Is the Answer to Vulnerabilities Patch Management as a Service?

Patch management is all about helping organizations manage the process of patching software and applications. It encompasses functions such as testing patches, prioritizing them, deploying them, verifying that they are installed in all endpoints, and in general looking after every aspect of patching.

But patching can be a time-consuming – and ineffective – task. There are so many patches being issued to address so many vulnerabilities that it is easy to fall behind. There are more than 20,000 new vulnerabilities identified every year – yet the U.S. Cybersecurity and Infrastructure Agency (CISA) is tracking only about 800 total as actively exploited. That doesn’t mean the rest should be ignored, but it does mean that the actively exploited ones should be prioritized.

Even that isn’t easy, as many organizations aren’t aware of everything they own that needs patching, making IT asset management (ITAM) an increasingly important security tool, as well as a feature of many vulnerability management services.

Because of all those challenges, managed security service providers (MSSPs) and patch and vulnerability management vendors have begun to offer services that do all the heavy lifting for organizations. Given the time and difficulty involved, it’s one place that a security services provider could make sense for a lot of organizations.

Also see:

What is Patch Management as a Service?

Patch Management as a Service (PMaaS) is a managed offering from multiple vendors that aims to eliminate the hassle of patch management by taking care of the function automatically using the as-a-Service subscription model.

“Patch Management as a Service is a solution that organizations can use to update their systems and applications, perform maintenance and repairs, and improve performance and usability of their software after it has been implemented,” said Lou Fiorello, Vice President & GM Security Products, ServiceNow.

Patches, after all, are an essential element of keeping IT assets current. But the workload in present-day IT operations is such that it is often a neglected duty. Despite constant news stories about vulnerabilities and Common Vulnerabilities and Exposures (CVEs) being released with such regularity, a surprising number of organizations fail to install urgent patches for months on end. There are some high-risk CVEs that are years old and still unpatched in some enterprises. Well-known critical flaws like Log4j and ProxyShell continue to be exploited even though fixes have been available for a year or more in some cases.

“Many organizations find that the sheer number of patches required for their software and systems can create problems of their own,” said Fiorello. “Manually managing patches for all of these different applications is extremely time-consuming and pulls dedicated professionals away from core business activities.”

Manual patch management is also prone to human error. In some cases, it may lead to exposed vulnerabilities or decreased app performance when patches are overlooked or incorrectly applied. An effective patch management service eliminates these issues. By applying automation to track and install updates, patch management helps organizations account for and oversee all the software patches their systems and devices depend on.

Is PMaaS a Viable Option to Protect Against Vulnerabilities?

There is no doubt that patching has real value. By plugging the holes that exist in applications and operating systems, organizations are protected from attack. The bad guys look for unpatched systems as an opening or a way to escalate attacks and move laterally inside a network. If they find unpatched vulnerabilities, they rub their hands with glee. It may be hard to believe, but there are still Windows Vista and even XP boxes in use out there (although they are unsupported and riddled with security holes) as well as obsolete systems like Adobe Media Player. A good patch management service picks up such instances and either patches them or has them removed.

Furthermore, PMaaS is relatively inexpensive. The monthly fee covers all patching functions. The user gains the latest in patch technology and has no need to upgrade the underlying infrastructure or license new software. And the time savings allows overburdened security staff the ability to focus on other critical tasks.

Also read: Patch Management Best Practices & Steps

Benefits of Patch Management Services

Patch management services, then, offer many benefits. These include:

  • Reduced liability: A significant percentage of cyber breaches can be traced directly to unpatched vulnerabilities. Those companies that fail to fulfill their obligations to protect customer data may be held legally responsible. Proper patch management provides an essential line of defense—not only for customer information, but also for the organizations that collect it.
  • Improved customer experience: Few things are as frustrating for customers as faulty, malfunctioning applications. With patch management, customer-facing businesses can ensure that their technology offerings work as they are supposed to—fixing bugs and vulnerabilities as they arise and creating a more positive customer experience.
  • Enhanced prioritization: When there is a backlog of important patches that need to be deployed and limited resources available to deploy them, patch management may be employed to help prioritize updates based on type, severity, vendor, and other factors.
  • Efficient deployment: Automated scheduling can establish the best times for updates to be applied, including times outside of regular work hours. This helps minimize system downtime and prevents reboot scenarios from impacting productivity.
  • Optimal tracking & reporting: Patch management makes it easy to access patch policies, track network status changes, identify missing patches and failed patch attempts, and enjoy full real-time transparency into all updates and scheduled updates with easily generated reports.

