Choosing a patch management solution
Submitted by Jason Chan, Consulting Services Technical Lead, Symantec Professional Services, and Co-Moderator, patchmanagement.org mailing list
Choosing and implementing a patch management solution, whether developed in-house or purchased from a third-party vendor, is much like any significant IT implementation project. Requirements must be identified, timelines must be created, resources (financial and human) must be allocated and solutions must be examined for benefits and drawbacks. But, because the patch management market (including products, practitioners and best practices) is relatively new, I find that many IT and security professionals struggle with how to get started when choosing a solution for patch management.
There are certainly many factors to be considered in this decision, including:
- Support for the operating systems and applications in use
- Service level agreements tied to patch release
- Cost of acquisition and maintenance
- Solution complexity (and the skill needed to operate)
I argue, however, that while these issues are important, the most critical factor for selecting a patch management solution is the solution's ability to implement your organization's patch management policy. Much has been written on the key elements of patch management policy, and for good reason. A solid and comprehensive patch policy provides the foundation for successful patch management in your organization and spells out the criteria that your patch solution will be judged against.
Just as a firewall is simply a tool to enforce your organization's security policy, your patch management solution must be seen as a tool for the direct implementation of your patch management policy. Here are some important questions to ask:
- Can the product roll out patches on the schedule that your policy dictates?
- Can it support the rollback requirements that your policy requires?
- Can it facilitate the pre-rollout testing that you need?
The closer the solution's capabilities match up to the requirements specified in your patch management policy, the greater the chance of your expectations being met.
Buy or build patching tools
Submitted by Mark Joseph Edwards, Senior Contributing Editor for Windows IT Pro and News Editor of the weekly e-mail-based Security UPDATE Newsletter. He has been involved in the computing industry since 1982.
When considering patch management solutions, administrators should determine whether a particular solution covers all of their needs or at least their most important needs. Here are some important questions to ask:
- Does the solution handle your most prevalent and most important operating systems, applications and service platforms?
- Can the solution handle patch management from various major vendors?
- Can the solution audit which patches are installed against a database of patches that are available to install?
- Is the solution prone to false detection of installed or missing patches?
- Does the vendor provide reasonable support in the event of problems?
Even with a good patch management solution in place there still may be situations where you need to develop your own scripts or programs to make sure patches are installed adequately across all applications and platforms. The somewhat recent problem with the JPEG GDI+ vulnerability is a good case in point. Microsoft issued a patch and a tool that can scan systems to see if the patch is required. However, the particular DLL that contained the vulnerability is also distributed by many third-party vendors as part of their applications. Since Microsoft isn't in a position to know which of those third-party applications include the DLL, administrators found themselves scrambling to come up with ways to find all copies of the vulnerable DLL on their systems. Many resorted to writing their own scripts or programs to help with the discovery and DLL replacement process.
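The discovery step described above, as an added example that is not the author's script or any Microsoft tool: a Python inventory script that walks one or more roots, finds every copy of a named DLL regardless of filename case (Windows paths are case-insensitive, so `GdiPlus.DLL` and `gdiplus.dll` are the same library), and compares each copy's SHA-256 against hashes taken from a fully patched reference system. The article does not name the DLL; `gdiplus.dll` is assumed here as the GDI+ library in question, the "known good" hashes are constructed placeholders, and the hash allow-list stands in for reading the file's PE version resource so that the script runs on any platform for demonstration. The sample directory tree is constructed inline and mirrors the situation in the text: one patched system copy and two unpatched copies bundled by third-party applications.

```python
"""Inventory every copy of a named DLL under a set of roots and flag copies
whose hash is not on the known-patched list.

Added example, not from the original article. The article does not name the
DLL; gdiplus.dll is assumed to be the GDI+ library affected by the 2004 JPEG
vulnerability. The "known good" hashes are constructed placeholders standing
in for hashes an administrator would take from a patched reference machine.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

TARGET_NAME = "gdiplus.dll"  # assumed; the article does not name the DLL

# Placeholder allow-list: in practice, hash the DLL on a fully patched
# reference system and paste the real digests here.
KNOWN_GOOD_SHA256 = {
    hashlib.sha256(b"PATCHED GDIPLUS BUILD (constructed sample)").hexdigest(),
}


@dataclass
class Finding:
    path: str
    sha256: str   # empty string when the file could not be read
    size: int     # -1 when the file could not be read
    patched: bool


def sha256_of(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_dll_copies(roots, name=TARGET_NAME, known_good=KNOWN_GOOD_SHA256):
    """Walk each root without following symlinks and report every file whose
    name matches `name` case-insensitively. Unreadable (e.g. locked) files are
    recorded as unverified rather than silently skipped, so the report never
    understates exposure."""
    findings = []
    wanted = name.lower()
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            for fn in filenames:
                if fn.lower() != wanted:
                    continue
                full = os.path.join(dirpath, fn)
                try:
                    digest = sha256_of(full)
                    size = os.path.getsize(full)
                except OSError:
                    findings.append(Finding(full, "", -1, False))
                    continue
                findings.append(Finding(full, digest, size, digest in known_good))
    return sorted(findings, key=lambda f: f.path)


def unpatched(findings):
    """Copies that still need replacement (or manual verification)."""
    return [f for f in findings if not f.patched]


def build_sample_tree():
    """Construct a sample tree: one patched system copy, two stale copies
    bundled by third-party applications, and one unrelated file."""
    base = tempfile.mkdtemp(prefix="dllinv_")
    layout = {
        os.path.join("Windows", "System32", "gdiplus.dll"):
            b"PATCHED GDIPLUS BUILD (constructed sample)",
        os.path.join("Program Files", "VendorA", "GdiPlus.DLL"):
            b"OLD GDIPLUS BUILD bundled by vendor A (constructed sample)",
        os.path.join("Program Files", "VendorB", "bin", "gdiplus.dll"):
            b"OLD GDIPLUS BUILD bundled by vendor B (constructed sample)",
        os.path.join("Program Files", "VendorB", "bin", "readme.txt"):
            b"not a dll",
    }
    for rel, content in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    results = find_dll_copies([base])
    for f in results:
        status = "patched" if f.patched else "UNPATCHED"
        print(f"{status:10} {f.sha256[:16] or '(unreadable)':16}  {f.path}")
    print(f"{len(unpatched(results))} of {len(results)} copies need attention")
```

Run against real roots by passing, for example, `["C:\\"]` to `find_dll_copies` on a Windows host; the case-insensitive match is what catches vendor copies that were installed under a differently cased filename, and the explicit "unreadable" outcome is what keeps a locked file from being mistaken for a clean result.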
I recommend that all administrators charged with patch management consider joining PatchManagement.org's mailing list, or at least consider reading the Web-based archives from time to time. The mailing list is a fantastic resource where administrators share tips and know-how regarding their ongoing experiences with various patch management solutions, patch installation and troubleshooting, various related tools such as custom scripts and programs, and much more.
More patch management resources
- Essentials of Patch management policy and practice - Jason Chan
- Whitepaper on patch management process - Microsoft
- Procedures for handling security patches - NIST
Check out SearchWindowsSecurity.com's Learning Center: Simplified patch management for more best practices, news, tips, book excerpts and resources.
This was first published in January 2005