Network Security, Patch/Configuration Management, Vulnerability Management

Security vendors can no longer ignore patch management

Patch management can prevent most of the malware currently exploiting software vulnerabilities, so why isn't the technology being used everywhere?

Part of the problem is the misconception that if you run your anti-virus (AV) software regularly and update the operating system, you are covered. Reality begs to differ. While AV software derails a lot of potentially harmful attacks, it is only one component of a comprehensive security solution. Updating the OS is important, but it doesn't cover holes in applications and browsers that hackers, cyber criminals and other assorted IT malefactors are adept at exploiting.

Simply put, a truly comprehensive security strategy includes automated, centralized patch management software designed to handle a multitude of patches issued by multiple vendors at different times; a system to perform the necessary tests before applying patches; and the tools to conduct software audits on a regular basis. The execution of which, for far too long, has been a challenge for many small and midsized businesses, and completely out of reach for your average home user.

This needs to change.

The software patching function could be accomplished much more easily for most home and business users if security hardware and software vendors (including AV, firewall, gateway appliance and PC utility companies) integrated patch management into their solutions. It's hard to think of a better fit between complementary technologies, but even though patch management has been available for the better part of a decade, most security vendors still don't offer it among their growing slate of features.

For their part, service-focused companies such as ISPs (internet service providers), MSPs (managed service providers) and RMM (remote monitoring and management) vendors have been successfully integrating patch management into their offerings, thereby taking pressure off their customers to keep systems safe, while also establishing incremental service revenue opportunities for themselves.

Managing a stream of patches

Keeping up with the stream of patches in the course of year is a daunting task for any IT administrator, let alone your average home user. Vendors follow their own schedules, issuing patches monthly, quarterly or as needed. Microsoft alone issued close to 100 updates last year.

Most software applications and systems nowadays do come with auto-update mechanisms for downloadable patches. However, updaters operate independently of each other, taking up resources and bogging down systems, and require users to run them manually. They are time-consuming, requiring application shutdowns and system restarts, so it's easy to see why many users put them off.

“Automated patch management...prevents upward of 90 percent of software attacks.”

Automated patch management solves this problem, and in so doing, prevents upward of 90 percent of software attacks, mostly affecting home computers. Consider that most bots – responsible for untold spam, DDOS and phishing attacks targeting corporate networks – are essentially thousands of infected home PCs, and it becomes clear how increasingly intertwined corporate security is to the security of the average home user.

There's not only an industry imperative to address here, but there's also a tremendous market opportunity for security vendors to seize.

Six pack of trouble

Think of patch management as a flu shot. Like the flu, computer viruses and malware evolve constantly. Just as your body has to adapt to fight off infection, so does your IT environment. A vaccine helps your body adjust, and that is what a patch management system does for your network.

A recent Center for Strategic and International Studies (CSIS) study made a strong case for patch management. The study, conducted over a three-month period, found that simply applying the most recent patches to six software packages on Windows machines could prevent 99.8 percent of malware infections. The six packages are Java JRE (responsible for 37 percent), Adobe Reader/Acrobat (32 percent), Adobe Flash (16 percent), Microsoft internet Explorer (10 percent), Windows HCP (three percent) and Apple Quicktime (two percent).

For anybody using a computer or managing an entire network, automated patch management is clearly a tremendous benefit, protecting their systems and data while saving them money. A network free of viruses is, of course, more cost-effective than one requiring remediation after an infection.

Patch management should be a fundamental component of any comprehensive security solution. It's something ISPs, MSPs and RMM vendors understand, though we can't yet say the same for a broad array of other security vendors, who should proactively strengthen their products with integrated patch management to better protect their business and consumer customers.

If they don't, users and service providers should pressure them to do so. If they succeed, it would be a win for everyone.


Scott Hagenus is vice president of strategic relationships at GFI Software. Learn more at www.gfi.com or by sending email to [email protected].

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.