Software patching 2.0: Cutting costs with virtual patching, automation

Struggling to bring the cost of the patch management process down? Expert Michael Cobb suggests virtual patching and automated tools can play a role.

Over the last 18 months, several big software vendors made some fairly fundamental changes to the way they deliver updates and patches to their customers. Google's Chrome and Mozilla's Firefox Web browsers have moved to smaller, incremental updates, with new versions released every few months. Both browsers are also silently patched several times each month, with no set schedule. Meanwhile, Adobe recently started syncing security updates for its Flash Player with Microsoft's Patch Tuesday schedule, and updates to Flash for Internet Explorer 10 will be installed on Windows 8 and Windows RT devices via the Windows Update service.

While these initiatives improve the likelihood of systems being patched in a timely fashion, the average client computer has more than 50 applications from at least 20 different vendors installed; on networks with lax security controls, these numbers are probably even higher. This means that administrators have to support a variety of applications from multiple vendors, all with different update procedures.

Concurrently, many administrators tasked with assessing and deploying patches work under tight budgets and require low-cost options for managing the patch process. Let's discuss the role that automated tools and virtual patching can play in improving the patch management process, while controlling the costs involved.

Pain-free patching requires automation

The first challenge involved with the patch management process is to inventory all installed programs. To get a comprehensive view of which Microsoft software is installed and how well it is patched, run Microsoft's free Baseline Security Analyzer. To get a list of third-party applications, a free tool such as FileHippo's Update Checker may suffice. Update Checker must be run on each machine and its list of detected programs is not comprehensive, but it links to newer versions where available. As it doesn't include patch information, administrators still need to subscribe to each vendor's alerts to stay informed of new threats and patches.

A more comprehensive report is produced by Secunia's Corporate Software Inspector (CSI). The Small Business version, for fewer than 100 hosts, is $3,100, but it can identify about 13,000 applications from 2,300 companies on any network-connected machine. CSI's reports provide a complete software asset register, listing all the programs and plug-ins installed on each machine and whether they're patched and up-to-date. Links to and advice about each missing patch are provided, making it easy to determine the severity of the issues addressed by the patch and whether the vulnerabilities are a threat to an organization's environment. The scan detects and reports end-of-life programs and plug-ins, which are no longer supported or updated by vendors. With CSI, it is also possible to automatically repackage a large number of patches from different vendors for direct deployment using Microsoft's Windows Server Update Services.
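As an added example that is not from the article or from any of the vendor tools it names, the Python below builds the kind of per-host register such a scan produces: a constructed inventory is matched against a constructed advisory feed, versions are compared numerically rather than as strings, and every entry is marked patched, missing a patch (with its severity), end-of-life, or unknown to the feed. All hostnames, vendors, products and versions are made up.

```python
# Constructed sample inventory: hostname -> (vendor, product, installed version).
INVENTORY = {
    "ws-01": [("ExampleSoft", "ViewerPro", "3.1.7"), ("Acme", "Plugin", "11.2.0"),
              ("Oldco", "LegacyRunner", "2.0")],
    "ws-02": [("ExampleSoft", "ViewerPro", "3.2"), ("Acme", "Plugin", "11.3.1"),
              ("Freeware", "Notepadish", "1.0")],
}

# Constructed advisory feed: (vendor, product) -> first fixed version, severity, EOL.
ADVISORIES = {
    ("ExampleSoft", "ViewerPro"): {"fixed": "3.2.0", "severity": "high", "eol": False},
    ("Acme", "Plugin"): {"fixed": "11.3.1", "severity": "critical", "eol": False},
    ("Oldco", "LegacyRunner"): {"fixed": None, "severity": None, "eol": True},
}

def parse_version(v):
    """'11.3.1' -> (11, 3, 1): numeric parts, so '11.3' does not sort below '9.9'."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_lt(installed, fixed):
    """Right-pad with zeros so '3.2' equals '3.2.0' and '3.1.7' is below '3.2'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def classify(vendor, product, installed, advisories=ADVISORIES):
    """Patch status of one installed app against the advisory feed."""
    adv = advisories.get((vendor, product))
    if adv is None:
        return "unknown"       # not in the feed: follow this vendor's alerts by hand
    if adv["eol"]:
        return "end-of-life"   # no patch will ever come; plan a replacement
    if version_lt(installed, adv["fixed"]):
        return "missing-patch:" + adv["severity"]
    return "patched"

def build_register(inventory=INVENTORY):
    """Per-host software asset register: every entry gets a status."""
    return {host: [(v, p, ver, classify(v, p, ver)) for v, p, ver in apps]
            for host, apps in inventory.items()}

if __name__ == "__main__":
    for host, rows in build_register().items():
        for vendor, product, ver, status in rows:
            print(f"{host:6} {vendor:12} {product:13} {ver:7} {status}")
```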

There are plenty of other patching products to consider, although many are aimed at the enterprise level. Lumension Security (formerly "PatchLink") offers a 12-month subscription priced at $4,270 for 100 nodes. If an organization already has Microsoft's Systems Management Server, the Inventory Tool for Custom Updates and the Custom Updates Publishing Tool can be used to check patch status and create packages to push to endpoints.

Although there is a cost, some form of automated patching tool is essential for all but the smallest of networks. Even moderate-sized organizations need a budget for an automated patching tool to make the process as effective and painless as possible for everyone. Trying to write a script to push patches to machines across a network has little chance of working seamlessly and successfully.

Consider timely virtual patching

If the IT team is struggling to review, test and install patches in a timely manner, virtual patching is another cost-effective option to avoid leaving systems at risk. There are various ways to apply virtual patches, but the easiest method is to update the configuration of a firewall or an intrusion prevention system's filters to control either the inputs or outputs of the affected application. While not a permanent answer, it can buy administrators extra time to assess and deploy a vendor's patch. Another short-term option is to temporarily suspend an application.

To assess, test and prepare for rolling out patches, a virtual test lab is essential. It is also inexpensive to set up using a virtual machine to replicate users' desktop configurations. Even with standardized configurations and thorough testing, it is still a best practice to roll out patches to a small user group first. This allows user feedback and keeps disruption to a minimum, if a patch does cause a problem for some unforeseen reason. Patches should certainly be deployed to standardized systems before updating nonstandard and legacy machines.

Don't forget antivirus products

Beyond having automated technologies in place, security advisory services and forums, such as CERT, are a great source of warnings about patch installation problems and of troubleshooting advice. No software will ever be completely devoid of bugs and vulnerabilities, and while a patch provides better protection because it eliminates the root cause, antivirus products can prevent users from initially reaching malicious sites that try to exploit a vulnerability. So even with an efficient patch management process in place, organizations should still run antivirus software on all endpoints, with mission-critical software processes located on a properly protected network segment and firewalls monitoring both incoming and outgoing traffic.

About the author
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.

This was last published in February 2013