secunia Research.

Flexera’s SVM maps your entire software inventory and correlates it with Secunia Research’s vulnerability intelligence, which covers 20,000+ programs across Windows, macOS and Linux systems.

It integrates with WSUS and SCCM to track, prioritise and patch vulnerabilities across Microsoft and non-Microsoft applications alike, keeping attackers out and you in control.


About Comtact Ltd.

Powered by a dedicated team of software vulnerability specialists, Comtact gives you the tools, support and services to manage your critical software updates intelligently. With expert deployment, 24/7 support and fully managed ‘Patch Management-as-a-Service’ options, Comtact works with many of the UK’s leading organisations to simplify software vulnerability management.