Automated Patch Management

It’s nearly impossible to escape computer-based information in today’s high-tech society. From doctors’ offices to hardware stores, organizations and companies of all sizes record, track and transmit data electronically – making it an integral part of daily business and commerce. But with this increased dependency comes greater risk. Security failures, information exposure and privacy invasion is far greater in today’s electronic-based world. The risk of insecure data not only concerns consumers – who are wary of fraud, identity theft and privacy – but greatly concerns businesses, which can be held liable for information that is unintentionally exposed, despite a firm’s best efforts to protect such data.

Instant access

Unlike paper-based storage, which requires physical access to compromise, today’s electronic files are virtually accessible anywhere in the world. Security vulnerabilities in software applications, electronic files or computer operating systems can be quickly exploited to inflict serious damage: accessing private or secure data; stealing passwords or identities; performing unauthorized financial transactions; examining personal health records; or capturing sensitive network data.

The majority of software vulnerabilities today are found in Microsoft-based products – primarily because they are the most widely used software on the planet. And while Microsoft releases more than just vulnerability fixes on Patch Day – also providing software updates that add new features to existing products – the security patches almost always grab the most attention, because they expose what are dangerous weaknesses in widely used software products.

Patch and go

So what’s all the fuss? Just install the security patches and you’re safe, right? Unfortunately, no. As IT professionals will attest, it can be extremely difficult to test and apply the necessary patches to every vulnerable computer within an enterprise before exploits become public. Compounding the matter, some patches can actually interfere with, or “break” existing software applications, adding to the time it takes to determine which patches can be applied and which need to be tested within a given organization’s network.

Moreover, many still handle patch management manually, physically going to every computer on the network to download and install patches. For enterprises with hundreds or thousands of PCs, including mobile workers and remote offices, manually applying patches has proven to be an impossible task. As a result, network administrators fall behind, and critical patches often aren’t applied as quickly as needed.

No time to lose

Moments after the news of a new patch release, malware-writers start identifying security vulnerabilities and writing code to take advantage of flaws. For example, the patches for the RPC/DCOM flaws were released just 20 days prior to the onslaught of the Blaster worm attack in 2003.

But even a short 20 days can seem long when compared to today’s zero-day exploits. The disclosure of the Windows Metafile (WMF) flaws in December 2005 immediately led to the discovery of over 80 active exploits. By the time Microsoft released a patch ten days later, enterprises were already at high risk of infection and there was no time to spare in getting the necessary patches in place.

What’s a company to do?

By taking an enterprise-wide approach to security assessment, companies need to evaluate internal patch management processes, understanding the potential risk to network systems and data and ultimately adopting a proactive approach to patch management. New tools are available to help companies of all sizes eliminate many of the manual aspects of security patch management, allowing IT professionals to automate time-consuming aspects of patch management, while also accessing key features designed to help workers better understand, test, deploy and validate the right patches, in the amount of time required.

The most effective patch management software should provide a straightforward approach to patch scanning and remediation, ensuring accurate, secure processes that can protect every computer within the enterprise. Important features to look for include: automatic or scheduled installation of missing patches, the ability to rollback or uninstall patches, knowledge about the patches including the vulnerability severity and links to third party information about the issue, and summary reports for executive reporting.

A good patch management software package should also include a shared back-end database to facilitate collaboration and patch management tracking to compare progress against existing enterprise-security initiatives. Such features are important because the first step in the patch process often requires wading through ad-hoc releases, service packs and temporary fixes, to determine what patches are applicable to the enterprise.

After needed patches are identified, a relatively easy set of steps helps ensure that the patch process benefits the enterprise, and doesn’t cause more harm than good:

1. Patch Testing – Once a patch is identified, it must be tested to evaluate the potential impact on a particular computing environment. Installing the patches to a control group and subjecting them to normal use prior to deployment is one option.

2. Scan and Assess – Because computing environments are complex and dynamic, simply knowing that a patch is likely needed somewhere in the enterprise provides little conclusive evidence as to exactly where holes still remain. To identify such holes, systems need to be scanned and assessed, identifying all systems that require patches while accepting systems that need to be left alone.

3. Remediate – Remediation, which involves applying patches to systems in need, is usually the most time-intensive part of the patch management process. However, it is also the most crucial step for protecting the enterprise.

4. Validate and Report – To verify patches have been properly installed, IT managers need to validate and report on key systems and applications. This step provides final assurance that the patch process is complete.

The bottom line

Return on investment (ROI) is a mantra in business, and for good reason – companies want to know that the technology investments they make today will protect them from losses in the future. Based on extensive research and real-world examples, automated patch management can provide a clear ROI because it results in significant productivity gains for end users and administrators alike. Specifically, such systems help improve productivity in two key areas:

– automating the manual process of patching systems and solutions, and
– reducing the number of successful attacks against identified vulnerabilities.

Each step in the patch management process expends resources, but automating the process significantly reduces the total hours required for managing the process to completion. Patch management systems can dramatically improve performance for IT administrators responsible for patching systems, moving the patch management process from a manual, ad-hoc series of steps to an automated system that installs key structures and processes designed to achieve significant time and cost gains.

Reducing risk

The most important benefit of a patch management system may lie in its ability to reduce risk. Successfully patched computer systems can eliminate known vulnerabilities and therefore reduce the instances and impact of attacks – preventing the ensuing loss of data, privacy and reputation often experienced by companies suffering an attack. Using automated patch management as a proactive security measure actually not only reduces the total number of successful attacks against systems, but also reduces the propagation of attacks.

Risk reduction protects against qualitative losses to reputation, legal action and competition. Such benefits can be even more significant to an organization than the baseline time and costs savings achieved through improvements to the overall patch management process. Although lost productivity of end-users is quantifiable, it’s usually not something that can be recovered directly. Giving employees, contractors and business partners the ability to conduct business without disruption can be a significant benefit to companies.

Ensuring network security through automated patch management is no simple task. It requires diligence to stay informed and secure. However, companies that understand risk and proactive security will find that the investments made in an automated patch management process far outweigh the costs.