January 10, 2018
Given the breadth of software in any given organisation and the volume of security patches being released by vendors, building an effective patch management programme has become critically important – especially as we’ve seen the consequences of a well understood ransomware attack.
Although we all recognise patch management as a critical IT function, many organisation have found it difficult to build effective processes to patch both Microsoft and ‘non-Microsoft’ third-party applications – meaning there is still significant risk from unpatched software – leaving organisations wide open to security breaches and cyber attacks (the most common method used by hackers).
Why use Patch Management Software?
Software and Operating System companies identify vulnerabilities, create a patch and then broadcast it for deployment with the intention to keep vulnerable systems secure and up-to-date.
Unfortunately though, keeping track of all OS’s, applications and devices across a business means that IT admin spend a considerable amount of time maintaining inventories, identifying new vulnerabilities and patching one update or another.
The result? In reality it doesn’t get done in a timely fashion – if at all.
With an ever-increasing number of security vulnerabilities, hackers have a large window of opportunity to compromise systems, having very serious consequences – particularly when considering GDPR.
Fortunately, technologies exist to help manage and automate software patching and there are a plethora of patch management solutions in the market.
“How do you choose a patch management solution?”
So let’s take a look at the key features to look for and consider in order to choose the best tool to ensure your software is kept up-to-date and your infrastructure is safe against potential threats, exploits and ransomware.
7 essential features of Patch Management software
1. Ease of use
2. Impact on business performance
3. Agent based vs agent-less
4. Integration with WSUS and SCCM
5. Ability to patch 3rd-party apps
6. Comprehensive scanning
7. Detailed reporting
1. Ease of use:
The best solutions are interactive, intuitive and support users at every step.If a tool is not easy enough for a relative novice to use out of the box, it’s probably going to be too complicated for the organisation to use on a regular basis.
2. Impact on business performance:
An effective patch management solution should be non-intrusive and perform in the background without a noticeable impact on production or end-user systems. It is preferable to restrict permissions to end users and run patching processes unattended. Sophisticated solutions are even able to automatically postpone the installation of patches when it detects that a user is on a slow network link.
3. Agent based vs Agent-less:
Some tools use agent software installed on the individual endpoint to manage the updates, periodically updating status back to the patch management tool. This method typically uses less bandwidth and is useful for enterprises using many mobile endpoint devices. The downside, is that it requires agents to be deployed on all monitored machines to be effective. If the endpoint is compromised by disabling or deleting the agent, this would render the device unpatched and therefore vulnerable.
With agent-less technology, every endpoint device is tracked, and the applications are managed directly from the central server allowing patches to be rolled out directly to these devices. Agent-less patch management doesn’t suffer from the maintenance problems of agent-based systems, but additional rigour is required to control individual devices.
Both methods have their pros and cons. Some solutions allow for both agent-less and agent based systems or even mixing both in the same environment. Be sure to explore all the options to determine what is best suited to your environment and business need.
4. Integration with WSUS and SCCM :
Be sure to choose a product that integrates all your current IT infrastructure platforms. If you already use a comprehensive systems management tool – either SCCM (Microsoft System Centre Configuration Manager) or WSUS (Windows Server Update Services), the patch management software should be able to readily and seamlessly integrate without causing any conflict or affect the overall performance of your current systems.
5. Ability to patch ‘non-Microsoft’ third-party applications :
Hackers have become highly sophisticated in their attacks, so it’s absolutely necessary not only to identify security vulnerabilities across the major operating systems (Windows, Linux and Mac) but ALSO enable full coverage of the most common non-Microsoft desktop applications (e.g. Adobe, Apple QuickTime) as the majority of security vulnerabilities come from non-Microsoft applications.
Patch management solutions should also be able to track the frequency with which all key vendors issue patches.
6. Comprehensive scanning:
One of the most important functions of a patch management application is its ability to comprehensively scan the network and identify missing patches. The more complex your network architecture, the harder it can be to achieve this goal.
The solution you choose should have a method of validating and prioritising patches together with a level of intelligence to assess the software installed and determine the correct version of the patch or whether a patch was replaced or updated.
7. Detailed reporting:
You can’t manage what you don’t measure. A good benchmark is to check how the dashboard is set up in any one solution. It should display the real-time vulnerability status of your environment and have the ability to adapt reporting according to the needs of the different audiences, for example management will need to see the bigger picture while administrators need a more detailed view of each patch status, deployment progress and any issues that need addressing.
Finally… Try before you buy!
These are critical considerations when selecting a patch management software solution but there is no better way than a hands-on trial or demo to verify that your specific requirements are met and that the tool delivers in your current IT environment. During any trial period, be sure to have a defined test plan in place so that you can verify critical operations, compatibility and functionality.
Flexera’s Software Vulnerability Manager – An intelligent solution
It’s no surprise that Flexera’s Software Vulnerability Manager (SVM) – previously called Secunia Corporate Software Inspector – is frequently sighted as a ‘best-in-class’ solution for small and large enterprises, to close security gaps from software security vulnerabilities.
Flexera SVM is the only solution with software vulnerability assessment and patching capabilities in a single platform. With multiple options, seamless integration with WSUS and SCCM and verified vulnerability intelligence from Secunia Research across 20,000+ applications – more than anyone else – enabling you to assess, prioritise and fix software vulnerabilities across Microsoft and all your third-party applications and systems – putting you back in control of the most common security vulnerabilities used by hackers.
Further reading
- WSUS and SCCM third-party patch management
- Why is security patch management so important?
- On-demand webinar: How to develop security vulnerability management programmes
- What is a Vulnerability Scan and does my company need one?
- Pros and cons of outsourcing your Cyber Security – In-house, MSSP, or Virtual SOC?
About Comtact Ltd.
Powered by a dedicated team of software vulnerability specialists, Comtact help give you tools, support and services to intelligently manage your critical software updates. With expert deployment, 24x7x365 support and fully managed ‘Patch Management-as-a-Service’ options, Comtact works with many of the UK’s leading organisation to to simplify your software vulnerability management.