Nov 23, 2007 (07:11 PM EST)
Managing Patch Pain
Read the Original Article at InformationWeek
In 2006, the CERT program at Carnegie Mellon's Software Engineering Institute reported upward of 8,000 application vulnerabilities that required software patches--that's 30% more than in 2005. We've had years to get this process down, yet patching continues to cause a great deal of angst. We frequently see organizations that are more than a month behind on patch applications--and open to viruses and security violations. Why take that risk? Too many IT groups lack the tools, processes, and resources to patch effectively.
No fewer than 14 vendors are looking to rectify that situation. Each product has strengths and weaknesses, and we're hoping to get most of them into our Real-World Labs in the near future. See our automated patch management Rolling Review invitees and requirements at Rolling Reviews.
Ideally, patch management will be just one element of a comprehensive configuration management or software distribution system in larger shops. Smaller companies can get by with standalone tools, but many need several point products for different types of apps and devices. But however you manage it, automation is critical, as are documenting changes, testing to ensure that patches won't break other apps, and deployment policies to avoid bogging down networks.
WHAT HAPPENS IN REDMOND ...
While the need to patch applications is as old as computing, the volume of Windows updates coupled with Microsoft's market dominance has focused attention on the issue. Since the introduction of Windows 98, Microsoft has looked to automate patching of Windows servers and desktops. Its current incarnation, Windows Server Update Services, or WSUS, is a locally managed update service that serves as an alternative to having each machine pull updates from Microsoft's public Update site. Using WSUS, IT can automatically distribute patches and updates to clients from a central server.
The current version expands the range of software it can update and is a big improvement over having each machine use the Microsoft Windows Update Web site. You'll save bandwidth, time, and disk space, because individual computers don't have to connect to an external server. In Windows Server 2008, this capability will be native to the operating system; currently, WSUS is a free download from Microsoft's site.
Free's nice, but most organizations have more to their worlds than Windows desktops and servers. And Microsoft's free tools don't provide the flexibility or scalability required for larger organizations.
Automation is critical. Manual patching is an unacceptably labor-intensive process. Develop a detailed list of every step in your patching process, including gathering patch information to determine severity and priority, doing detailed staging to uncover if the patch will affect other systems, and deciding what endpoints will be updated. Ask whether all those steps can be automated in the software you're considering.
Change control, as it relates to patch management, also is important. How often and when do you apply patches? Who can deploy and/or authorize updates? How are patches tested? What problems will trigger a rollback? Knowing how many managed devices you have, and will have in the foreseeable future, also is critical when looking at software. Offerings range from managing 50 to 100 devices up to scaling into the hundreds of thousands. Larger companies considering configuration-related products, such as software distribution or configuration management databases, should ensure that robust patch management capabilities are included. If you have an asset and inventory system, check that the patch management function integrates, or you'll end up having to do discovery.
Given the negative impact willy-nilly patching can have on users and the network, look at how products deal with bandwidth utilization and with devices that aren't connected at the time of the patch. Can they employ multicast distribution, advanced compression, and checkpoint-and-restart capabilities? If a communication link goes down, the end device is an offline laptop, or application of the patch fails for some other reason, what happens? Ideally, the software will have a methodology to attempt the patch again and to escalate notifications and alerts based on repeated failure.
Reporting is important, too. Ensure that the product can support auditing as well as notification. In many public organizations covered under Sarbanes-Oxley, this is a strict requirement, and neglect could result in substantial penalties.
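The process requirements in the preceding paragraphs (severity-based prioritization, staging before production, deferring offline devices, retrying failed installs, escalating after repeated failure, and keeping an audit trail) can be sketched as a small policy engine. The following Python is an added illustration written for this article; it is not code from any vendor named here. The device names, the patch ids (PATCH-A and so on) and the installer stand-in are constructed for the example, and the real agent call it replaces is assumed to return a success flag.

```python
from dataclasses import dataclass, field
from enum import Enum


class Severity(Enum):
    """Lower value = more urgent; drives rollout order."""
    CRITICAL = 0
    IMPORTANT = 1
    MODERATE = 2


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: Severity
    staged: bool   # True once the patch has passed the staging/test environment


@dataclass
class Device:
    name: str
    online: bool
    attempts: dict = field(default_factory=dict)   # patch_id -> attempts so far
    installed: set = field(default_factory=set)    # patch_ids applied


MAX_ATTEMPTS = 3   # escalate to a human after this many failed installs of one patch


def prioritize(patches):
    """Most severe first; patch id breaks ties so runs are reproducible."""
    return sorted(patches, key=lambda p: (p.severity.value, p.patch_id))


def rollout_pass(patches, devices, install, max_attempts=MAX_ATTEMPTS):
    """One scheduled pass. `install(device, patch)` is the (assumed) agent call.

    Returns (audit, escalations): audit rows are (event, device, patch, note);
    escalations lists (device, patch, attempts) that need manual follow-up.
    """
    audit, escalations = [], []
    for patch in prioritize(patches):
        if not patch.staged:   # never push an untested patch to production
            audit.append(("skipped", None, patch.patch_id, "not yet tested in staging"))
            continue
        for dev in devices:
            if patch.patch_id in dev.installed:
                continue
            if not dev.online:   # e.g. a laptop off the network: try again next pass
                audit.append(("deferred", dev.name, patch.patch_id, "device offline"))
                continue
            n = dev.attempts.get(patch.patch_id, 0) + 1
            dev.attempts[patch.patch_id] = n
            if install(dev, patch):
                dev.installed.add(patch.patch_id)
                audit.append(("installed", dev.name, patch.patch_id, f"attempt {n}"))
            elif n >= max_attempts:
                escalations.append((dev.name, patch.patch_id, n))
                audit.append(("escalated", dev.name, patch.patch_id, f"{n} failures"))
            else:
                audit.append(("retry", dev.name, patch.patch_id, f"attempt {n} failed"))
    return audit, escalations


def run_schedule(patches, devices, install, passes):
    """Run several scheduled passes; deferred and failed installs are retried."""
    audit, escalations = [], []
    for _ in range(passes):
        a, e = rollout_pass(patches, devices, install)
        audit.extend(a)
        escalations.extend(e)
    return audit, escalations


def compliance_report(patches, devices):
    """Per-device list of staged patches still missing, for auditing."""
    wanted = {p.patch_id for p in patches if p.staged}
    return {d.name: sorted(wanted - d.installed) for d in devices}


def make_installer(failures):
    """Constructed stand-in for a real agent: failures[name] is how many attempts
    fail before success on that device; None means the install never succeeds."""
    def install(dev, patch):
        budget = failures.get(dev.name, 0)
        if budget is None:
            return False
        return dev.attempts[patch.patch_id] > budget
    return install


# Constructed sample inventory; the patch ids are placeholders, not real bulletins.
SAMPLE_PATCHES = [
    Patch("PATCH-C", Severity.MODERATE, staged=True),
    Patch("PATCH-A", Severity.CRITICAL, staged=True),
    Patch("PATCH-B", Severity.IMPORTANT, staged=False),
]


def sample_devices():
    return [
        Device("ws1", online=True),       # healthy workstation
        Device("laptop1", online=False),  # disconnected laptop: deferred every pass
        Device("srv1", online=True),      # flaky: fails twice, then succeeds
        Device("srv2", online=True),      # broken: always fails, gets escalated
    ]


SAMPLE_INSTALLER = make_installer({"srv1": 2, "srv2": None})


if __name__ == "__main__":
    devs = sample_devices()
    audit, esc = run_schedule(SAMPLE_PATCHES, devs, SAMPLE_INSTALLER, passes=3)
    for row in audit:
        print(row)
    print("escalations:", esc)
    print("still missing:", compliance_report(SAMPLE_PATCHES, devs))
```

Running the sample for three passes shows the critical patch going out first, the untested patch never leaving staging, the offline laptop being deferred on every pass, the flaky server succeeding on its third attempt, and the broken server being escalated once it exhausts its attempts; the compliance report at the end is the kind of record an auditor would ask for.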
SOFTWARE VENDORS TO THE RESCUE?
In general, there are four classes of patch management products, based on what they patch and how they use agents: Windows desktops and servers with optional agents, Windows desktops and servers with required agents, multiplatform systems with required agents, and multiplatform systems with required agents and a virtualization support/data center focus. Here's a preview of some products we hope to test.
Windows desktops and servers with optional agents:
Like NetChk Protect, Ecora Software's Patch Manager gives IT administrators the option to use agents or run without them. With a concentration on discovery, patch assessment, and patch installation on both Windows workstations and servers, Ecora uses bandwidth throttling to limit the network resources dedicated to patching. Critical functions such as patch rollback, wake on LAN, and the ability to designate a test environment for patching before production deployment are all promised in Ecora, and a variety of reports are included that will aid in auditing and compliance.
Agents are typically used in environments where IT may not have dedicated access to managed devices, such as laptops that connect sporadically to the corporate network. Agents may also come in handy when you need to distribute network traffic related to patching, and they tend to provide tighter control over devices.
Kaseya's Patch Management software automatically discovers missing patches and updates, and it can automate deployment and installation of patches on a defined schedule. Once initial scans are completed, IT can review results for each machine and decide if, when, and how each missing patch or update will be applied. IT administrators also can track and approve patches for auditing and reporting.
Novell's ZENworks Configuration Management focuses on notifying IT when a new security update exists and ensuring that the update has been staged for distribution. Novell provides a team of security experts to track software vendor support sites and update feeds to organizations.
IBM's Configuration Manager provides Microsoft client and server software patch automation capabilities in distributed environments. Configuration Manager also can scan clients for missing patches, build patch plans, and distribute required patches to clients. Like IBM, CA Unicenter's Patch Management is focused on Windows--in its case, desktop environments. CA monitors for newly available patches and validates available patches.
Multiplatform with required agents:
LANDesk's Patch Manager includes a subscription service that will collect and analyze patches for heterogeneous environments. Like other suites, it scans managed devices to identify application and operating system vulnerabilities; when it discovers an issue, you can download the associated patch and research requirements, dependencies, interactions, and known issues. LANDesk monitors the status of each installation and provides bandwidth throttling, staging, and detailed policy and compliance reporting.
BMC Patch Manager, formerly Marimba, provides testing capabilities that allow administrators to minimize risk by analyzing the impact a patch will have on an endpoint. The BMC Patch Manager Policy Engine facilitates the initial patch installation and continually monitors patches to ensure that they stay installed. Lumension's PatchLink Patch Management suite automates the collection, analysis, and delivery of software patches to a wide range of operating systems. It also focuses on reporting.
Other vendors deploy configuration management databases to manage and control patches. Configuresoft's Enterprise Configuration Manager automatically discovers new systems and tracks configuration changes at scheduled intervals to ensure that the latest patch information is available. It groups machines by function or role and supports patch testing across different configurations. The software continually updates the patch status of all machines and maintains an audit history of patch deployment, extremely useful for compliance reporting. Similarly, Symantec's Altiris Patch Management is focused on a central, extensible repository.
Multiplatform with required agents, virtualization support/data center focus:
BladeLogic is focused more on the data center server environment than the desktop world and supports operating systems, server components such as middleware, utilities, system software, and multitier apps in virtualized environments. BladeLogic Configuration Manager uses a policy-based approach where changes are applied to a policy, then synchronized with target servers. The company says this bidirectional method significantly lowers the costs and errors associated with managing servers. Configuration Manager also features a cross-platform command line interface that supports single sign-on using a range of authentication protocols. All communication is encrypted, and all user actions are logged and can be authorized based on role, which is key for highly secure environments and something that may not be available in midmarket products.
Opsware SAS will automatically discover server hardware, configurations, and software. With broad configuration and provisioning capabilities, SAS can identify and patch a large number of servers as well as create and enforce patch policies. SAS also uses best practices in audit and remediation definitions to enable fast response to security or compliance vulnerabilities that require patches.
Illustration by Michael Sloan