A zero-day exploit found recently in Java, may have reminded IT managers to rethink a patching process that often is less than perfect and, in most cases, considered a pain. Patch management solutions may not be the answer to growing problems, but they can alleviate the impact of a problem that may be growing out of control.
While patching itself is, conceivably, among the most critical tasks in IT today, it can also be considered one of the most neglected issues given the required level of diligence. While the primary task could be simply summarized in (1) knowing about and understanding a patch, as well as (2) having a clear procedure how a patch can be deployed across a network, the underlying infrastructure of how patches are treated, is fundamentally more complex.
Organizations typically deal with the cost of their patching infrastructure with timing issues that weigh the risks and benefits of testing and deploying within a certain time frame, with compliance requirements and problems, with transparency of patching, with appropriate education of users, as well as an effective and uneventful deployment. According to Jeff Keyes, senior product marketing manager at patch management provider Kaseya, many organizations struggle with an effective and reasonable patching environment because of those requirements and have adopted an environment that allows them to get by on an everyday basis, while being busy "fighting fires" with compliance issues and the threat of a compliance audit.
Patch Management Compliance Issue:
Patch Management Deployment Issue:
Patch Management IT Visibility Issue:
According to Keyes, organizations are generally doing "ok" at the PC level, but tend to be negligent about server patching. In a conversation with Tom's IT Pro, he noted that IT admins may disable server patching at the server level as they introduce significant inconvenience and delays due to rebooting needs as well as manual work to adjust the patch. "This is much more serious than playing with fire. What is not understood entirely is that there are automated exploit tools that can attack a server."
Dodi Glenn, product manager at patch management provider GFI, added that a critical issue is also that a lack of patching often stems from the fact that IT may be overloaded with support tickets that are simply reacting to damage that has already been done, and frequently take an affected machine off the network. Instead, Dodi said, it would be much more desirable from a patch perspective to enable IT to "deal more proactively with potential threats." He stated that more effective solutions will be required as organizations will be facing increasingly complex device environments with remote systems as well as BYOD where individuals are bringing their own laptops, phones and tablets into an existing IT environment.
Patch management solutions can address some of the general issues patching poses today. While it is unreasonable to expect patch management to solve the entire problem, and it is unreasonable to expect a comprehensive solution that works seamlessly across all operating system platforms, an automated solution can tackle most relevant issues, including cost, timing, compliance, visibility and deployment. However, there is a clear trend and requirement for patch management providers to keep up with the trend of multi-platform organizations that have to manage much more than just a Windows PC and server platform.
Glenn mentioned that there is no exact timeframe in which a new patch is guaranteed to be available, but the ability to deploy a critical patch is "measured in hours and not days". Testing of patches can usually be reduced to a single day as patches can be deployed to individual machines that run affected applications and could be facing breakage due to a patch, before patch management servers can deploy an update organization-wide. Solutions such as Kaseya product also use agents that are installed on client machines and complete check-ins based on tasks with a deployment server.
Despite a growing concern of cybercrime, Keyes noted that patch automation is a relatively immature industry segment and "most companies are barely above the reactive level." One reason may be a lack of understanding of the need of patching, which reaches, according to Glenn, from the level of individuals all the way into the enterprise.
"The most common mistake in patching is that we do not realize the repercussions of not patching." We typically require to be reminded of the potential impact, even with massive infections such as the Conficker worm in 2009, which reportedly infected more than 3.5 million hosts and incurred estimated removal costs of close to $10 billion. And even without such major outbreaks, the cost to deal with malware that is exploiting unpatched systems is estimated to be about $20 billion annually, according to Computer Economics.
Glenn believes that for IT to successfully tackle this issue, there is a need to educate both executives as well as users of the importance that is put on patching. "And it's not just about new patches," he added. "Exploits often go after old vulnerabilities," which makes a good case for "patch management that reaches from the consumer level, to SMB and enterprises".
Wolfgang Gruener is a contributor to Tom's IT Pro. He is currently principal analyst at Ndicio Research, a market analysis firm that focuses on and disruptive technologies. An 18-year veteran in IT journalism and market research, he previously published TG Daily and was editor of Tom's Hardware news, which he grew from a link collection in the early 2000s into one of the most comprehensive and trusted technology news sources.
See here for all of Wolfgang's Tom's IT Pro articles.
Shutterstock credit: 113900932