Network World
No patching panacea

Vendors say patch management should be part of a larger plan.
By Denise Dubie, Network World
November 29, 2004 12:13 AM ET

The recent Network World Virtual Showdown, "How best to patch," drew six vendors together in a weeklong debate that ultimately concluded patch management is best viewed as one facet of a larger security strategy.

Among the six vendors invited to the debate - Altiris, BigFix, Citadel Security Software, Configuresoft, Shavlik Technologies and Symantec - all but Shavlik argued that patching should be integrated with technologies that take into account asset, configuration, compliance and vulnerability management.

Shavlik countered by saying patch management is too complicated and critical to be addressed by multi-purpose offerings.

"Patch management is an arduous task and requires detailed patch analysis and testing to ensure networks are protected from vulnerabilities," wrote Chief Security Architect Eric Schultze. "Pure-play patch management vendors are best-suited to address these potential threats due to our experience in dealing with the intricacies of the patch management process."

The patch process at its most basic involves assessing systems for vulnerabilities, testing patches, deploying patches, and then verifying that the deployed patch removed the vulnerability from the machine without causing performance problems.

Patching is often a reaction to new vulnerabilities, and most of the vendors argued their products can help companies be more proactive. Citadel, for example, advises users not to wait for updates to start the process. Citadel said IT enterprise managers should scan their networks to identify the assets that could be vulnerable, such as a misconfigured router or firewall, and eliminate the risk by plugging holes before a known threat is announced.

"Enterprise vulnerability management works on the basic premise that by removing the real problem - the vulnerability - you will minimize the number of threat occurrences to which your company is exposed," wrote Carl Banzhof, CTO at Citadel.

BigFix and Configuresoft argued that patch management is simply a piece of the broader concept of security configuration management.

BigFix said this broader category "provides enterprises with a number of other capabilities, including mobile and endpoint security, configuration management, anti-virus and firewall management, asset discovery and inventory, and software distribution."

"IT organizations face a growing need to simplify their environments and to maximize the value of the tools they deploy by combining security, configuration and systems management functions into a common easy-to-manage solution," wrote BigFix's Gregory Toto, vice president of product management.

Industry watchers weighing in on the debate agreed. "Part of patching ties into vulnerability management, part of it goes back to software distribution, part of it is knowing the IT assets, and part of it is security configuration management," says David Friedlander, a senior analyst at Forrester Research.

Some of the vendors said IT managers are losing patience with multiple tools and are looking for vendors to consolidate features in one product or software suite.

Take Brad Carpenter. The senior systems analyst for Lane County in Eugene, Ore., uses LANDesk Management Suite 8.1 software to monitor systems and augments it with LANDesk's Patch Manager application plug-in to tackle patching.

LANDesk Management Suite maintains an up-to-date repository of his 1,400 client machines and the software running on them, including the patch versions. He was able to automatically populate the Patch Manager application with the desktop data from LANDesk's larger suite, and that is the primary reason he picked LANDesk over a product he evaluated from pure-play vendor PatchLink.

"I already have my complete inventory of client machines, and I can write a vulnerability status query in one system and [the product] will show me all the machines that are affected," he explains. "It's just another piece of the same network view, and if I was using a separate tool for desktop management and patching, I would lose all my integration."
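The basic assess, test, deploy, verify cycle described above, driven by an inventory query of the kind Carpenter describes, as an added Python example; this is not LANDesk's or any vendor's code, and the hosts, versions and advisory are constructed for illustration:

```python
import copy
from dataclasses import dataclass

# Constructed sample inventory (not real hosts): host -> {product: installed version}.
INVENTORY = {
    "ws-001": {"openssl": "0.9.7c", "apache": "2.0.52"},
    "ws-002": {"openssl": "0.9.7d", "apache": "2.0.52"},
    "srv-010": {"openssl": "0.9.7c", "apache": "2.0.51"},
    "srv-011": {"apache": "2.0.52"},
}

@dataclass(frozen=True)
class Advisory:
    """Constructed advisory: which installed versions are vulnerable and which version fixes it."""
    product: str
    vulnerable_versions: frozenset
    fixed_version: str

ADV_OPENSSL = Advisory("openssl", frozenset({"0.9.7a", "0.9.7b", "0.9.7c"}), "0.9.7d")

def affected_hosts(inventory, adv):
    """Assess: the 'vulnerability status query' run against the inventory."""
    return sorted(h for h, sw in inventory.items()
                  if sw.get(adv.product) in adv.vulnerable_versions)

def deploy(inventory, adv, hosts, failures):
    """Deploy: record the fixed version on every host where the install completed."""
    for h in hosts:
        if h not in failures:
            inventory[h][adv.product] = adv.fixed_version

def run_cycle(adv, pilot, failures=frozenset(), inventory=INVENTORY):
    """Test on a pilot group, then roll out, then verify by re-running the query.
    Returns what was targeted, what verified as patched, and what is still open."""
    inv = copy.deepcopy(inventory)          # never mutate the shared record
    targeted = affected_hosts(inv, adv)
    pilot_hosts = [h for h in targeted if h in pilot]
    deploy(inv, adv, pilot_hosts, failures)
    if set(pilot_hosts) & set(affected_hosts(inv, adv)):
        # Pilot did not verify clean: halt before touching the rest of the fleet.
        still = affected_hosts(inv, adv)
        return {"targeted": targeted, "halted_at_pilot": True,
                "patched": sorted(set(pilot_hosts) - set(still)), "still_vulnerable": still}
    deploy(inv, adv, [h for h in targeted if h not in pilot], failures)
    still = affected_hosts(inv, adv)
    return {"targeted": targeted, "halted_at_pilot": False,
            "patched": sorted(set(targeted) - set(still)), "still_vulnerable": still}
```

The verification step re-runs the same query rather than trusting the deployment job's exit status, so a host where the install silently failed shows up as still vulnerable.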

Altiris offers modules that customers can mix and match to address specific management tasks, including patching. BigFix recently broadened its software to include systems management features, and security vendor Symantec could use software from its On Technology acquisition to combine software distribution tools with its vulnerability scans. Symantec has an OEM agreement with Shavlik to use its patch management software with Symantec's vulnerability, intrusion-detection, anti-virus and other security tools.

"Patch management is just a small, yet critical component of the complete solution required for customers to create a more resilient infrastructure that is able to prevent, cope with and recover from unexpected events," wrote Thom Bailey, director of product management at Symantec.
