Guide to Patch and Vulnerability Management

Patch management: It's not just for Windows

These four tips will help you select the right product for you

by Ellen Messmer 

When researching patch and vulnerability management products, use the following four tips as your guide. 

1) Validate that your primary patch management vendor supports not only the major operating systems and significant applications you need to patch, but also the applications that are favorites of hackers. It is particularly crucial to be able to patch applications that can be launched automatically from the browser, such as Adobe Flash Player, Apple QuickTime and even WinZip. A patch management product that can also patch your enterprise antivirus software, e-mail application and SQL database is advisable. Even if you use only Microsoft operating systems and servers, a Microsoft-only patch management system may not be enough. 

2) Use the above criteria to determine which fits your needs better: a point product for patching, or patch management as part of a larger systems management umbrella. There are a number of standalone products for patch management, many of them listed in this Buyer's Guide. Some products combine patch management with more general configuration management and change control; others fold it into a general systems management scheme. Also consider that many existing systems management products either do patch management themselves or support specific point products. Your choice will mostly depend on whether your systems management product supports all the operating systems and critical applications you need to patch. If it doesn't, and you intend to deploy configuration management tools, then choose the patch management tool that best integrates with your configuration management tool. If you have a specific list of products to patch, and a point product vendor patches them all, then a point product would likely be your best bet even if you also use a configuration management product. 

3) Agent-based or agentless? The old battle between agent-based and agentless tools still rules the patch management market. Agents remain the preferred method of many software vendors. The benefit of an agent is that it ensures that individual devices are properly patched. Plus, it allows vendors to offer many of the extra features that enterprises like so much, such as asset management or policy enforcement options. Agents are preferred for intermittently connected machines (such as laptops) and for devices connected over slow links that cannot afford the overhead of agentless communications. The downside of agent-based patch management is that it requires agents to be deployed on all monitored machines to be effective. In selecting this approach, network administrators have to ensure efficient deployment of the agent software, and these agents then need to be maintained and, potentially, patched themselves. (See also: Fighting back against software-agent overload) Agentless patch management doesn't suffer from the maintenance problems of agent-based systems, but its makers have had to be more creative in how they solve the problem of patching and controlling individual devices. 

4) It's not just about Windows. Although Microsoft's "Patch Tuesday" announcement on the first Tuesday of each month always makes headlines, there's a growing range of network infrastructure pieces that need ongoing patches and maintenance, such as products for VoIP and virtualization. Your patch management products, as well as your policies, need to take into consideration the frequency with which all of your key vendors in these areas issue patches. How quickly will patches be applied once they are available for these other products?
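The two checks the tips above ask for, coverage of the full software inventory (tip 1) and time from vendor release to deployment (tip 4), can be made concrete. The following Python is an added example, not part of the original article: the inventory, the candidate products' claimed coverage and the patch records are all constructed, and the product and vendor names are hypothetical.

```python
from datetime import date

# Constructed inventory: the classes of software the article says a patch
# product must cover, keyed by a hypothetical product name.
INVENTORY = {
    "Windows": "os",
    "Adobe Flash Player": "browser-launched",
    "Apple QuickTime": "browser-launched",
    "WinZip": "browser-launched",
    "Enterprise antivirus": "antivirus",
    "E-mail server": "e-mail",
    "SQL database": "database",
    "VoIP PBX": "voip",
    "Hypervisor": "virtualization",
}

# Constructed: what two hypothetical candidate products claim to patch.
CANDIDATE_MS_ONLY = {"Windows", "E-mail server", "SQL database"}
CANDIDATE_BROAD = {"Windows", "Adobe Flash Player", "Apple QuickTime", "WinZip",
                   "Enterprise antivirus", "E-mail server", "SQL database"}

def coverage_gaps(inventory, supported):
    """Map each software class to the inventory items the candidate cannot patch."""
    gaps = {}
    for product, cls in inventory.items():
        if product not in supported:
            gaps.setdefault(cls, []).append(product)
    return gaps

# Constructed patch records: (product, vendor release date, deployment date or
# None if the patch has not yet been rolled out). TODAY is the report date.
TODAY = date(2008, 6, 1)
PATCH_LOG = [
    ("Windows", date(2008, 3, 11), date(2008, 3, 18)),
    ("Adobe Flash Player", date(2008, 4, 8), date(2008, 5, 20)),
    ("VoIP PBX", date(2008, 2, 1), None),
]

def days_to_patch(log, today):
    """Days from vendor release to deployment; open items count up to today."""
    return {product: ((deployed or today) - released).days
            for product, released, deployed in log}

def sla_violations(log, today, max_days):
    """Products whose release-to-deploy time exceeds the policy limit."""
    return sorted(p for p, days in days_to_patch(log, today).items() if days > max_days)

if __name__ == "__main__":
    print("Gaps (Microsoft-only product):", coverage_gaps(INVENTORY, CANDIDATE_MS_ONLY))
    print("Gaps (broad product):", coverage_gaps(INVENTORY, CANDIDATE_BROAD))
    print("Over 30-day limit:", sla_violations(PATCH_LOG, TODAY, 30))
```

Running it shows the Microsoft-only candidate leaving every browser-launched application uncovered, and the VoIP system sitting unpatched for months because no product in the inventory patches it.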
