Guide to Patch and Vulnerability Management

Patch management best practices

A systemized approach eases the work of managing patches

by Network World Staff
  • Create an enterprise group responsible for identifying, testing and executing patches. Members should include people from the security team and daily operations. The team should include patches in an overall change-management workflow so that less critical patches will not wait long to be tested and deployed. Such patches will instead be rolled out on a similar schedule as other upgrades, feature changes and the like.
  • Use a phased approach to applying live patches. First apply them to a small test group of users before a universal patch. When working with the small test group, reboot after each patch, rather than after the entire set of patches, to help identify which patch may be troublesome. 
  • Standardize IT configurations wherever possible. Obviously, though, no one has a completely standardized IT infrastructure. So in your test group for live patches be sure to include a sample for each typical configuration that you will routinely ask the patch management product to update.  
  • Include a measurement phase after each patch is implemented. This should measure current levels of susceptibility to attack, but should also document the time needed for patching and the cost for patching. This will help you make informed future business decisions on the patching process.
  • Automate the patch management process as much as possible.

Patch management: It's not just for Windows

These four tips will help you select the right product for you

by Ellen Messmer 

When researching patch and vulnerability management products, use the following four tips as your guide. 

1) Validate that your primary patch management vendor not only supports the major operating systems you need to patch and your significant applications, but also the applications that are favorites of hackers. It is particularly crucial to be able to patch those applications that can be automatically launched from the browser. Some of these include Adobe Flash Player, Apple QuickTime, even WinZip. But in addition, a patch management product that can patch your enterprise antivirus software, e-mail application and SQL database is also advised. Even if you use only Microsoft operating systems and servers, a Microsoft-only patch management system may not be enough. 

2) Use the above criteria to determine which fits your needs better, a point product for patching, or patch management as part of the larger, systems management umbrella. There are a number of standalone products for patch management – many of them listed in this Buyer's Guide. Some products combine patch management with more general configuration management and change control. Others add it into a general systems management scheme. Also consider that many existing systems management products either do patch management or support specific point products. Your choice will mostly depend on whether your systems management product supports all the operating systems and critical applications you need to patch. If it doesn't, and you may want to deploy configuration management tools, then combine the patch management tool that best integrates with your configuration management tool. If you have a specific list of products to patch, and a point product vendor patches them all, then, even if you use a configuration management product, a point product would likely be your best bet. 

3) Agent-based or agentless? The old battle between agent-based or agentless tools still rules the patch management market. Agents remain the preferred method of many software vendors. The benefits of an agent is that it ensures that individual devices are properly patched. Plus, it allows vendors to offer many of the extra features that enterprises like so much, such as asset management or policy enforcement options. It is preferred for intermittently connected machines (such as laptops) and devices connected over slow links that cannot afford the overhead of agentless communications. The downside of agent-based patch-management is that it requires agents to be deployed on all monitored machines to be effective. In selecting this approach, network administrators have to ensure efficient deployment of agent-based software. These agents then need to be maintained and, potentially, patched. (See also: Fighting back against software-agent overload) Agentless patch management doesn't suffer from the maintenance problems of agent-based systems, but their makers have been more creative in how they solve the issue of patching and controlling individual devices. 

4) It's not just about Windows. Although Microsoft's "Patch Tuesday" announcement on the first Tuesday of each month always makes headlines, there's a growing range of network infrastructure pieces that need ongoing patches and maintenance, such as products for VoIP and virtualization. Your patch management products, as well as your policies need to take into consideration the frequency with which all of your key vendors in these areas issue patches. How quickly will patches be applied after patches are available for these other products?

Top trends in the patch management market

Patch management is becoming 'vulnerability management'

by Network World Staff 

Patch management has since grown to include vulnerability management. Patch management is focused on the automation and management of patches. Vulnerability management is slightly broader and is used for products that offer more functions, from asset identification to vulnerability classification, as they apply the software patch. This wider scope, plus the pressures of compliance continues to drive both growth and innovation in the market, IDC says. In fact, IDC predicts that by 2011, three submarkets of security and vulnerability management will each exceed $0.7 billion in vendor revenue. These are policy and compliance, security information and event management, and patching and remediation.  

Maintaining secure clients has become increasingly complicated, as well, Forrester points out. The situation isn't expected to get easier anytime soon. The wider variety of clients, uptake in the options available for client operating systems coupled with today's distributed environment, makes controlling the PC a difficult task. In addition, PC environments remain a hefty cost associated with the corporate network. Tools that automate operating system patch management, software vulnerability assessments and systems management promise to help IT to manage their PC environment with more reliability and less head count. The big management players, namely CA, HP and Symantec, own most of the client-management market, but aren't necessarily the right fit for every company. Smaller, younger vendors like many listed in this Buyer's Guide offer some very compelling solutions, Forrester says.  

Patch and vulnerability management: how it works

by Ellen Messmer and John Fontana

Most patch and vulnerability management tools follow similar workflow patterns. 

1) The organization's security policy is the starting point for patch management procedures. The policies must define which IT assets are critical, how quickly critical patches are to be applied, how quickly other patches are to be applied and so on.

2) Based on the ability to identify network assets, the initial step involves gathering information on vulnerabilities. This will use a scanning process, whether agent-based or agentless.

3) A workflow method is necessary to prioritize and assign patch-management tasks, and to report on how and when this is carried out.

4) The remediation process of applying the software update is sometimes automated but more often it is scheduled so that it won't interfere with the production environment.

5) For scheduled remediation, a testing phase is usually completed to verify that the patch will not disrupt other applications.

6) The tool will have some method of dealing with a failed deployment. This may include suggestions on how to modify configurations to make a deployment successful.

By now the names are familiar. Nachi, Klez, Lovsan, SoBig, BugBear, Swen, Blaster and Yaha, these represent only a sample of worms and viruses that slithered into corporate networks. But they all have one thing in common: Patches were readily available before most damage had been done.

So why do these intruders continue to wreak such havoc?

Because patch management is tough.

It's tough because there are too many patches and not enough time, and because exploits to announced vulnerabilities are materializing faster. It's tough because clients are becoming the attack targets as much as servers, fueling faster propagation and the threat of re-infection from mobile workers reconnecting to the network. 

And it's not just Microsoft vulnerabilities. Although Windows seems to get the bulk of the exploits and end-user animosity, the list of targets includes routers, switches, firewalls; Unix and Linux, too.

Patching chores likely will never go away, experts say, but there are ways to address the task proactively to minimize exposure.

"Patching is the physical process," says James Williams, information delivery manager for RBC Centura Bank in Rocky Mount, N.C. "But you have to manage that process, and to do that you need some structure."

Centura has an 11-person staff as part of a computer security incident response team that maintains what Williams calls a "very systematic and very organized" patch management process. That process utilizes inventory, change-control practices and automated deployment supported by tools from Ecora, IBM/Tivoli and others.

"I might not have enough staff, but I have processes and organization that help me cover that issue," he says.

How to patch

Felicia Nicastro, senior network systems consultant for International Network Services, says the biggest mistake companies make is leaving out diligent monitoring for new patches. This should be in addition to detailed evaluation, testing, deployment and validation that a team or individual manages.

"This typically isn't a task for one person. It has to involve the security group, the operations group and the developers," she says. "So what also makes patching tough is a lack of resources." 

Nicastro says companies need to have several pieces in place before a patch-management process and its accompanying tool or tools can be installed: network inventory, change management, configuration management, asset management, formalized record keeping, an understanding of costs, prioritization guidelines, and maintenance and communications plans.

Inventory, or documenting what machines run what software, is the first step, and it might be your biggest cost because it takes time. Some patch management tools attempt to do autodiscovery, as do some configuration management tools. But human follow up is still necessary because one buggy, overlooked server is all it takes for a worm to take hold. 

Inventory ties into asset, change and configuration management. "If you track configuration then you know what's changed, and that can help with future patching," she says.

The process then naturally moves into monitoring for new vulnerabilities and available patches for everything in inventory. Once a vulnerability is identified and determined to be a threat, teams of IT, data and operations managers must work together to usher a patch through the established rollout process. A course of action and a timetable for execution, including lab testing, should be established.

"Many times companies don't have the money to support a lab or duplicate environment, but at a minimum you should try to duplicate business-critical systems, say a Web server with a database back end," Nicastro says.

After testing, distribution of the patch, implementation, exception handling, tracking and reporting need to be done.

Nicastro says in times when patching becomes a fire-fighting exercise, companies should quarantine the worm or virus on network segments and patch using their documented processes.


Subscribe to the Best of PCWorld Newsletter