10:00 CET on the 30th August 2012 Entry written by Morten Stengaard, Director, Product Management & Quality Assurance.
What is Patch Management and how can we ensure that Secunia CSI supports a targeted and efficient patch management process?
About one year ago we asked ourselves this question, and we set out on a journey to find the answer. With the release of Secunia CSI 6.0 today, we are encouraging companies to take a targeted approach to patch management and supporting them in optimizing their current processes, and I strongly believe that we are setting new standards as to what can be expected from a complete patch management process as well as solutions supporting this. With Secunia CSI 6.0 we offer a patch management solution that is truly second-to-none, and which will help you increase the state of security in your environment as well as to comply with internal and external policies and regulations.
When establishing best practice recommendations as to what a complete patch management process should include – as well as any patch management solution that supports this – we believe four elements are essential: Vulnerability Intelligence (VI), Vulnerability Scanning (VS), Patch Creation (PC) and Patch Deployment (PD). That is, Patch Management (PM) is basically the sum of these four elements:
VI + VS + PC + PD = PM
Vulnerability Intelligence tells you which known threats are out there and which programs these affect. Various vendors provide vulnerability intelligence, and when deciding which source to rely on you would probably want to go for a trusted vendor in the industry, so that you can be confident that you get timely and vetted information.
The vulnerability intelligence then needs to be correlated with the actual programs that you have in your environment, so that you get a complete overview of your ‘portfolio’ of programs and related vulnerabilities. Hence, a patch management solution should include a scanning tool that automatically identifies all programs in your infrastructure and correlates this inventory with the vulnerability intelligence. When knowing the criticality of each vulnerability, as well as the number of hosts affected in your environment, you are able to prioritize your remediation work to get the most ‘bang-for-the-bucks’ or highest ROSI (Return on Security Investment) if you will.
Then you need to create the actual security update, or patch, to be deployed. I am sure every system administrator out there knows how much time is often spent on scripting and searching different vendors’ websites for information in the patch creation phase. Hence, it is needless to say that security updates provided ‘out-of-the-box’ can save you a lot of time and efforts. Patch creation capabilities and security updates offered out-of-the-box should therefore be an integral element in any patch management solution. And here I mean not only the updates available from the usual suspects, such as the top 5 or 10 third-party programs (in addition to Microsoft) that are available in some update catalogues, but a comprehensive solution with a catalogue, which is continuously being extended and tested by a dedicated team.
Finally, you need to be able to deploy the patches, for which some organisations use configuration management tools such as System Center Configuration Manager (SCCM) from Microsoft or Altiris Deployment Solution from Symantec, while others use the free and less feature-rich alternative from Microsoft, Windows Server Update Services (WSUS). No matter which patch deployment solution you use, this should be easily integrated with the other elements to make the patch management process as efficient as possible.
Secunia CSI 6.0 combines Vulnerability Intelligence, Vulnerability Scanning and Patch Creation with Patch Deployment tool integration to enable complete, reliable and cost-efficient Patch Management.
So with the release of Secunia CSI 6.0, I truly believe that we are setting new standards as to what can be expected from a patch management process and solution. But please have a test drive and judge for yourself.