Patch management remains a major headache and money pit for network executives and can no longer be handled by manual processes, according to experts.
This week, BigFix and ConfigureSoft will release upgrades to their patch management tools for Microsoft software aimed at helping network executives efficiently run patch management over distributed networks. Vendors such as Loudcloud, St. Bernard Software, Shavlik Technologies, Ecora, Aelita, PatchLink and Ponte also offer patch management tools.
"Patch management is extremely complex," says Michael Rasmussen, director of research and information security for Giga Information Group. "It is still in the early adopter phase, and many people are still trying to do it through a manual process."
But with the proliferation of vulnerabilities on the Internet, that is no longer a workable solution, experts say.
"Patch management is viewed as a best practice to be done when time permits," says Eric Hemmendinger, an analyst with Aberdeen Group. "But no one ever finds the time. With automated tools, that might change."
That change could go a long way toward preventing many security breaches. Gartner reports that more than 90% of security exploits are carried out through vulnerabilities for which a patch is already known.
BigFix will unveil its Enterprise Suite 1.3, which includes a set of administrative tools to ease automated deployments of patches. The suite also incorporates support for distributing updated virus definition lists in addition to patches for Microsoft software, and adds a number of reporting controls for discovering what is installed on network clients and servers, including those running Linux.
ConfigureSoft will release Security Update Manager 2.0, which includes tools for quickly assessing which machines need new patches and administrative tools for controlling who can install them. The software runs on top of the company's Enterprise Configuration Manager and relies heavily on that product's database of information.
"It is the volume [of patches] that has become unmanageable," says Jon Speer, IS director for TripWire, which develops software to ensure data integrity. He says the company does not have the resources to dedicate to patch management.
Microsoft alone has issued 64 patches this year, but patches are also coming from most suppliers of network equipment and enterprise-class applications, according to vulnerability lists maintained by the Computer Emergency Response Team Coordination Center at Carnegie Mellon University in Pittsburgh.
Speer is using BigFix to tame the problem.
"BigFix has been a step in the right direction. We are not completely on autopilot, but we go through the new patches every few days and push them out to our machines," he says.
With Version 1.3, BigFix is adding the ability for multiple Enterprise Suite servers to communicate with the BigFix Fixlet server, which lets companies install Enterprise Suite servers at multiple locations to optimize performance. Fixlets are templates that define a security vulnerability and its corresponding patch; they are installed on servers and clients. BigFix also has added a peer element that lets one machine at a remote site download new Fixlets from the Enterprise Suite server and distribute them to the rest of the machines in its domain.