Efficient patch management is a task that is vital for ensuring the security and smooth function of corporate software, and best practices suggest that patch management should be automated through the use of specialized patch management solutions. In this article, we take a comprehensive look at the patch management problem and tell you what you need to know to implement an effective patch management software system that will keep your business secure.
If you're in the market for a patch management product, see our list of top patch management solutions.
What is patch management?
A typical corporate network will include servers and user endpoints running a large number of different applications on top of different operating systems. These applications probably include software developed in-house, proprietary commercial software packages, and open-source applications. Most software will have been approved by the IT department, but most corporate networks will also include an element of unauthorized consumer-oriented software installed by end users as well.
The goal of patch management is to ensure that all applications running on the network are patched to ensure that they are secure and stable, and achieving this goal involves:
- software inventory management
- monitoring the availability of security and other patches for all operating systems and applications in the inventory
- detecting any software which is has not been appropriately patched
- deciding which patches need to be applied to which systems
- testing the patches to ensure that compatibility with other software and systems is maintained
- installing the patches in the correct order to ensure that one patch does not undo another
- ensuring that patches are installed in a timely fashion, or within a target timeframe that is commensurate with the organisation’s overall risk management approach
- final testing after installation to ensure that the installation is successful and that the software continues to operate as expected
Windows patch management
Many organizations run a combination of Microsoft Windows server and desktop operating systems, so Windows patch management is a key activity for system administrators. To simplify the procedure, Microsoft issues security patches and other updates on the first Tuesday of every month, and most desktop systems can be configured to patch themselves automatically after downloading the patches via Windows Update.
In a corporate environment, this approach may not to be appropriate because patch management involves testing patches to ensure that they don't break compatibility with other systems.
Third-party Windows patch management software tools exist, but a common approach is to use Microsoft's own Windows Server Update Services (WSUS) patch management tool. This enables administrators to manage the distribution of updates that are released through Microsoft Update to computers on their network by downloading them, testing them, and then approving or declining them. Administrators can also force certain updates to install by a given date, and even approve certain classes of updates such as critical updates automatically.
WSUS can also be used to configure user endpoints by local group policy to ensure that endpoints, or certain groups of endpoints, are patched (and can't be disabled by end users).
Reputable software developers take great care to build software that is stable, bug-free and secure, but good applications may remain in use for many years. During that time, the user environment can change considerably, compatibility demands can change, and vulnerabilities may be discovered due to software flaws or use cases that had not been envisioned by the developer.
For these or other reasons, all software needs to be fixed with software patches from time to time, and once a developer has created and distributed a patch, it is the responsibility of the system administrator who is in charge of patch management to be aware of its existence and any instances of the software that the software patch needs to be applied to.
Developers will also usually provide information about the patch, including information on any vulnerability that it fixes, affected components, dependent applications, and an indication of the severity of the problem that the software patch fixes (as well as mitigations that can be put in place until the software patch is applied.)
Application patch management
Cybercriminals and malicious hackers often use the information provided by software developers about the vulnerabilities that are fixed with specific software patches to create exploits that can be used to compromise systems that have not been patched. Since they can produce exploits in a matter of hours, it is important for businesses to minimize this window of vulnerability by applying patch software as quickly as practical.
This is the primary reason that system administrators should use a patch management solution – if patch management is carried out manually rather than in a systematic and automated fashion then there is a high risk that the application of some software patched may be delayed or missed altogether, and systems therefore left unnecessarily vulnerable.
Patch management solutions and tools
Patch management solutions provide a complete framework to enable systems administrators to keep all software fully patched, and to ensure that no software is left in a vulnerable state.
There are many solutions on the market, and a patch management software comparison reveals that while all offer differing levels of functionality, most offer the three key features of patch management solutions:
- Inventory scanner. The purpose of an inventory scanner is twofold. First, the scanner should be able to scan the entire network for connected servers and user endpoints and detect their operating systems (including versions of Windows, MacOS or OS X, and Linux) and all the software running on them. This should include applications authorized by the IT department, and applications that may have been installed by the end user.
Some patch management solutions also offer the ability to scan virtual machines (including virtual machines that are offline and virtual machine templates) as well as machines running in the cloud.
- Patch status detection. The scanner should be able to evaluate the security patch status of all of these applications, providing administrators with a dashboard showing patched and vulnerable software as well as flagging any systems with unrecognized applications or applications for which the patch status is unknown. Many patch management solutions also generate software patch application reports to demonstrate compliance.
- Security patch deployment. The most important part of a patch management solution is the ability to collect, configure and apply software patches to applications that require them in the appropriate order to avoid conflicts or to undo a previously applied patch. Good patch management solutions will provide administrators with information about the relative importance of different patches so that they can prioritize the testing and application of critical ones. Some also enable administrators to create groups so that they can push software patches to different groups at different times to prevent network congestion.
Many large organizations manage their IT infrastructure through Microsoft System Center, so it makes sense that some patch management solutions integrate with System Center Configuration Manager SCCM patch management (and Windows Server Update Services) for the actual patch deployment.
Patch management software
There are an increasing number of patch management software solutions on the market as organizations recognize the importance of patch management.
Some well known patch management solutions include:
- SolarWinds Patch Manager lets you automatically download, publish, and patch popular and commonly used third-party applications.
- LANDESK Patch Manager evaluates, tests, and applies patches across the enterprise automatically to simplify system administration.
- Shavlik Protect provides everything needed for an effective patch management strategy, including Microsoft Windows, Mac OS, virtual infrastructure, and third-party application patching.
- Kaseya Patch Management Software automatically keeps servers, workstations and remote computers up-to-date with the latest important security patches and software updates.
- Cloud Management Suite Patch Manager keeps desktops, laptops, and remote users up-to-date with the latest Microsoft and third-party software updates from the cloud.
- Lumension Patch and Remediation identifies and patches vulnerabilities across heterogeneous OSes, configurations, and all major third-party applications.
- Flexera Corporate Software Inspector alerts when a software vulnerability with an available patch poses a threat, and provides information about where it will have the most critical impact, what the right remediation strategy is and how to deploy it.
For building your own patch management solution, check out our guide to open source patch management solutions.