Automated Patch Management
Copyright 2022, Faulkner Information Services. All Rights Reserved.
Docid: 00018900
Publication Date: 2206
Report Type: TUTORIAL
Preview
The task of keeping up with the latest patches is a constant battle for already overburdened IT administrators. Smaller environments may be able to deploy patches manually, but for organizations of even a modest size, automation is needed to stay on pace. Automation does not imply that administrators can simply install a tool and walk away, however. Careful selection, configuration, and monitoring are required to make effective use of the products now available on the market. This tutorial examines these and other considerations when selecting an automated patch-management system.
Executive Summary
An automated patch management tool is designed to assist with most of the processes associated with tracking, acquiring, and deploying software updates and hot-fixes.
This form of patch management reduces IT labor requirements and helps ensure that all software deployed on a network is updated to the approved version. Some products are single-purpose tools whereas others incorporate patch management functionality into suites that deliver a range of network-management capabilities. In recent years, there has been a clear trend toward comprehensive applications. This trend signals that the technology has reached a new level of market maturity.
Today’s patch management products are not, however, a panacea for all software updating needs. Even the best and most comprehensive products require thoughtful supervision and some manual effort to ensure that the patch management process works effectively and adheres to internal policies.
Description
The patch management process consists of three main steps and two complementary ones, as detailed in Table 1.
| Main Steps | Complementary Steps |
|---|---|
These processes are often aided by automated tools that streamline testing and implementation, but some manual steps are almost always needed. The key processes of patch management are described in Table 2.
| Process | Description |
|---|---|
| Backup | Although backing up critical systems is not necessarily associated with distributing patches, it is a wise precaution for all organizations and is considered a best practice. Certainly, system backups require a substantial amount of time and computing resources and may not be appropriate for all routine automatic patch distribution, especially for patches that have been thoroughly tested and carry very little chance of corrupting the network. Organizations must therefore balance the time and resource requirements with the risk before installing patches. If the system is corrupted from a bad patch, restoring it from a recent backup can save considerable resources compared to rebuilding it from scratch. |
| Monitoring | Tracking the software installed across a network is difficult and time-consuming, particularly when end-users install software without permission. Patch management software can scan a network to determine which applications and versions are implemented at each endpoint. This provides a means of identifying systems that do not have company-approved versions of software. After a patch installation is completed, reporting functions can identify whether the patch successfully addressed the problem that it was installed to fix. The |
| Testing | Applying new patches can be dangerous. Some patches are hastily developed and create problems once implemented. Patches should always be tested because it is impossible to predict in advance how a particular piece of software will interact with a given environment. For instance, a patch for the Windows operating system may have been tested by Microsoft but could still cause problems when deployed with a third-party accounting application. Many Software Implementing As with |
| Automatic Rollout | Patch management servers typically communicate with client systems in one of two ways: through agents installed on the clients or through remote procedure calls (RPCs), which do not require software to be installed on hosts. Although using RPCs reduces the up-front labor needed to install agents on client systems, this approach may not be effective in managing remote hosts that reside on the other side of a firewall. The RPC method may also provide less information about the potential security vulnerabilities of clients. Another advantage of using agents is that they are more likely to enable the management of hosts using non-Windows operating systems. After an Some |
| Validating Patches | Validating that the patches are installed and functioning properly is a natural follow-up to the testing and deployment. Otherwise, the organization increases its risk of problems and potential security intrusions and vulnerabilities that can damage mission-critical systems. It is Additional |
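The Monitoring and Validating Patches rows of Table 2 describe comparing what a scan finds on each endpoint against the approved version and then confirming, after rollout, that the patch actually landed. The following Python is an added illustration of both steps (example code written for this edition, not code from the Faulkner report or from any vendor's product); the application names, version strings and endpoint ids are all constructed.

```python
from dataclasses import dataclass
from typing import Optional
import re

# Constructed baseline: the company-approved version of each managed application.
APPROVED = {"accounting-app": "4.2.1", "pdf-viewer": "11.0.3", "browser": "102.0"}
# Constructed scan results before patching: endpoint -> {application: installed version}.
BEFORE_SCAN = {
    "ws-0101": {"accounting-app": "4.2.1", "pdf-viewer": "11.0.3", "browser": "101.5"},
    "ws-0102": {"accounting-app": "4.1.9", "pdf-viewer": "11.0.3", "browser": "102.0"},
    "ws-0103": {"accounting-app": "4.3.0-beta", "browser": "102.0"},  # unapproved build; viewer absent
}
# Constructed rescan after the accounting-app rollout: ws-0102 took the patch, nothing else changed.
AFTER_SCAN = {
    "ws-0101": {"accounting-app": "4.2.1", "pdf-viewer": "11.0.3", "browser": "101.5"},
    "ws-0102": {"accounting-app": "4.2.1", "pdf-viewer": "11.0.3", "browser": "102.0"},
    "ws-0103": {"accounting-app": "4.3.0-beta", "browser": "102.0"},
}

def parse_version(v: str):
    """Turn '4.2.1' or '4.3.0-beta' into a sortable key; a pre-release suffix sorts below the release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so "102.0" and "102.0.0" compare equal
    return nums, ((0, m.group(2)) if m.group(2) else (1, ""))

@dataclass
class Finding:
    endpoint: str
    app: str
    installed: Optional[str]
    approved: str
    status: str  # "behind", "ahead" (unapproved newer build) or "missing"

def check_compliance(scan, approved=APPROVED):
    """Return one Finding per deviation from the approved baseline, in endpoint order."""
    findings = []
    for host, apps in sorted(scan.items()):
        for app, want in approved.items():
            have = apps.get(app)
            if have is None:
                findings.append(Finding(host, app, None, want, "missing"))
            elif parse_version(have) != parse_version(want):
                status = "behind" if parse_version(have) < parse_version(want) else "ahead"
                findings.append(Finding(host, app, have, want, status))
    return findings

def validate_deployment(before, after, app, approved=APPROVED):
    """Post-rollout check for one application: returns (fixed, unresolved) endpoint lists."""
    behind = {f.endpoint for f in check_compliance(before, approved) if f.app == app and f.status == "behind"}
    still_off = {f.endpoint for f in check_compliance(after, approved) if f.app == app}
    return sorted(behind - still_off), sorted(behind & still_off)

if __name__ == "__main__":
    for f in check_compliance(BEFORE_SCAN):
        print(f"{f.endpoint}: {f.app} {f.status} (installed={f.installed}, approved={f.approved})")
    print("accounting-app rollout:", validate_deployment(BEFORE_SCAN, AFTER_SCAN, "accounting-app"))
```

The "ahead" status matters as much as "behind": an endpoint running an unapproved newer build is outside the tested baseline even though it is not missing a patch.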
Current View
Demand for Patch Management
Because software is inherently imperfect, nearly all commercial applications require occasional or ongoing updates to fix bugs and to implement new features. Many software packages offer free, automatic update services delivered over the Internet. For instance, Windows operating systems include a built-in update utility that automatically links to a Microsoft-owned server. Similarly, many types of anti-virus software can automatically search for updates and install them.
The opportunity to reduce the expense of managing patches has created a market for commercial patch management products. Although employed for many types of issues, patch management is primarily used for security updates. This includes updates to operating systems and other general purpose software to remedy newly found security vulnerabilities; it also includes updates to security applications to address new threats, such as updates to anti-virus software to ensure that it can identify a new piece of malware. With the growing threat of security breaches and corresponding hefty losses and legal liability that organizations face, patch management has become a critical component in organizations’ attempts to perform due diligence in protecting their systems and data.
Best Practices
IT administrators could apply all patches manually. This process would involve visiting each client computer and installing the appropriate updates. While practical for very small, single-office networks, this approach is impractical for larger, more dispersed environments or for businesses employing work-from-home protocols. Manual patching is not only less cost-effective than automated patching, but it also results in more errors and oversights.
Many IT administrators do not install every new patch that is released for the software platforms they manage. This may be because of the effort involved with installing the updates, because administrators sometimes do not hear about a new patch, or because problems caused by previous updates have made them reluctant to apply future patches. The lack of a way to easily test and apply new patches results in a large number of computers without current fixes. The majority of computer infections and compromises that occur are likely preventable, because patches exist for them. When the patches are not applied, however, hackers can exploit the vulnerability that the update addresses.
Marketplace
Organizations should base their choice of patch management tools on several factors, such as the number of platforms supported and systems to be patched, existing expertise and personnel involved, and the availability of existing system management tools. The following categories typify the automated patch management systems that are available:
- Pure-Play Patch Management – Specialized companies that focus on patching operating systems and applications.
- Server and Desktop Management – Companies that offer asset management solutions and have expanded their offerings to include patch management.
- Network and Systems Management – Companies that offer network or systems management solutions that also distribute patches.
- Network Security – Companies that offer security products such as anti-virus and vulnerability scanning tools, and have enhanced their product suite capabilities to address patch management.
Top products on the market include:
Microsoft. Microsoft offers the Endpoint Manager and Azure Automation Update Management, both with patch-management options. Endpoint Manager includes options for endpoint security, device management, and intelligent cloud actions – within a unified management platform – with Microsoft Intune and Configuration Manager. The Azure Automation Update Management offering, meanwhile, embraces a scalable model for taking ownership of server updates and patching operations. The software can be customized to run according to specific business needs using a centralized, DevOps approach.
HCL BigFix. HCL acquired IBM’s patch-management assets in a December 2018 transaction valued at $1.8 billion. This sale included a number of IBM Software sets, including AppScan, Unica, Commerce, Portal, Notes, Domino, and Connections. HCL BigFix serves to address the full system lifecycle, including asset discovery and inventory, software distribution, OS deployment, migration and re-imaging, power management, and remote desktop control, as well as patch management.
Ivanti Windows Patch. This software allows the user to incorporate complete patch management within an Endpoint Manager environment. The application offers automatic evaluation, testing, and applying of OS and app patches, enterprise wide.
Solarwinds Patch Manager. The Solarwinds Patch Manager offering provides intuitive software for more quickly addressing software vulnerabilities. It comes packaged with out-of-the-box reports to better manage critical updates, installed statuses, and failed updates. No SQL knowledge is required.
Additional Offerings. There are dozens of patch-management software options available in the market, including offerings by Broadcom, NinjaRMM, Atera, ManageEngine, PDQ, Automox, LogMeIn, Salt Project, Kaseya, SysAid, ConnectWise, GFI Software, Autonomic Software, and IgniteTech.
Outlook
The key shortcoming of many commercial patch management systems is that they are limited to certain platforms or only work with some applications, and therefore are not able to carry out patch management services for all of the systems within heterogeneous networks. Organizations can overcome this by adopting more than one patch management system, such as one for UNIX systems and one for Windows.
Currently, the industry offers multiple commercial and free tools for automatic patch distribution and management for the Windows environment but somewhat fewer for other systems. UNIX systems contain numerous configuration variables that can make automatic patch deployment difficult. Therefore, IT departments are more likely to manually distribute patches to UNIX and Linux systems and leave automated patch management for the Windows environment.
Some organizations continue to manually apply patches on UNIX-based systems by upgrading to the patch level of the OS version. The various configuration differences common to UNIX systems can make automatic patch deployment and management problematic. Manually installing patches on UNIX-based and Linux systems usually involves compiling the patch source code into the application or kernel. This approach undermines the goal of cutting costs and minimizing IT labor, prompting many vendors marketing patch management to explore a more heterogeneous approach. Today, several vendors support scanning and patching of non-Windows operating systems.
The availability and maturity of patch management products continues to grow. These tools are either agent-based or agentless systems, defined by whether they require software (“agents”) to be installed on the target systems or whether the systems can be patched without agents residing on them. Many IT departments hesitate before employing an agent on hundreds or thousands of devices.
Best practices are emerging for patching cloud environments, but work remains. Different cloud environments demand different approaches. For instance, PaaS (Platform-as-a-Service) providers can exercise fairly tight control, while IaaS (Infrastructure-as-a-Service) companies can use software designed for traditional environments.
Recommendations
Implementing patches via tools that are built into applications can sometimes be an impractical approach for large, dispersed organizations that use a variety of software packages. These organizations require centralized control of patch updates to ensure that only approved software is implemented on their networks. In addition, enterprises aim to reduce the amount of labor required for the process. Automated patch management tools provide a way to meet these goals.
Patch management has grown into an integral, ongoing part of network maintenance and management as IT staff must constantly update a variety of software systems to protect against network intrusions, viruses, malware, and other threats. Patch management tools deliver a range of functionality from basic deployment to value-added systems, network, and security management.
Choosing the appropriate tool for an organization can be complex. Administrators need to evaluate products based on many factors, including:
- Which solutions are agentless?
- Which products integrate well with existing systems?
- Is the solution easy to use?
- What solutions offer comprehensive coverage of installed operating systems?
- Which solutions cover handhelds and mobile systems?
- Can the solution run in the background to avoid impacting performance?
- Can patches be rolled back if they cause errors and issues on the network?
- What licensing options are available?
- What testing and update mechanisms are available?
- What support and maintenance plans are offered?
IT departments must first define what their organization needs before
determining what tool would work best in their infrastructure. Focusing only on
technology to solve the problem is not the answer. Installing patch management
software or vulnerability assessment tools without supporting guidelines,
requirements, and oversight will be a wasted effort that will further complicate
the situation. Instead, good patch management programs will blend technological
solutions with policy and operationally based components that work together to
address each organization’s unique needs.
Patch management processes function most effectively as part of an overall network management plan. Before deciding to implement a particular solution, organizations should establish a comprehensive strategy that includes asset management, software distribution, availability and performance monitoring, application management, and network accounting. Small organizations may only need automated, user-driven tools like Microsoft Update, whereas large organizations need established policies on updating each critical system as well as sophisticated software to distribute, test, and validate the patches.
Most customers will find that selecting a patch management tool requires compromises. Dedicated patch management tools provide rich features and automate many processes, but they have to be operated separately from other management products. On the other hand, broadly focused products with built-in patch management capabilities may be less mature and may automate fewer processes.
Regardless of which vendor’s solution an organization implements, patch management software does not automate all processes. This forces administrators to manually perform certain functions. When evaluating the potential benefits of patch management software, organizations should not assume that all costs associated with tracking, testing, and deploying patches will be eliminated. Although seemingly a limitation, the lack of total automation is actually beneficial. IT administrators should remain actively involved in monitoring software levels, evaluating patches, and installing updates.
Implementing a “raw” patch – that is, an update that comes directly from a software vendor without being independently tested – is not a safe practice. Vendors often rush patches to respond quickly to newly discovered vulnerabilities. As a result, some contain bugs that could cause problems, sometimes disabling entire systems. Even in cases in which a vendor performs its own testing, there is no guarantee that the patch will work safely within a particular environment. Organizations that test patches themselves before deploying them within their own networks will minimize the possibility of malfunctions.
Organizations will better protect themselves by maintaining non-production systems for testing patches, an approach known as a “sandbox.” These systems are configured with the same hardware and software as those that are in use on the network. Organizations may be required to maintain multiple test systems for each platform they maintain – for instance, one for file-and-print servers, one for the mail server, and one for desktop clients – which may look like an unnecessary expense, but it is much cheaper in the long run than suffering the production consequences of a defective patch. Routinely measuring the results of a patch management program helps to continually improve it.
Web Links
- Atera: https://www.atera.com/
- Automox: https://www.automox.com/
- Broadcom: https://www.broadcom.com/
- ConnectWise: https://www.connectwise.com/
- GFI Software: https://www.gfi.com/
- HCL: https://www.hcltech.com/
- IgniteTech: https://www.ignitetech.com/
- Ivanti: https://www.ivanti.com/
- Kaseya: https://www.kaseya.com/
- LogMeIn: https://www.logmein.com/
- ManageEngine: https://www.manageengine.com/
- Microsoft: http://www.microsoft.com/
- NinjaOne: https://www.ninjaone.com/
- PDQ: https://www.pdq.com/
- Solarwinds: http://www.solarwinds.com/
- SysAid: https://www.sysaid.com/
About the Author
Brady Hicks is an editor with Faulkner Information Services. He writes about computer and networking hardware, software, communications networks and equipment, and the Internet.