Automated patch management for small organizations

Most large organizations have patch management and antivirus scanning nailed. They use enterprise systems management tools to automate the entire process and don’t worry about vulnerabilities. Many small companies aren’t quite at that “set it and forget it” stage. Now SMBs have a simple, flexible tool designed for them that coincidentally happens to be the same update engine embedded into sophisticated enterprise tools.

According to both Gartner and CERT, more than 90% of security events result from targeted exploits to known vulnerabilities in software where patches have been made available but have not yet been applied. More and more exploits are being written for applications that hackers know are not being regularly patched by users—applications like Adobe Acrobat, iTunes, QuickTime, WinZip, RealPlayer, Firefox and more. The Firefox web browser alone represents nearly 20% of the browser market, making it an attractive target for miscreants looking to exploit any known vulnerabilities.  

To help combat the malware that is growing day by day, organizations need complete coverage over their entire environment regardless of device location and connectivity status. This includes mobile devices that are frequently off the network as well as those devices that are always attached, and virtual as well as physical assets. To accomplish this, IT organizations need a solution that:

* Supports patch management for any current and legacy Windows-based applications (those developed by Microsoft, ISVs or custom-built in-house)

* Supports both physical systems and virtual environments with the ability to analyze a virtual machine, even if it is offline

* Digs deep into the Web browser environment, which is effectively its own operating environment on the system and has its own set of applications (plug-ins, etc.) to patch

These needs are routinely managed by large organizations with system management tools from vendors such as BMC and Symantec. Smaller companies, however, often lack the resources and expertise to deploy such tools. What’s more, enterprise-class management solutions are simply overkill for the smaller company that doesn’t need all that functionality.

Now small-to-medium sized companies (SMBs) can use the same toolsets these system management vendors embed in their enterprise offerings. Software developer Shavlik Technologies provides kernels of technology to BMC and Symantec, who incorporate them into their own products. Shavlik also markets this same technology to SMBs in its Shavlik NetChk Protect platform offering. This allows any organization, regardless of size or extent of resources, to simplify its patch and antivirus management to improve its security and compliance posture.

NetChk Protect helps organizations ensure they are securing their entire Windows environment by scanning and deploying patches for Microsoft operating systems and applications (both current and legacy) and third party applications. NetChk Protect also allows custom patches to be identified, selected, and deployed for non-commercial applications or software that is developed in-house.

With NetChk Protect, organizations can automatically bring systems into conformance with corporate policies for patching, antivirus and deployed software applications by identifying systems that are not fully patched, that don’t have the latest antivirus signature, or that have unsupported software applications installed.

But detecting these gaps is not enough. Many organizations use tools that require manual remediation of each node and that just isn’t feasible for companies with lean IT departments.  Further, solutions that require heavy scripting to handle these tasks are not affordable to many smaller companies. To lower operational costs, it is critical to automate the process of fixing the identified gaps. Fully automating the process from scanning to fixing is the only way to ensure increased protection, lower operational costs, and reduced impact on IT resources.

To agent or not to agent? That is the question.  

With NetChk Protect, all of its functions can be performed with or without an agent. There are times when an agent is an absolute necessity and others when agents are not desirable. Shavlik’s solution provides flexibility if an organization needs an agent for active protection but wants to deploy patches without an agent.

This flexibility is important because:

* It reduces implementation time from weeks and days to hours.

* It allows instant access to send out zero day exploit patches at a moment’s notice without waiting for an agent polling interval.

* Agent-less means NetChk Protect patches everything in an environment, not just machines with agents. Typically, if no agent is there, the device may not be seen or patched. With NetChk Protect, the process will see these machines through an IP range scan, AD scan or other methods, allowing full visibility of all the Windows machines.

* With NetChk Protect, if the administrator can “see” the machine and has the proper credentials, he can scan and patch. Also for the remote devices, agent capabilities are available for machines that are not connected to the network.

With the ever changing malware environment, a flexible and simple approach to protecting IT assets – both physical and virtual, and local and remote – is critical. The Shavlik solution provides visibility and control with flexibility, and it helps companies to avoid becoming victims of security incidents that were easily avoidable through regular patching.

Brian Musthaler is a Principal Consultant with Essential Solutions Corporation.  You can write to him at bmusthaler@essential-iws.com

About Essential Solutions Corp:  Essential Solutions (http://www.essential-iws.com) researches the practical value of information technology, and how it can make individual workers and entire organizations more productive.  Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.  

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies