What is Patch Management Software?
Patch management software is a category of enterprise or business software that helps IT and remediation teams fix vulnerabilities on networks. Fixing – or remediating – vulnerabilities is key to decreasing the risk of successful cyber attacks like ransomware. Actual statistics vary based on the study, but it’s estimated between half and upwards of 80 percent of successful breaches can be traced to an unpatched vulnerability. But with the number of vulnerabilities on the typical corporate network – even those with robust remediation programs – counted in the thousands or tens of thousands, fixing vulnerabilities before cyber bad actors can find and exploit them first is a daunting challenge. Patch management software is designed to help remediation teams patch vulnerabilities more efficiently, set policies for the remediation of different classes of vulnerabilities, and track and report on remediation progress.
Where did the Word “Patch” Come From?
Much like the common term “bug” (which originated in the early days of computer development), the term “patch” dates back to the time before computer keyboards. Many decades ago (up until the late 70s), computer programmers didn’t type on keyboards to program computers, but rather fed “punch cards” into computers of that day. Punch Cards had holes strategically placed in them that the computer could “read” to understand the instruction, much the way computer code is used today to communicate the wishes of a programmer to the computer today. When there was an error in an instruction, the programmer couldn’t simply backspace or delete the offending text, but rather would use a small piece of tape to cover holes responsible for the error. The tape was literally a “patch” that modified the instruction by virtue of covering a hole or holes on the punchcard. Since software patches today effectively correct errors in code (in today’s case, errors that often result in security flaws), the re-purposing of the term “patch” seems entirely appropriate.
What Does Patch Management Software Do?
Patch management software can deliver a number of functions that can aid remediation teams as they attempt to address what can be mountains of vulnerabilities. For example, patch management software can centralize all information about vulnerabilities and remediation plans in one place. It can establish patching schedules and cadence for specific systems. Patch management software can enable vulnerability remediation teams to set policies for patching, that is, establish rules for when and how systems are updated. Patch management software also provides reports for remediation teams and their management to track progress, and ultimately reduce vulnerability-driven cyber risk.
How Does Patch Management Software Help Improve Cyber Security?
Bad actors use a number of means to gain access to a corporate network. Phishing (enticing an employee to click on an attachment in an email or voluntarily provide their credentials on an imitation or fake website) is a popular initial access technique, for example. Another is purchasing stolen credentials, or credential “stuffing” (randomly attempting to use stolen credentials across countless networks and services in an attempt to find the right key for the right lock). But, perhaps the most effective tactic cyber criminals use to gain a foothold on a corporate network is the exploitation of vulnerabilities, or security holes in the software installed on corporate devices. Since corporate networks have thousands or tens of thousands of devices (computers, servers, printers, routers, switches, etc.), they also maintain hundreds of applications and operating systems running on those devices. Unfortunately, since software is created by humans, and humans are fallible, the software running on these devices has flaws that bad actors can discover and use to gain unauthorized access to the network. These flaws – or vulnerabilities – can number in the thousands or more, and upwards of 50 new vulnerabilities are discovered each day (over 61 per day in 2022, for example). Patch management software- and vulnerability management software generally – can help reduce the time it takes for remediation teams to identify vulnerabilities, prioritize them, and patch them, ultimately reducing the cyber risk of the organization. As vulnerabilities can be identified by bad actors via the use of readily-available scanning tools that can literally scan the internet for a given vulnerability in 5 minutes, vulnerability exposure in today’s security landscape means networks are indiscriminately targeted. That is, your organization may not be specifically the object of a cyber criminal’s interest, but rather just an opportunity for attack based on a random scan that happened to identify an exploitable vulnerability on your network. Given these realities, patch management software’s potential to reduce the organization’s vulnerability risk can go a long way to minimize overall cyber risk.
What are Examples of Patch Management Software?
Patch management software is often included as part of an RMM (Remote Monitoring and Management) solution, of which there are many. Some examples of RMM tools that include patch management software are Kaseya, Atera, Pulseway, Itarian, NinjaOne and Automox. Some conventional cyber security products include a patch management software element, for example GFI Languard, Syxsense, SentinelOne, Tanium or SanerNow, all endpoint protection solutions that include patch management functionality at some level. Name brand companies like Solar Winds, Qualys and ManageEngine provide a suite of IT management solutions that include patch management software, while one of the more well-known patch management software products for Windows devices is built by Microsoft: Microsoft Endpoint Configuration Manager, better known in the industry by its original name, System Center Configuration Manager (SCCM). Other solutions focus on vulnerability and/or patch management exclusively, for example, JetPatch, Vulcan Cyber, Nucleus and Vicarius.
Who Uses Patch Management Software?
The short answer to the question of who uses patch management software is the team responsible for vulnerability remediation. Typically, that’s a function within the IT department. In larger organizations, there may be a dedicated group of professionals that spend the majority or all of their time remediating vulnerabilities, while the function is often shared among any and all members of the IT team in less sizable organizations. One of the challenges in vulnerability remediation, and subsequently the use of patch management software, is that the team responsible for identifying vulnerabilities – and the team most impacted by unpatched vulnerabilities – is typically not the team responsible for remediating them. The information security team nearly always is the group responsible for identifying vulnerabilities, and they then turn that information over to the remediation team to conduct patching operations using patch management software. As one might imagine, this bifurcation of responsibilities and ownership can easily cause conflict, as the two groups often have strikingly different priorities. Security teams are responsible for protecting the organization’s data, and, although that is certainly important to IT professionals, the IT team is responsible for myriad daily operations tasks that can be overwhelming. These include everything from a constant stream of help desk inquiries to new employee on-boarding to network disruptions to equipment upgrades. Add to this inherent operational conflict the ownership and reporting challenges faced by both teams. As information security becomes a more prominent concern among senior management teams, there’s more pressure on the security team to reduce the number of vulnerabilities on the network. Yet, the security team doesn’t typically have the ability to directly impact the vulnerability risk of the organization, as they’re not responsible for remediation. Mature organizations with a holistic view of cyber security are able to navigate these challenging political waters, but it’s more easily said than done.
