What is patch management software?
Patch management is the process of distributing and applying updates to software in order to correct bugs, including those that represent security vulnerabilities, and to take advantage of enhancements or new features. Software that needs patches includes operating systems, embedded system firmware, and third-party applications.
What is a patch management solution used for?
Prompt and reliable patch deployment is essential to minimizing risk to your information technology (IT) assets. A patch management solution can provide an automated patching process, which can dramatically reduce both the effort required to update software and the chance of issues due to human error.
What are the two main types of patch management software?
There are two types of patch management software: cloud and on-premises. A cloud solution is deployed by the vendor in their data center or a site such as Amazon Web Services, Google Cloud, or Microsoft Azure. On-premises solutions are usually installed on the customer’s server. Some vendors offer both types of solutions.
What are the core patch management tool features to look for?
The main function of a patch management solution is, of course, the installation of missing patches on target devices. Accordingly, be sure to check which operating systems and firmware the tool supports. In addition, the ability to patch third-party applications (especially all popular browsers) is vital, because this software frequently has critical vulnerabilities.
Other key features include:
- Automatic download of patches from software vendors
- Alerts on new updates and their criticality level
- A central update repository so devices are not downloading updates from the internet
- Ability to group devices to create a test environment for evaluating new patches
- Policies for installing patches
- Inventory of the software on each asset
- Patch installation on a schedule or based on a trigger
- Ability to roll back updates
- Ability to remotely reboot systems during the update process
- Ability to run cmd, bash, and PowerShell commands and scripts on target systems
- Ability to email or message all affected users that an update will be applied and whether it will require a reboot
- Ability to assign an owner to each asset and schedule update installation time
- Ability to assign particular engineers to check applications after update installation
- Comprehensive scanning and detailed reporting, including automatic scanning of assets to determine where updates need to be installed and reports and dashboards that provide an overview of update status and details for troubleshooting issues
- Integration with:
  - Vulnerability management systems
  - Project management systems
  - Backup systems (to facilitate backups before patch application)
  - WSUS, SCCM, Puppet, and inventory management software
What other considerations are important?
Ease of use and simplicity of deployment
A good patch management tool should be easy to install and use. It must have an intuitive interface without freezes or lags, as well as clear documentation on all product features. If it is an on-premises solution, it should support both Windows and Linux operating systems; if it uses a web interface, that interface should work in all popular browsers.
Impact on business performance
Ideally, a patch management tool should consume minimal computing resources and not degrade the performance of any business systems. At the local level, the tool should interact well with the operating system components responsible for updates without allowing them to heavily load the system during patch application. The tool should also minimize the load on the network by limiting the number of devices downloading updates simultaneously.
Agent-based vs agent-less
A patch management system may or may not rely on agents. Each approach has its advantages and disadvantages. Many patch management solutions offer both options.
In an agent-based approach, an agent on the device installs the updates using local system permissions. Naturally, this means an agent must be installed on each target system. It is a plus if the patch management tool can do this automatically using a service account or local account whose credentials you provide; otherwise, you will have to install the agent manually using scripts or special software such as SCCM.
The key advantage of this approach is that agent and server can create an encrypted tunnel and exchange data without fear of compromise. Accordingly, this option is recommended for cloud-based patch management solutions.
However, using agents can lead to performance degradation on the device, or even to a Blue Screen of Death (BSOD) in extreme cases such as a poor-quality agent update from the vendor. Also, APT groups look for vulnerabilities in agents that they can abuse to execute their code on the device.
Most agent-less patch management solutions use a service account to connect to devices and install updates. Naturally, this avoids the work of installing agents and the risks associated with them.
However, this approach involves the risk of an unprotected data channel, as well as the risk of the service account being compromised and used for malicious purposes.
Accordingly, an agent-less server patch management system is best used inside the protected network perimeter of an on-premises environment.
Vendor support
The vendor should provide training on the product functionality and 24/7 support. Experienced technicians should be able to help you resolve issues with installing, configuring, and using the tool. It is particularly important for vendors to help solve problems related to failed patch installation, since missing patches leave your company vulnerable to security breaches.
RMM tool integration
Patch management functionality is often included in remote monitoring and management (RMM) tools. A combined solution is quite convenient, especially when you need to quickly fix a problem related to the failure of an update. Often, the same agent can be used for both patch application and remote management. In addition, eliminating the need to buy two separate tools can reduce costs.
Security of the patch management product
Patch management tools modify and install software on devices throughout the IT ecosystem, which makes them a powerful tool for attackers. For example, an adversary who compromises a patch management tool could use it to spread ransomware to multiple devices.
Accordingly, be sure to look for the following security features:
- Multi-factor authentication (MFA) must be required for all administrative accounts
- Role-based access control (RBAC) is necessary to allow only certain employees to update and manage certain systems using a least privilege model
- All databases used by the solution should be encrypted
- All configuration files should be encrypted
- If the patch management solution is running in the cloud, it should be SOC 2 and ISO 27001 certified, and the system should be protected against the OWASP Top 10 and DDoS attacks
- The signatures of both the update repositories and the patches should be verified
- The checksums of update distributions should also be checked to avoid spoofing
- Under no circumstances should an on-premises patch management system interface be exposed to the internet; it should be used only inside a secure perimeter with proper network security
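The two checks on repository signatures and patch checksums listed above, as an added example that is not the page's or Action1's own code: the manifest listing the digests is authenticated first, and only then is each downloaded file compared against its listed digest, so a spoofed file and a spoofed checksum list are both rejected. The patch payloads and key are constructed sample data, and an HMAC with a shared demo key stands in for the vendor's asymmetric repository signature (an assumption of this demo; a real repository carries a GPG or Authenticode signature instead).

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed sample data: two fake patch payloads and the key used to
# authenticate the repository manifest. An HMAC stands in for the vendor's
# asymmetric signature here (assumption for a stdlib-only demo); a real
# repository would carry a GPG or Authenticode signature instead.
MANIFEST_KEY = b"constructed-demo-key-not-a-real-secret"
PATCH_FILES: Dict[str, bytes] = {
    "kb-demo-001.bin": b"constructed patch payload #1",
    "kb-demo-002.bin": b"constructed patch payload #2",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: Dict[str, bytes]) -> Tuple[str, str]:
    """Vendor side: list each patch's digest, then authenticate the whole list."""
    body = json.dumps({n: sha256_hex(b) for n, b in files.items()}, sort_keys=True)
    tag = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body, tag

def verify_manifest(body: str, tag: str) -> Optional[Dict[str, str]]:
    """Step 1: trust no checksum until the manifest carrying it is authenticated."""
    expected = hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)

def check_patch(name: str, data: bytes, manifest: Dict[str, str]) -> str:
    """Step 2: the downloaded file must match the authenticated digest."""
    expected = manifest.get(name)
    if expected is None:
        return "rejected: not listed in manifest"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return "rejected: checksum mismatch"
    return "ok"

def stage_patches(downloaded: Dict[str, bytes], body: str, tag: str) -> Dict[str, str]:
    """Decide per file whether it may enter the central update repository."""
    manifest = verify_manifest(body, tag)
    if manifest is None:
        # A forged or altered manifest invalidates every checksum it carries.
        return {n: "rejected: manifest signature invalid" for n in downloaded}
    return {n: check_patch(n, d, manifest) for n, d in downloaded.items()}
```

Note that checking a file against a checksum fetched over the same unauthenticated channel proves nothing; the order of the two steps is the point.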
Price
The price of a patch management system will depend on its features, quality, support, and other factors. Be sure to assess whether particular capabilities are actually useful to your organization. As a general rule, a patch management tool should not be more costly than Microsoft Endpoint Configuration Manager.
Effective and reliable patch management is critical to cybersecurity, regulatory compliance, user productivity, and business continuity, so choose your patch management solution wisely. Carefully assess your needs and IT architecture to determine what functionality you require. To justify the budget, calculate the time savings it will provide for your IT teams, and quantify the risks and costs it will help your organization avoid by ensuring that your systems are properly updated.
Effective and Reliable Patch Management with Action1
With Action1, you can learn about newly released updates as soon as they are available, streamline the entire patch management process from identifying missing updates to compliance reporting across both Windows OS and third-party software, automate patching policies, and much more.
See for yourself just how easy effective patch management can be. You can use Action1 on 100 endpoints free of charge with no functionality limitations.