A recent Network World Virtual Showdown, "How best to patch," drew six vendors together in a weeklong debate that ultimately concluded patch management is best viewed as one facet of a larger security strategy. Among the six vendors invited to the debate -- Altiris Inc., BigFix Inc., Citadel Security Software Inc., Configuresoft Inc., Shavlik Technologies LLC and Symantec Corp. -- all but Shavlik argued that patching should be integrated with technologies that take into account asset, configuration, compliance and vulnerability management.
Shavlik countered by saying patch management is too complicated and critical to be addressed by multi-purpose offerings.
"Patch management is an arduous task and requires detailed patch analysis and testing to ensure networks are protected from vulnerabilities," wrote Chief Security Architect Eric Schultze. "Pure-play patch management vendors are best-suited to address these potential threats due to our experience in dealing with the intricacies of the patch management process."
The patch process at its most basic involves assessing systems for vulnerabilities, testing patches, deploying patches and then ensuring the patch deployed removed the vulnerability from the machine without causing performance problems.
Patching is often a reaction to new vulnerabilities, and most of the vendors argued their products can help companies be more proactive. Citadel, for example, advises users not to wait for updates to start the process. Citadel said IT enterprise managers should scan their networks to identify the assets that could be vulnerable, such as a misconfigured router or firewall, and eliminate the risk by plugging holes before a known threat is announced.
"Enterprise vulnerability management works on the basic premise that by removing the real problem -- the vulnerability -- you will minimize the number of threat occurrences to which your company is exposed," wrote Carl Banzhof, CTO at Citadel.
BigFix and Configuresoft argued that patch management is simply a piece of the broader concept of security configuration management.
BigFix said this broader category "provides enterprises with a number of other capabilities, including mobile and endpoint security, configuration management, anti-virus and firewall management, asset discovery and inventory, and software distribution."
"IT organizations face a growing need to simplify their environments and to maximize the value of the tools they deploy by combining security, configuration and systems management functions into a common easy-to-manage solution," wrote BigFix's Gregory Toto, vice president of product management.
Industry watchers weighing in on the debate agreed. "Part of patching ties into vulnerability management, part of it goes back to software distribution, part of it is knowing the IT assets, and part of it is security configuration management," says David Friedlander, a senior analyst at Forrester Research Inc.
Some of the vendors said IT managers are losing patience with multiple tools and are looking for vendors to consolidate features in one product or software suite.
Take Brad Carpenter. The senior systems analyst for Lane County in Eugene, Ore., uses LANDesk Management Suite 8.1 software to monitor systems and augments it with LANDesk's Patch Manager application plug-in to tackle patching.
LANDesk Management Suite maintains an up-to-date repository of his 1,400 client machines and the software running on them, including the patch versions. He was able to automatically populate the Patch Manager application with the desktop data from LANDesk's larger suite, and that is the primary reason he picked LANDesk over a product he evaluated from pure-play vendor PatchLink.
"I already have my complete inventory of client machines, and I can write a vulnerability status query in one system and (the product) will show me all the machines that are affected," he explains. "It's just another piece of the same network view, and if I was using a separate tool for desktop management and patching, I would lose all my integration."
Altiris offers modules that customers can mix and match to address specific management tasks, including patch. BigFix recently broadened its software to include systems management features, and security vendor Symantec could use software from its On Technology acquisition to combine software distribution tools with its vulnerability scans. Symantec has an OEM agreement with Shavlik to use its patch management software with Symantec's vulnerability, intrusion-detection, anti-virus and other security tools.
"Patch management is just a small, yet critical component of the complete solution required for customers to create a more resilient infrastructure that is able to prevent, cope with and recover from unexpected events," wrote Thom Bailey, director of product management at Symantec.
The debate also featured discussion about the difference between systems that use software agents on managed devices and agent-less approaches. The majority of vendors rely on agents, but Shavlik offers customers the option to run its product agent-less.
"An agent-less solution is much easier to deploy across networks and less expensive to maintain," Shavlik's Schultze wrote. "In addition, the ability to be scanning for and applying patches within minutes is a marked advantage, especially in this era of zero-day exploits."
Yet when it comes to remote or mobile clients, BigFix and Configuresoft argued for agents because an agent-less network scan relies on machines being connected. The vendors also said the amount of control, depth of information and range of actions that can be taken on servers and client machines increases exponentially with the use of agents.
"The problem with agent-less approaches is that they are less scalable and often less robust," said Randy Streu, Configuresoft vice president of product management. "The arguments for agent-based solutions include mobile support, scalability, robustness, lack of network delays and deeper inspections."
On a similar note, vendors discussed how their products could address decentralized networks that don't have a single operations center from which updates and patches are sent.
Guest expert Felicia Nicastro, a principal consultant with International Network Services Inc., asked vendors, "How do you enable management of globally distributed environments for large, more complex customers?"
BigFix's Toto chimed in, explaining how agents installed on every managed machine continuously monitor the system and "since all clients are working in parallel at the same time, the central server is never a bottleneck and BigFix can manage many tens of thousands of agents on a single BigFix Enterprise Suite server."
Peter Stapleton, director of Computer Associates International Inc.'s eTrust Managed Vulnerability Service, joined the debate, saying "the greatest challenges for decentralized organizations are often procedural or process-based" and do not concern specific technology, patch or otherwise.
With customers preferring integrated tools, industry watchers expect the market to tilt toward larger companies.
"There are plenty of vendors doing just pieces of (patch management), and what customers need is an integrated software product that can tackle all the elements in a distributed environment," said Fred Broussard, a senior analyst at IDC.
Security vendors such as Citadel and Symantec are likely to expand patch features in their product suites. Systems management vendors such as Altiris and Configuresoft say patch is a natural extension of their change and configuration management tools.
"It's actually surprising that more pure-play patch vendors haven't been acquired," Forrester's Friedlander said. He said bigger security vendors such as McAfee and Trend Micro would be most likely to acquire pure-play vendors because patching is the responsibility of the security team in most IT shops.
Management heavyweights such as BMC Software Inc., Hewlett-Packard Co. and Computer Associates also potentially could acquire pure-play vendors to round out their security software suites.
BMC's acquisition of systems management software maker Marimba has industry watchers speculating the vendor already could be pumping up its patch offerings. HP is set to announce this week product details related to its acquisition of Novadigm, which is likely to address HP product holes in the areas of change and configuration management and security.
Computer Associates' Stapleton said his company already can tackle the multi-faceted patch problem.
"What CA has done is address the problem of vulnerability management and applied our experience in enterprise management with particular emphasis on change control and configuration management," Stapleton said. "The basic challenges of knowing what you have (asset management), knowing who should be able to access it (identity management), and knowing the risk to your enterprise (threat management) are cornerstones of the CA offerings." -- Network World (US)
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.