
Proactive security patch management reaps rewards

A new model for patch management can prevent attacks, minimize damage, and lower costs.

Walter Elliot

It's the all-too-common scenario: A virus attack or security breach brings down your servers, destroys data, wastes the time of high-salaried workers, and -- in extreme cases -- grinds your business to a halt. Compounding the frustration, many of these business interruptions can be prevented by applying security patches in a complete and timely manner.

But security patches alone aren't the answer. That's because, as the nature and scale of security vulnerabilities increases, so, too, does the volume of security patches you must apply across your IT infrastructure. Vendors issue new security bulletins every week, but the attacks and vulnerabilities only seem to keep pace. For example, just 19 days after Microsoft announced MS04-011, malicious hackers unleashed the Sasser worm, which exploited the very hole that bulletin had patched.

For IT professionals, this steadily increasing volume of cyber attacks and vulnerabilities spells trouble. Experts believe that organizations will spend more than $13 billion this year mitigating and repairing damage arising from viruses and other attacks. Those costs are driving our industry toward a new model for patch management, one that can prevent attacks, minimize damage, and lower costs.

Implementing a policy-based approach
More than ever before, it's essential to take a proactive, holistic, and systematic approach to patch management. How does your IT organization know when a new security patch has been released? (Naturally, it isn't feasible to spend time scouring Web sites and online advisories looking for patches.) For example, the Sasser worm appeared in four variants within days of the first; the MS04-011 patch closed the hole all of them exploited, but only on machines where it had actually been applied. Just as important, how do you know if a previously issued patch has been properly and completely applied to all relevant systems in your global organization? A complete solution should present relevant security information to your IT team to enable them to make patching decisions.

Policy-based tools are, by design, self-managing and self-patching. This approach drives patch-management responsibility to the client end-point, which runs a small agent that constantly checks whether the machine matches the policy, or desired state, you've pre-defined. The result is a "self-policing" process. Any device whose state differs from the desired state (e.g. does not have the most current security patch) automatically receives an update without any intervention from the IT department.

This systemic approach reduces labor overhead for the desktop or server management group, which can view reports on each computer's vulnerability status.

Supporting remote and mobile users
The unique needs of remote and mobile users make patch management particularly difficult. Workers typically connect only intermittently and often through unstable, low-bandwidth connections. If your organization has many remote "SOHO" workers, road warriors, or small offices without on-site IT support, it can be a challenge to ensure that computers have the latest patches.

Patch management tools can factor in these distinct needs and constraints through a variety of mechanisms and techniques. For example, it's a good idea for a patch manager to automatically detect the availability of a network connection and automatically adjust its bandwidth consumption to ensure that the user can still accomplish their "real" work (such as checking e-mail) without significant performance degradation. In the event of a connection failure, you don't want to restart the patching process from the beginning. You want a checkpoint restart that automatically resumes the process from the point of download failure, and then verifies the reassembled file against the published hash before anything is installed.
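The checkpoint-restart behaviour described above, as an added example that is not ManageSoft's code or any vendor's: the patch server is an in-memory byte string, fetch_range() stands in for an HTTP Range request, and FlakyLink drops the connection on chosen requests so the resume path is exercised. The chunk size, the failure points and the sample "patch" bytes are constructed for the example. The security-relevant addition is that the reassembled file is hashed and compared with the catalog value before it is handed to the installer; a resumed download that does not match is discarded.

```python
"""Checkpoint-restart download of a patch, followed by an integrity check.

Constructed example: PATCH_BYTES plays the role of the patch file on the
server and FlakyLink simulates a link that drops mid-transfer.
"""
import hashlib

PATCH_BYTES = bytes(range(256)) * 40                      # constructed 10 KiB "patch"
PATCH_SHA256 = hashlib.sha256(PATCH_BYTES).hexdigest()    # value the catalog would publish
CHUNK = 512   # bytes per Range request; small so foreground traffic is not starved


class ConnectionDropped(Exception):
    pass


class FlakyLink:
    """Serves byte ranges of `origin`; requests whose 1-based number is in
    `fail_on` raise ConnectionDropped before delivering anything."""

    def __init__(self, origin: bytes, fail_on=()):
        self.origin = origin
        self.fail_on = set(fail_on)
        self.requests = 0   # Range requests issued
        self.served = 0     # bytes actually transferred, to show nothing is re-sent

    @property
    def size(self) -> int:
        return len(self.origin)

    def fetch_range(self, start: int, length: int) -> bytes:
        self.requests += 1
        if self.requests in self.fail_on:
            raise ConnectionDropped(f"request {self.requests} dropped at offset {start}")
        chunk = self.origin[start:start + length]
        self.served += len(chunk)
        return chunk


def resume_download(link: FlakyLink, partial: bytearray, total: int) -> bool:
    """Continue from len(partial), the on-disk checkpoint. Returns True when the
    file is complete, False if the link dropped; the checkpoint is kept either way."""
    while len(partial) < total:
        start = len(partial)
        try:
            chunk = link.fetch_range(start, min(CHUNK, total - start))
        except ConnectionDropped:
            return False
        if not chunk:
            raise IOError("server returned an empty range")   # avoid spinning forever
        partial.extend(chunk)
    return True


def download_and_verify(link: FlakyLink, expected_sha256: str, max_attempts: int = 5):
    """Drive resume_download() across reconnects, then verify the whole file.
    Returns (file_bytes, attempts). Raises ValueError on a hash mismatch so a
    corrupted or tampered download is never passed to the installer."""
    partial = bytearray()
    attempts = 0
    while attempts < max_attempts:
        attempts += 1
        if resume_download(link, partial, link.size):
            break
    else:
        raise IOError(f"gave up after {max_attempts} attempts; {len(partial)} bytes checkpointed")
    digest = hashlib.sha256(partial).hexdigest()
    if digest != expected_sha256:
        raise ValueError("integrity check failed; discarding download")
    return bytes(partial), attempts


if __name__ == "__main__":
    link = FlakyLink(PATCH_BYTES, fail_on={3, 8})
    data, tries = download_and_verify(link, PATCH_SHA256)
    print(f"{len(data)} bytes in {tries} attempts, {link.requests} requests, "
          f"{link.served} bytes transferred")
```

With the two simulated drops the file completes on the third attempt and the server transfers exactly one copy of the file, because every reconnect asks for the range starting at the checkpoint rather than at zero. Swap the hash comparison for a signature check against the vendor's signing key where the catalog provides one; the structure is the same.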

Another key consideration: user flexibility. For example, given remote users' varying connections and time availability, you might want to allow a user to defer a non-critical installation for a certain number of days. Conversely, a critical patch might come through a mandatory "forced install." Other options include allowing a user to defer a reboot. All of these increase the quality of the user experience and improve the acceptance of a patch management solution.
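The self-policing check from the policy-based section and the deferral rules just described, as one added example that is not ManageSoft's code: the management server publishes a list of PatchPolicy records (the desired state), the endpoint agent compares them with its local inventory, and each missing patch becomes either a forced install or an offer the user may postpone. The severity names, deferral windows, MAX_DEFERRALS and the sample devices and patch identifiers other than MS04-011 are assumptions made for the example.

```python
"""Desired-state patch check with user-deferral rules, as run by an endpoint agent.

Constructed example: policies, deferral windows and device inventory are
illustrative, not a real product's schema.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Days a user may defer after the patch is released; 0 means never deferrable.
DEFER_WINDOW_DAYS = {"critical": 0, "important": 3, "moderate": 7, "low": 14}
MAX_DEFERRALS = 2   # how many times "remind me later" is honoured per patch


@dataclass(frozen=True)
class PatchPolicy:
    patch_id: str
    severity: str          # key of DEFER_WINDOW_DAYS
    released: date
    applies_to: frozenset  # OS identifiers the patch targets


@dataclass
class DeviceState:
    hostname: str
    os: str
    installed: set                                  # patch ids found by local inventory
    deferrals: dict = field(default_factory=dict)   # patch_id -> times deferred


def decide(policy: PatchPolicy, device: DeviceState, today: date) -> str:
    """Return 'not_applicable', 'compliant', 'deferrable' or 'force'."""
    if device.os not in policy.applies_to:
        return "not_applicable"
    if policy.patch_id in device.installed:
        return "compliant"
    window = DEFER_WINDOW_DAYS[policy.severity]
    deadline = policy.released + timedelta(days=window)
    used = device.deferrals.get(policy.patch_id, 0)
    # Critical patches, expired windows and exhausted deferrals all become forced installs.
    if window == 0 or today > deadline or used >= MAX_DEFERRALS:
        return "force"
    return "deferrable"


def request_deferral(policy: PatchPolicy, device: DeviceState, today: date) -> bool:
    """User asked to postpone; grant it only while the policy still allows it."""
    if decide(policy, device, today) != "deferrable":
        return False
    device.deferrals[policy.patch_id] = device.deferrals.get(policy.patch_id, 0) + 1
    return True


def drift_report(policies, device: DeviceState, today: date):
    """Every patch the device is missing, with the action the agent will take.
    This is the per-device row behind the tactical 'not yet patched' report."""
    rows = []
    for policy in policies:
        action = decide(policy, device, today)
        if action in ("deferrable", "force"):
            rows.append((policy.patch_id, action))
    return rows


# Constructed desired state and inventory. MS04-011 is the real bulletin named in
# the article; the KB-EXAMPLE identifiers are placeholders.
POLICIES = [
    PatchPolicy("MS04-011", "critical", date(2004, 4, 13), frozenset({"win2000", "winxp"})),
    PatchPolicy("KB-EXAMPLE-1", "moderate", date(2004, 5, 1), frozenset({"winxp"})),
    PatchPolicy("KB-EXAMPLE-2", "low", date(2004, 5, 1), frozenset({"win2000"})),
    PatchPolicy("KB-EXAMPLE-3", "moderate", date(2004, 5, 1), frozenset({"winxp"})),
]


def sample_laptop() -> DeviceState:
    return DeviceState("laptop-07", "winxp", installed={"KB-EXAMPLE-1"})


if __name__ == "__main__":
    laptop = sample_laptop()
    for row in drift_report(POLICIES, laptop, date(2004, 5, 3)):
        print(row)
```

Because the decision is recomputed from policy plus local state on every check, a device that has been offline simply catches up when it reconnects: a deferral window that expired while it was away turns into a forced install with no server-side bookkeeping.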

Getting the bigger picture: IT business intelligence
Automated solutions have far less value if they don't supply the necessary reporting and analysis you need to manage patches properly. Borrowing from the tenets of business intelligence -- including multiple dimensions, Web accessibility, graphical displays, and intuitive navigation -- patch management solutions can (and should) furnish complete details on the state of your infrastructure.

Every enterprise should have two forms of reporting. The first is tactical reporting for operational people that enables IT managers to take action on an operational basis. For example, a tactical report might list devices that have not applied a specific security patch.

The second form of reporting is IT business intelligence. These analyses enable executives to monitor trends across the organization and create longer-term plans. IT business intelligence enables an executive to understand the current state of security vulnerability in the infrastructure. It also allows them to understand how to reduce, mitigate, or eliminate those vulnerabilities over time as patches are deployed, and lets them monitor these processes as they unfold. Since these reports must be easy to access from any location and easy to use, Web-based "executive dashboard" reporting has emerged as the most versatile paradigm.

More than patching: Managing the entire configuration
Security vulnerabilities can arise from any application, any operating system version, and any vendor. That's why new patch management solutions must be able to deploy security patches from any vendor to any operating system, automatically.

However, the reality today is that security patches, as critical as they can become, are only one important piece of the puzzle. Virtually every enterprise IT department must manage a multitude of applications residing on every corporate desktop, laptop and server. What's more, different versions of Microsoft Windows -- and increasingly, Linux -- complicate the management challenge.

Enterprise IT needs a solution that can not only implement security patches but also deploy applications, application updates, non-critical patches, service packs, and anti-virus updates, to name a few. All of these contribute to the larger goal of managing the device's entire configuration. This encompasses hardware and software inventory tracking, license management, and more. Inventory tracking, in particular, feeds directly into any license management process, which helps reclaim unused licenses.

Transforming your computing assets into a self-managing, patch-compliant infrastructure can yield enormous dividends. It starts with preventing the loss of data and productivity but quickly escalates into even greater value. By expanding the value proposition to enterprise configuration management, the return on investment and lower cost of asset ownership becomes even more compelling.

Walter Elliot is the CEO at ManageSoft Corporation. Contact him at

This was last published in May 2004
