Patch management has been one of those essential security features – much like backup – that typically doesn’t get the attention it deserves. But that may be changing, following a number of high-profile breaches where investigators found the path of attack to be an unpatched system.
Shockingly, security holes in software from vendors such as Fortinet, Microsoft, and Adobe are being exploited over and over again by hackers. Yet patches have existed for months, or even years in some cases. The organizations hacked hadn’t gotten around to deploying the patches. The FBI even recently bypassed dozens of companies by entering their systems and removing malicious software installed due to a weakness in Microsoft Exchange. Again, the patch had been issued, and was well publicized. But somehow, never installed. Those oversights have raised the profile of patch management as a way to automate security fixes, along with adjacent (and sometimes overlapping) technologies like breach and attack simulation and vulnerability management.
Top Patch Management Tools
We’ll cover key patch management features and buying advice below, but first, here’s our picks for the best patch management software.
Value Proposition: Syxsense Manage lets you see and manage all endpoints inside and outside the network, with coverage for all major operating systems and endpoints, including IoT devices. It lets you easily manage unpatched vulnerabilities and includes a wealth of automation features. It also offers endpoint intelligence with OS, hardware, and software inventory details. The system scans and sets security and patching priorities relative to exposed risk.
- Available as a SaaS or managed service
- Patch supersedence means if a vendor bundles older patches into new releases, the system only installs the newest one
- Patch rollback in case a patch is buggy
- Three-hour turnaround for the testing and delivery of new patches
- Technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution
- Includes IT management functions
- A larger suite, Syxsense Secure, includes vulnerability scanning
- Security risk assessments, reports on most vulnerable devices, and task summaries can be scheduled for automatic receipt or exported to interactive reports
- Provides reporting to meet HIPAA, SOX, and PCI compliance
Value Proposition: With Tanium Patch, IT operations teams can keep systems up to date with automated patching across the enterprise, at speed and scale, as well as monitoring patch status across devices. Through analytical insights about their devices, Tanium helps organizations monitor patch coverage (% of total endpoints), patch visibility (% with outstanding critical patch within coverage), and other metrics. Tanium is well liked by users but aimed primarily at the large enterprise market. It is pricier than many other solutions and is often included as part of a larger Tanium endpoint suite.
- Indicates the percentage of outstanding critical patches, which ones should be deployed first to minimize risk and which endpoints need protection until a patch is available
- Patch hundreds of thousands of systems on a single Tanium instance, without the use of distribution points and caching servers
- There’s no need for secondary relay, database, or distribution servers at different bank branches, retail locations, or geographically dispersed corporate offices
- Customize patch scheduling and workflows
- Create dynamic lists, rules, and exceptions with custom workflows, and schedule patches based on advanced rules
- Patch histories available for individual machines, endpoint reboot status, and links to relevant vendor knowledge base articles
Value Proposition: Automox is a SaaS product, and is backed by investment from leading endpoint security vendor CrowdStrike. Primarily a patch management tool, Automox is gradually expanding its offering as it transforms itself into an endpoint hardening platform that supports Windows, macOS, and Linux from a single console. It enables continuous connectivity for local, cloud-hosted, and remote endpoints with no need for on-premises infrastructure or tunneling back to the corporate network.
- Automated continuous patching of OS and third-party applications
- Automox Worklets are used to create custom tasks using scripts across any managed device
- No need for complex infrastructure or VPN requirements
- Serverless configuration management for all managed devices
- Automatically enforces patching, configuration, deployment, and Automox Worklet tasks
- Uses a lightweight agent
- Sets individual permissions for users and groups
- Good integration with CrowdStrike products
BMC Helix Automation Console
Value Proposition: BMC Helix Automation Console (previously BMC Helix Vulnerability Management) simplifies patching, remediates security vulnerabilities, and ensures compliance using automation and analytics. It is a hybrid solution deployed in the cloud and uses an automation engine located on-premises for remediation. BMC Helix Automation Console also works with change management to form a closed-loop change management solution. It can manage compliance with regulations and policies and automate remediation of out of compliance conditions. The console is built using microservices and containers.
- Integrates with a variety of vulnerability scanners to collect data for IT resources both on-premises and in the cloud
- Works with BMC Discovery for blind spot detection and change automation with BMC ITSM
- After consolidating the vulnerability scanner data collected, it uses analytics to transform that data into actionable information, maps vulnerabilities to assets and patches, helps determine risks and priorities, and automates patch acquisition and deployment to remediate security exposures
- Auto-import of security scanner files
- Risk scoring for vulnerability prioritization
- Can use an on-premises product, TrueSight Automation for Servers, for automating vulnerability management, patching, compliance, configuration changes, software deployments, and service provisioning in the data center and cloud
- Integration with top three leading security scanners (Qualys, Rapid7, and Tenable) plus other BMC products
Value Proposition: Ivanti Patch offers a solid patching solution, although its product portfolio has gotten a little complex following the acquisition of Shavlik, MobileIron, and Lumension. There are three flavors of patching solutions:
- Ivanti Patch for Endpoint Manager (formerly LDMS) can detect vulnerabilities in Windows, Mac OS, Linux, and hundreds of third-party apps, as well as deploy pre-tested patches
- Ivanti Security Controls provides PowerShell and REST APIs to allow for extensive automation of critical workloads
- Ivanti Patch for MEM provides a large catalog of updates and has a rapid time to implementation as well as quick discovery from inventory or from vulnerability assessments
- Vulnerability detection and remediation for Windows, macOS, and Linux
- Scan and report on AIX, CentOS, and HP-UX vulnerabilities
- Test, package multiple applications, and pre-cache the patches across your network for quick deployment without impacting your network or users
- Ensure patches roll out in stages to minimize negative impacts and impress your change control board
- Master updates with automated rollouts, so you can patch at whatever pace you choose
- Choose how patching interacts with devices anywhere through Wake-On-WAN, device booting, do-not-disturb events, and maintenance windows
- Ivanti Neurons for Patch Intelligence: This is a supplemental analytics solution that extends all three of Ivanti’s patch management solutions and helps you achieve faster SLAs for vulnerability remediation efforts via supervised and unsupervised machine learning algorithms
Red Hat Satellite
Value Proposition: Red Hat Satellite is an infrastructure management product specifically designed to keep Red Hat Enterprise Linux environments and other Red Hat infrastructure running efficiently, with security, patching, and compliance. Patching is really only one small part of a broader platform. But for those operating Linux environments, it’s always going to make the shortlist.