Disadvantages of PMaaS

Patch management is not the be all and end all of security. It still must be supported by other technologies such as vulnerability scanning, penetration testing, endpoint detection and response (EDR), firewalls, SIEM and more.

“Patch Management as a Service aims to help identify and remediate software vulnerabilities but should be validated by local security scans to help confirm third-party vulnerabilities are being detected,” said Bob Kelly, Director, Product Management, Flexera.

Another thing to watch for is coverage. Yes, PMaaS is a good thing. But patch management offerings in general tend to focus on applications and OSes. A recent discovery is that they sometimes miss storage and backup systems.

“Patch management tools do a fine job with OSes and enterprise applications, but often miss CVEs related to storage and backup,” said Doron Pinhas, CTO at Continuity Software. “There are currently about 70 CVEs that have been detected in storage environments that could be used to exfiltrate files, initiate denial-of-service attacks, take ownership of files, and block devices. Overall, about 20% of storage devices are exposed on average and can be attacked successfully by ransomware.”

Continuity Software has tried to fill that gap with storage- and backup-specific scanning to catch the items missed by PMaaS and vulnerability scanners.

As well as limited coverage, another disadvantage of some PMaaS platforms is reporting and compliance visibility.

“One of the biggest challenges we see with PMaaS is that many solutions lack visibility into what patches have been deployed on what devices,” said Bob Kelly, Director, Product Management, Flexera. “This creates problems for IT departments as they try to ensure compliance standards are met across their organization. Because of this, it is important to seek a PMaaS solution that has optimal tracking and reporting capabilities built natively into their solution.”

See the Best Third-Party Risk Management (TPRM) Tools

How Much Do Patch Management Services Cost?

PMaaS pricing varies considerably from vendor to vendor, and it varies based on level of service even within vendors. For some, PMaaS may come with some automation, but that’s not the same as turning the whole job over to a managed service provider.

It can also be difficult to do an apples-to-apples comparison. Some only provide patching of apps and OSes. Some conduct detailed inventories of all endpoints, while others throw in vulnerability management features, endpoint management and security, and even mobile device management (MDM). Pay attention, therefore, to what the monthly rate covers.

Pricing seems to work out somewhere between $500 and $1,000 per year for 10 devices, while basic PMaaS subscriptions might even cost half that amount. The higher number applies when there are add-on features or larger suites are involved. The lower number would apply based on high volume, and may go even lower for large deployments. Some of the more advanced solutions go beyond applications and operating systems to address vulnerabilities in things like routers and IoT devices.

Given the high cost of security professionals, patch and vulnerability management services almost certainly deliver a high return on investment (ROI).

Patch Management Features

Patching has come a long way in recent years. And patch management services are evolving constantly. Here are some of the top trends.

Automation

With so many endpoints to manage, automation is vitally needed. The best patch management solutions provide drag-and-drop features, as well as automation of processes and multistage tasks.

“Automation means IT no longer has to formulate scripts, hop from one screen to another, and manually push out patches to various destinations,” said Ashley Leonard, CEO of Syxsense. “Automation can even address a sequence of actions such as patching VM guests and rebooting them, then patching their host before performing a separate reboot.”

Vendor Testing

Patching processes often bog down in testing. Organizations take half an eternity to test patches to ensure they don’t break other systems. A major trend is vendors dealing with testing rapidly and offering rollback features that return systems to a previous state in the event of a problem after patch deployment.

Patch Supersedence

Supersedence addresses the fact that vendors may issue many patches for the same issue, some of which become redundant. Good PMaaS systems notice this and only install the later patches and skip earlier ones if they contain the same or outdated patches.

Vulnerabilities and Breaches Necessitate Automation

Given the volume of cyber threats, automation is ultimately the key to lessening demands on overwhelmed security teams and staying on top of the seemingly endless threats. And the complicated and time-consuming nature of patching – along with the high costs of failing to get it right – make patching and vulnerability management one of the most promising areas of cybersecurity to turn over to someone else.

Read next: A Few Clicks from Data Disaster: The State of Enterprise Security

Drew Robb
Drew Robb
Drew Robb has been a full-time professional writer and editor for more than twenty years. He currently works freelance for a number of IT publications, including ServerWatch and CIO Insight. He is also the editor-in-chief of an international engineering magazine.

Top Products

Related articles