With so many external attacks targeting client computers these days, a virtual Pandora’s Box has been opened, calling for entirely new approaches to securing systems end to end. Yet, securing end-points on the company network is clearly one of the most challenging issues facing IT professionals today. And the stakes have never been higher, with ever-increasing threats targeting company data and systems. According to industry analysts, there has been a steady rise in all forms of malicious software – viruses, worms, spyware, phishing schemes – you name it. A recent estimate, for example, indicates that an unpatched Windows system connected to the Internet would last barely 20 minutes before falling prey to some form of malware. And according to Gartner Inc., approximately 90% of all security threats target vulnerabilities for which an existing patch already exists.
Although the last few years have seen the trend of large enterprises incorporating sophisticated patch management systems into their security framework, smaller organizations have tended to handle things the conventional way – either by manually updating individual machines, pushing out patches and updates via login scripts, relying on the typical client upgrade cycle, or doing nothing and hoping the worst will never come. Clearly this is no longer a viable option, owing to a number of converging factors: the increasing reliance on remote connectivity and web-based applications, the severity and frequency of known exploits, more stringent privacy and confidentiality requirements (such as HIPAA and Sarbanes-Oxley) and the sheer logistics of monitoring and rolling out numerous patches to servers and clients.
Keeping up with the steady stream of security patches, hot fixes, browser updates and application updates in today’s hostile environment is a tremendous challenge for IT departments. So many patches and so little time it seems. Most security professionals recommend a more centralized and coherent approach; one that integrates all of the various security assets – vendors, partners, products, services – into a manageable process that effectively anticipates the current risk landscape. This requires thinking smarter about security and threat response as it pertains to all aspects of system planning and administration – from configuration and change management, to standardization and compliance, to policy enforcement and end-user awareness. Ultimately, it requires being able to distribute urgent security fixes to affected network hosts faster and smarter than ever before.
For smaller firms, this is definitely asking a lot, as the challenge in effectively securing client devices where users routinely interact with an increasingly hostile web is enormous. For one thing, IT departments in small to mid-size firms are typically stretched thin already. Adding to this is the fact that most network administrators and support staff are more likely to be systems generalists than dedicated security professionals. For these and other reasons, smaller IT departments have tended in the past to take a more ad hoc or piecemeal approach to end-point security. Yet, as they say, “the times, they are a-changing.” Clearly the current threat environment, as it impacts smaller to medium size operations, is driving the impetus for a more sophisticated patch management framework that enables those in the IT trenches to more effectively leverage available assets and resources.
Before considering some of the patch management solutions available, it is important that your information system adheres to some overall best practices in terms of planning and architecture. This will make the deployment of any form of automated client updating system even more successful.
First, implement some form of asset management so that you know precisely what you have out there. Although centralized and automated patch management offers the capability to gain control of your client environment, you cannot control what you don’t know you have. Carefully documenting and monitoring all system assets, including hardware, installed applications, system configurations, network schema, connection information and relevant change issues, will make securing clients on your network a whole lot easier.
Next, actively implement and maintain consistency from end to end. This should be a key planning consideration when approaching the usual upgrade cycle for client assets. Where possible, standardize on a uniform make and model of equipment throughout device lifecycles, including desktops, laptops, wireless devices, etc. This will make driver and configuration updates a lot easier to manage. Uniform desktops, for example, will also allow you to use baseline hard drive images when rolling out new clients. Also ensure that clients are consistent in terms of operating system and application versions. Again, if all of your desktops are running Windows XP SP1, then managing the patching process with an automated updating system will be many times more efficient and effective. A basic rule is that the more homogeneous your client environment, the more effective your patch management solution will be, regardless of which vendor you choose.
Another helpful prerequisite is a well-defined security policy that advances client security and resiliency amidst an ever-changing risk landscape. Such a policy should be revisited as often as necessary and enforceable, either through group policy or third-party configuration tools. Ideally, your security policy will also mitigate risk, as well as greatly enhance your team’s ability to respond effectively once an attack is circulated. Common access rights, restrictions regarding application installation and configuration, routine monitoring and alerting – all of these will advance the effectiveness of your patch management system from day one. For example – preventing users from installing unapproved applications, such as peer-to-peer or instant messaging programs, will limit the introduction of malicious software into your corporate environment.
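The three prerequisites above (know what you have, keep the fleet uniform, enforce policy) can be checked with a short script before any product is bought. The following Python program is an added example, not part of the original article and not any vendor's code: it reconciles a constructed asset register against a constructed network scan, reporting hosts nobody registered, registered hosts that did not answer, and hosts whose observed OS or service pack has drifted, and then counts how many OS/service-pack baselines the fleet actually contains. All hostnames, models and versions are made up.

```python
"""Added example (not from the article): reconcile a scan of live hosts against
the asset register and measure how homogeneous the client fleet is.
Every host, model and version below is constructed sample data."""
from collections import Counter

# Constructed asset register: what IT believes is deployed, keyed by hostname.
ASSET_REGISTER = {
    "ws-acct-01":  {"model": "Desktop model A", "os": "Windows XP", "sp": "SP1"},
    "ws-acct-02":  {"model": "Desktop model A", "os": "Windows XP", "sp": "SP1"},
    "ws-sales-01": {"model": "Desktop model A", "os": "Windows XP", "sp": "SP1"},
    "lt-exec-01":  {"model": "Laptop model B",  "os": "Windows XP", "sp": "SP1"},
}

# Constructed results of a network scan: what actually answered on the wire.
SCAN_RESULTS = [
    {"host": "ws-acct-01",  "os": "Windows XP",   "sp": "SP1"},
    {"host": "ws-acct-02",  "os": "Windows XP",   "sp": "SP1"},
    {"host": "ws-sales-01", "os": "Windows XP",   "sp": "SP2"},  # drifted from the register
    {"host": "ws-temp-99",  "os": "Windows 2000", "sp": "SP4"},  # never registered
]


def reconcile(register, scan):
    """Compare the register with the scan and return three findings:
    hosts seen but never registered, registered hosts that did not answer,
    and hosts whose observed OS/service pack differs from the register."""
    seen = {r["host"]: r for r in scan}
    unregistered = sorted(h for h in seen if h not in register)
    missing = sorted(h for h in register if h not in seen)
    drifted = {}
    for host, rec in register.items():
        if host in seen:
            observed = (seen[host]["os"], seen[host]["sp"])
            expected = (rec["os"], rec["sp"])
            if observed != expected:
                drifted[host] = {"registered": " ".join(expected),
                                 "observed": " ".join(observed)}
    return {"unregistered": unregistered, "missing": missing, "drifted": drifted}


def homogeneity(scan):
    """Return the most common (os, sp) combination, the share of scanned hosts
    running it, and the number of distinct baselines; each extra baseline is
    another set of patches to track and test."""
    if not scan:
        return {"dominant": None, "share": 0.0, "baselines": 0}
    counts = Counter((r["os"], r["sp"]) for r in scan)
    (dominant, n), = counts.most_common(1)
    return {"dominant": dominant, "share": n / len(scan), "baselines": len(counts)}


if __name__ == "__main__":
    findings = reconcile(ASSET_REGISTER, SCAN_RESULTS)
    for kind, items in findings.items():
        print(f"{kind}: {items}")
    print(homogeneity(SCAN_RESULTS))
```

In practice the register would come from your asset database and the scan from whatever discovery tool you run; the reconciliation logic stays the same. The unregistered host is the finding that matters most for patching, since no console can update a machine it has never been told about.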
The good news for those looking to introduce some form of patch management software into their environment is that these products have come a long way in the last few years. The majority of the solutions on the market today offer sophisticated and effective ways to gain control over the client update process and enhance security at the outer edges of your network. Here are some key features worth considering:
Directory integration: A patch management system that actively integrates with your account directory and accesses select objects, such as user and device groups or organizational units, will allow you to configure patch distribution based on some form of validation logic. This will greatly simplify the configuration process as it will allow you to leverage your existing network schema. One practical benefit of this might be to set up a patch pilot test group, where updates would be tested in a localized manner prior to system-wide deployment.
Support for non-Microsoft products: This may or may not be an essential feature, depending on your current environment. Although most security patches circulated will update various iterations of Windows, Internet Explorer and Microsoft Office, you may have other platforms that need to be accessible to your patch management system. You may also need to design custom deployment routines based on non-standard variables. In this case, you will need to ensure that this is a supported feature.
Web Server and DB platform support: Most patch management systems will run on top of some form of database such as MSDE or SQL Server. They may also require the availability of a web server, such as IIS. If you have particular requirements in this area, then this may be a qualifying feature.
Centralized management console: As this is where you as the patch administrator will be spending the bulk of your time, it is essential that the management console is logically designed, simple to use, consistent, easy to navigate and offers a full range of viewing and configuration options.
Patch distribution options: Which patches to install? Which client systems to update? When to deploy updates? Can patches that turn out to have unintended consequences be rolled back? Can the system also remove spyware and/or malware? These and more are some of the key determinations you will need to make in managing the update process. Whatever system you employ will by necessity have to support this level of granularity and control.
Real-time monitoring, alerting and reporting options: As the key benefit of any patch management system is the ability to configure, manage and control the client update process in a centralized and automated fashion, it is vital that you be able to see real-time status information, as well as meaningful reports on your environment as a whole.
Scalability and support for low bandwidth connections: If you have multiple physical locations or clients connected via low-speed connections, then you will want to ensure that your patch management system offers support for multiple distribution servers and low bandwidth connections to optimize the update process. Agent-based systems, in which a small software footprint is created on the client itself, will be more appropriate for distributed, low bandwidth conditions. Most patch management systems on the market employ client-side agents to enable and optimize the updating process.
Integration with other security or change management frameworks: If a key criterion is the ability to integrate with an existing security framework, such as an anti-virus update framework or an existing desktop management infrastructure, then you will need to determine whether the patch management solution under consideration meets this criterion. Although there are some exceptions, the majority will utilize their own framework and database.
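To make the feature list above concrete, here is an added Python example (not from the article and not from any of the products it names) of the decision logic a patch console runs behind its interface: an approved-patch baseline per platform, per-client missing-patch and rollback computation, a compliance summary suitable for reporting, and a directory-driven rollout that sends updates to a pilot organizational unit before everyone else. The OUs, hostnames and KB-style identifiers are constructed placeholders, not real Microsoft KB numbers.

```python
"""Added example (not from the article or any vendor): compute what each client
is missing against an approved patch baseline, flag withdrawn patches for
rollback, and stage the rollout so a directory pilot group goes first.
All hosts, OUs and patch identifiers below are constructed placeholders."""

# Constructed baseline: approved patches per (OS, service pack).
REQUIRED = {
    ("Windows XP", "SP1"): {"KB-A1", "KB-A2", "KB-A3"},
    ("Windows XP", "SP2"): {"KB-B1", "KB-B2"},
}

# Constructed: a patch later withdrawn because of side effects; it must not be
# pushed any more and should be rolled back where it is already installed.
WITHDRAWN = {"KB-A3"}

# Constructed directory membership (OU -> hosts); the pilot OU is updated first.
DIRECTORY = {
    "OU=Pilot":      ["ws-acct-01"],
    "OU=Accounting": ["ws-acct-02"],
    "OU=Sales":      ["ws-sales-01"],
}

# Constructed agent reports: what each client says it runs and has installed.
AGENT_REPORTS = {
    "ws-acct-01":  {"platform": ("Windows XP", "SP1"), "installed": {"KB-A1"}},
    "ws-acct-02":  {"platform": ("Windows XP", "SP1"), "installed": {"KB-A1", "KB-A2", "KB-A3"}},
    "ws-sales-01": {"platform": ("Windows XP", "SP2"), "installed": {"KB-B1", "KB-B2"}},
}


def actions_for(report):
    """Patches to install (approved minus withdrawn minus installed) and
    patches to roll back (installed but since withdrawn) for one client."""
    approved = REQUIRED.get(report["platform"], set()) - WITHDRAWN
    return {
        "install": sorted(approved - report["installed"]),
        "rollback": sorted(report["installed"] & WITHDRAWN),
    }


def compliance_report(reports):
    """Summarise each client as compliant, missing patches, or needing rollback."""
    summary = {}
    for host, report in reports.items():
        acts = actions_for(report)
        if acts["rollback"]:
            summary[host] = "rollback"
        elif acts["install"]:
            summary[host] = "missing"
        else:
            summary[host] = "compliant"
    return summary


def plan_waves(directory, reports, pilot_ou="OU=Pilot"):
    """Order the rollout: the pilot OU first, then everything else. Only
    clients with work to do appear in a wave; a client that reports in but is
    unknown to the directory is returned separately for investigation."""
    pilot_hosts = set(directory.get(pilot_ou, []))
    known = {h for hosts in directory.values() for h in hosts}
    waves = [{"name": pilot_ou, "hosts": {}}, {"name": "general", "hosts": {}}]
    unknown = []
    for host, report in reports.items():
        if host not in known:
            unknown.append(host)
            continue
        acts = actions_for(report)
        if acts["install"] or acts["rollback"]:
            waves[0 if host in pilot_hosts else 1]["hosts"][host] = acts
    return {"waves": waves, "unknown": sorted(unknown)}


if __name__ == "__main__":
    print(compliance_report(AGENT_REPORTS))
    for wave in plan_waves(DIRECTORY, AGENT_REPORTS)["waves"]:
        print(wave["name"], wave["hosts"])
```

The point of keeping the baseline, the withdrawn list and the directory as separate inputs is that each maps to one of the features above: the baseline is what you approve in the console, the withdrawn list is your rollback control, the directory lookup is what lets a pilot OU receive a patch a day before the rest of the fleet.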
The number of patch management offerings on the market today is impressive and growing. Here is just a quick snapshot of some of them. Since the majority incorporate most, if not all, of the essential features mentioned above, we have highlighted significant features only.
HFNetChk Pro (Shavlik Technologies) is an impressive package for a number of reasons. As a pioneer in the area of vulnerability scanning and analysis, it was Shavlik who designed MBSA for Microsoft and continues to be an innovator in updating those hard-to-reach places at the edge of your network. In addition to many of the key features mentioned above, HFNetChk Pro offers an accurate and powerful scanning engine, an intuitive web-based interface, support for mobile computers and Linux, customized machine grouping and scheduling options, and employs industry standards such as HTTP and SSL. Whether you have one physical location or several, 15 clients or 500, HFNetChk Pro will definitely help you keep them up-to-date.
LiveState Patch Manager (Symantec) offers an attractive option for those currently invested in Symantec’s client management framework or others seeking a stand-alone patch deployment product. LiveState Patch Manager’s ‘persistent delivery’ and ‘checkpoint restart’ features help ensure that all security updates are successfully delivered and applied, even if a client connection is interrupted during transmission.
ZENworks (Novell) has been around longer than most of the others and provides a complete platform for automating patch management and ensuring system compliance in a Windows, NetWare or Linux environment. ZENworks’ tried, tested and policy-driven model is one many network administrators have relied on for years for distributing resources throughout their network.
Desktop Authority Patch Deployment for Desktops (ScriptLogic) is a modular add-in for those already committed to ScriptLogic’s award-winning desktop management platform. Desktop Authority’s advanced ‘validation logic’ allows the targeted deployment of updates with a level of granularity and control that is almost staggering.
PatchLink Update (PatchLink) employs its patented ‘Patch Fingerprint’ technology to scan existing networks for security holes wherever it finds them – Windows, NetWare, Macintosh, Linux, Solaris, AIX and HP-UX. In addition, PatchLink Update fully integrates with all LDAP directories, making it easy to target delivery destinations by familiar objects and groups.
GFI LANguard Network Security Scanner (GFI) is a full-featured network security portal that incorporates patch management for Windows environments. The advantage of this is that the network administrator is afforded a global view of all security matters on the network, including the update status of connected devices. Those familiar with GFI products will appreciate the quality and value of GFI LANguard Network Security Scanner.
Clearly, patch management is not just for enterprise-size organizations with thousands of network clients. Smaller to mid-size organizations are quickly realizing the benefits of centralizing and automating the process of keeping clients patched and compliant with system standards. The fact that there are currently so many excellent products on the market supports the idea that patch management is now for everyone.
Copyright W.E. Smith @ 2008 AVI Media Ltd. Further duplication without permission is prohibited. All rights reserved.
July 6, 2009 at 10:56 am
Finding a robust patch management solution is becoming more and more difficult as machines are less and less accessible to the management console. I have found success using patch management software from Kaseya. Because of the agent-based framework, I have connectivity to every machine that is connected to the Internet, independent of location. – URL: http://www.kaseya.com/products/patch-management/features.aspx