Efficiently manage the Red Hat infrastructure life cycle easily, even in air-gapped environments
Create and manage instances on bare metal, virtual machines, and private and public clouds
Manage configuration across thousands of systems
Automate most system maintenance
Deploy patches on physical, virtual, or cloud infrastructures
Value Proposition: Kaseya VSA is more of a remote monitoring and management (RMM) tool and is focused on the MSP market. The suite includes comprehensive IT management, IT automation, and security features. On the security side, it includes automated software patch management and vulnerability management, access control via 2-factor authentication, management of backups, and antivirus/anti-malware from a single interface.
- Resolve IT incidents and automate common IT processes, including software deployment, patch management, antivirus and anti-malware (AV/AM) deployment, and routine maintenance
- Standardize IT processes with policy-based automation
- Set schedules for inventory scanning or patching and define management processes for specific machine groups
- Discover and monitor all assets
- Use the VSA agent endpoint fabric to optimize the delivery of installer packages, eliminating the need for a centralized File Share or LAN Cache
- Deny a specific patch or block a specific update to a subset of machines, overriding the default patch classification
Value Proposition: IBM sold BigFix to HCL in 2019. The functionality still survives, although the patching side is largely buried among a huge list of other applications and features. HCL BigFix, in reality, is an endpoint management platform that enables IT and security teams to automate discovery, management and remediation, whether on-premises, virtual, or cloud – regardless of operating system, location or connectivity.
- Greater than 98% first-pass patch success rates
- Unified, cross-platform, real-time visibility and management of endpoints
- As well as patching, it includes asset discovery, software distribution, OS provisioning, remote control, and power management
- Continuous policy enforcement and reporting
- Software asset inventory for license reconciliation and compliance purposes
And finally, a pair of broader endpoint management tools to round out our list:
Micro Focus ZENworks Patch Management
ZENworks Patch Management automates the collection, analysis, and policy-based delivery of patches to endpoints. It provides pre-tested patches for more than 40 different Windows and non-Windows operating systems. It is part of the comprehensive ZENworks endpoint management suite, and covers systems, applications and devices across physical, virtual and cloud environments.
Quest KACE Systems Management Appliance
The Quest KACE Systems Management Appliance is another worthy contender, but it’s a broader endpoint management tool. It covers a wide range of endpoints, including laptops, servers, IoT devices and printers. It goes well beyond patch management to include service desk capabilities, server monitoring, and inventory and asset management, among other features.
Key Patch Management Features
Here are some of the key features in patch management tools:
- Automation: patching tools need to automate the process of installing multiple patches in a great many systems simultaneously.
- Patch testing and rollback: Patches from vendors should be tested before they are deployed. Left as an in-house function, this is often the bottleneck that prevents timely deployment of patches. Some vendors now offer testing as part of their service. And if a patch goes bad, a rollback feature returns the enterprise to the previous state.
- Cloud functions: patching tools should at least be cloud-enabled if not cloud-based.
- Discovery: Detection of available updates based on inventory. The system should self-assess and offer guidance on what to install in which sequence.
- Prioritization: There are always more updates than organizations feel they can respond to effectively, so prioritization based on more than vendor severity is critical.
- Cross-platform support: Management of all endpoints from one centralized location, including cross platform support. for Windows, MacOS, and the many flavors of Linux.
- Reporting: Most want to understand the compliance of their environment and see overall insights on patching needed to show that SLAs are being achieved.
Selecting Patch Management Tools
Selecting a new or replacement IT management or patch management system can be challenging. Many vendors appear to offer similar features. Here are a few tips to ease the selection process:
- Cloud or on-premises: if the application is installed inside the corporate firewall, additional hardware and software may be involved. On-premises systems may struggle to patch devices outside the firewall.
- Maintenance: Some vendors charge extra for maintenance, others roll it into one SaaS price.
- Bandwidth: It is important to test candidates to determine how much bandwidth a patch consumes. If a lot of systems are being patched, some tools eat up available network capacity.
- Agents: Most patch management tools use agents to establish a connection between the endpoint and the management cloud/server. It is important to understand how the agent functions and to research any performance overhead it may create. Some poll the server every 60 minutes, which can delay the completion of urgent tasks. Others have an always-open connection.
- Check out what operating systems the tool supports, whether Windows, Mac, or Linux, as well as cloud platform and application support.
Patch management is sometimes a feature of broader security tools like endpoint detection and response (EDR) and vulnerability management so investigate what the optimal approach is for you and how it will fit with your existing investments.