Automated Patch Management
by Rick Greenwood - CTO of Shavlik Technologies - Friday, 28 April 2006.
Taking an enterprise-wide approach to security assessment means that companies need to evaluate their internal patch management processes, understand the potential risk to network systems and data, and ultimately adopt a proactive approach to patch management. New tools are available to help companies of all sizes eliminate many of the manual aspects of security patch management. They allow IT professionals to automate the time-consuming parts of the process, while also providing key features designed to help staff understand, test, deploy and validate the right patches in the time required.

The most effective patch management software should provide a straightforward approach to patch scanning and remediation, ensuring accurate, secure processes that can protect every computer within the enterprise. Important features to look for include: automatic or scheduled installation of missing patches, the ability to roll back or uninstall patches, knowledge about the patches including the vulnerability severity and links to third-party information about the issue, and summary reports for executive reporting.

A good patch management software package should also include a shared back-end database to facilitate collaboration and patch management tracking to compare progress against existing enterprise-security initiatives. Such features are important because the first step in the patch process often requires wading through ad-hoc releases, service packs and temporary fixes, to determine what patches are applicable to the enterprise.

After needed patches are identified, a relatively easy set of steps helps ensure that the patch process benefits the enterprise, and doesn’t cause more harm than good:

1. Patch Testing – Once a patch is identified, it must be tested to evaluate the potential impact on a particular computing environment. Installing the patches to a control group and subjecting them to normal use prior to deployment is one option.

2. Scan and Assess – Because computing environments are complex and dynamic, simply knowing that a patch is likely needed somewhere in the enterprise provides little conclusive evidence as to exactly where holes still remain. To identify such holes, systems need to be scanned and assessed, identifying all systems that require patches while recognising the systems that must be left alone.

3. Remediate – Remediation, which involves applying patches to systems in need, is usually the most time-intensive part of the patch management process. However, it is also the most crucial step for protecting the enterprise.

4. Validate and Report – To verify patches have been properly installed, IT managers need to validate and report on key systems and applications. This step provides final assurance that the patch process is complete.
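The four steps above, modelled as an added example (not code from the original article or from Shavlik's products) over a constructed inventory with hypothetical patch ids: assessment honours an exclusion list and patch supersession, remediation is simulated, and validation re-runs the assessment before producing the severity summary for reporting.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    id: str
    severity: str                 # critical / important / moderate / low
    supersedes: frozenset = frozenset()

# Constructed catalog and inventory (hypothetical ids, not real vendor patches)
CATALOG = {p.id: p for p in [
    Patch("P-1001", "critical"),
    Patch("P-1002", "important"),
    Patch("P-1003", "critical", frozenset({"P-1001"})),  # rollup replacing P-1001
    Patch("P-1004", "low"),
]}
INVENTORY = {
    "web01": {"P-1002", "P-1004"},
    "web02": {"P-1003", "P-1002", "P-1004"},
    "db01": {"P-1001"},            # has only the old patch; the rollup is missing
    "legacy01": set(),
}
EXCLUDED = {"legacy01"}            # change-frozen system that must be left alone

def required_patches(catalog):
    """Only the newest patch in each supersession chain is required."""
    superseded = {old for p in catalog.values() for old in p.supersedes}
    return {pid for pid in catalog if pid not in superseded}

def assess(inventory, catalog, excluded):
    """Scan and Assess: per in-scope host, the required patches not yet installed."""
    required = required_patches(catalog)
    return {host: required - installed
            for host, installed in inventory.items() if host not in excluded}

def remediate(inventory, gaps):
    """Simulated deployment: returns a new inventory with each host's gap applied."""
    return {host: installed | gaps.get(host, set())
            for host, installed in inventory.items()}

def validate(inventory, catalog, excluded):
    """Validate: True only when every in-scope host has no remaining gap."""
    return all(not missing for missing in assess(inventory, catalog, excluded).values())

def summary(gaps, catalog):
    """Executive report: count of missing patches by severity across all hosts."""
    return Counter(catalog[pid].severity for missing in gaps.values() for pid in missing)
```

Running `assess` before and `validate` after `remediate` gives the final assurance the article describes, while the excluded host never enters the gap report.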

The bottom line

Return on investment (ROI) is a mantra in business, and for good reason – companies want to know that the technology investments they make today will protect them from losses in the future. Based on extensive research and real-world examples, automated patch management can provide a clear ROI because it results in significant productivity gains for end users and administrators alike. Specifically, such systems help improve productivity in two key areas:

- automating the manual process of patching systems and solutions, and

- reducing the number of successful attacks against identified vulnerabilities.

Each step in the patch management process expends resources, but automating the process significantly reduces the total hours required for managing the process to completion. Patch management systems can dramatically improve performance for IT administrators responsible for patching systems, moving the patch management process from a manual, ad-hoc series of steps to an automated system that installs key structures and processes designed to achieve significant time and cost gains.

Reducing risk

The most important benefit of a patch management system may lie in its ability to reduce risk. Successfully patched computer systems can eliminate known vulnerabilities and therefore reduce the instances and impact of attacks – preventing the ensuing loss of data, privacy and reputation often experienced by companies suffering an attack. Using automated patch management as a proactive security measure not only reduces the total number of successful attacks against systems, but also reduces the propagation of attacks.