Is it Risky to Use the Auto-Update Functions in Patch Management Software?
Yes and no. The goal of every remediation team should be to enable as many auto-patches as possible to 1) quickly plug security holes before they can be exploited, and 2) conserve remediation resources for patching efforts that are most prudently done with human involvement. As we discuss later in this post, the vast majority of patches are highly unlikely to cause unexpected disruption, but the perception of patches constantly breaking things persists. That having been said, some software updates are likely to cause an issue, must be tested prior to deployment in a production environment, and should be deployed in off-hours in anticipation of issues. The trick is to know which patches are which. Later in this discussion, we’ll summarize how trackd is addressing this challenge head on using an innovative, ML-based approach completely new to the patch management software community.
How Much Does Patch Management Software Cost?
Patch management software pricing varies greatly, largely because it’s often bundled with other IT management functionality. Some vendors may break out patch management software to deliver independently, while others include it with other tools. Because of this, pricing can vary widely, from $3 per device per month for stripped down patch management software, to much higher prices (over $100 per user per month) for more sophisticated solutions. Generally, pricing is based on the number of specific devices on which the software or agent is installed, while more complex licensing arrangements can be implemented for large deployments. With such a wide selection of patch management tools available, it behooves any organization with a vulnerability remediation program to find one that can be incorporated into the IT/security budget.
What are the Top Considerations for a Team Purchasing Patch Management Software?
There are a number things to consider when considering the purchase of patch management software, including:
- Are you looking for patch management software only, or a more comprehensive security or IT operations management solution that includes patch management functionality?
- Cost, of course, is always a consideration, and is often related to the item preceding this one. Thus, again, it’s important to understand which functionality you need for your remediation program and not pay for features and capabilities you either don’t need or have access to from other solutions you already own.
- Does the patch management software include data-based intelligence that helps you determine which patches to apply via auto-updates and which should be manually applied? This is a new capability in patch management software that can materially decrease your organization’s MTTR (mean time to remediate).
- Does the patch management software provide a real-time dashboard that’s easy to understand and supported by robust reporting options? The reporting functionality should enable the production or creation of reports that are designed to be consumed by senior level executives.
- Does the patch management software integrate with other IT systems and software?
- Is the product easy to use, and is the time to train a new user reasonable? This is often in the eye of the beholder (all software vendors declare that their software is “easy to use”), but can also be helped by effective and timely support. In this sense, like all software solutions, you’re buying the company as much as you are the software itself.
What are the Key Challenges for Patch Management Software?
Patch management software can provide a very helpful centralized location to manage a critical, but complex, function: vulnerability remediation. However, solutions until recently have relied heavily on human interaction and judgment to execute a vulnerability remediation strategy; it’s one hundred percent up to the remediation team to determine how best to patch any of the many vulnerabilities on a typical network. Will auto-patching be safe, or might it cause an unanticipated interruption? Do we need to test this patch before deployment? Should a particular patch be applied in off-hours in anticipation of a likely disruption?
Vulnerability management solutions over the past 5 years or so have made significant progress providing context for vulnerability prioritization, so remediation teams now have some tools to help them deploy their limited vulnerability remediation resources wisely. Conversely, those tasked with vulnerability remediation are left with no context or insight into the most efficient means of applying patches. Patch management software can help organize a function with a seemingly infinite number of moving parts, but existing products do little to inform remediation teams with the intelligence they need to build the most efficient patching strategies. Companies like trackd are changing that game.
Are There New Innovations in Patch Management Software?
Most of the improvements in patch management software over the past decade have been more evolutionary than revolutionary, a streak trackd is working to end. One of the best kept secrets in the world of vulnerability remediation is this: the vast majority of patches are safe to apply without fear of disrupting network operations. Estimates vary, but the number could be as high as 98% of applied patches are never rolled back (patches that disrupt network operations and break systems are often “rolled back,” meaning the previous version of the software with the vulnerability is re-installed in an effort to stabilize the network and return to normal operations). This means that upwards of 9 out of 10 patches can be applied without human intervention, leaving just a few percent of patches to be applied by vulnerability remediation teams, greatly reducing their workload, as well as the organization’s cyber risk.
The challenge, however, is to understand which 2 or 3 of those 100 patches are likely to cause disruption, and which 97 or 98 can be put on auto-pilot. This is where trackd’s patch management software innovation helps to identify the 2 or 3 patches that are likely to cause problems, and perhaps more importantly, give the remediation team the confidence to leverage automated patching for the 97 or 98. trackd leverages a growing database of actual patches applied on networks across several industries and proprietary ML technology to demonstrate, empirically, the disruption risk of applying the patch. Effectively, trackd provides the intelligence to remediation teams – actual patching data – to feel confident that a given patch has been applied x times elsewhere with no issue, and therefore the remediation team can be confident auto-applying that patch won’t impact their network operations.
