What to look for in a patch management solution

Welcome to part 2 of our Patch Management Basics series. In part 1, Learn patch management, we covered what patch management is, how it differs from vulnerability management, and which components make up a good patch management program.
In this article, we’re going to go a step deeper and explore the features that make up a great patch management solution. While we could spend days covering the data points as to why a patch solution is required, if you have landed here, you likely already know that!
Let’s jump right in.
What are the must-have features of a patch management solution?
When considering a patch management solution, the following is a list of features and capabilities that should be provided:
- Support multiple operating systems
- Device and group policies
- Third-party application patching
- Auto and manual approvals
- Security safeguard reporting
- Custom profiles and scheduling
- Perform a pre-deployment self-audit
- Configure a patch cache
- Configure a patch reboot on demand
- Create patch profiles
- Configure patch auto approvals and declines
- Deny patches for a specific piece of software on a single device
- Set a delay on a patch auto-approval rule
- Adjust the order of the automatic approval rules
- Run a patch on demand
- Delete a patch-on-demand task
- Remove an installed patch
- Install a patch immediately
- Create a patch install maintenance window
- Patch management reporting
- Review patches installed on a device
- Monitor patches and generate alerts as configured
- Disable patch management on a single customer
What problems should these patch management features solve?
When considering a patch management solution, it is important to identify what your biggest patching workloads are and to what degree that workload can or should be automated.
Typically, the largest workloads for patching are centered around four areas: deployment, approval, remediation, and reporting. Each of these major workloads has its own challenges that a patch management solution could help resolve.
- Deployment: Deploying patches by hand is difficult at small scale and impractical at large scale. IT teams and MSPs have to juggle patch types, multiple operating systems, deployment timing that does not disrupt the business, which devices to patch, and which patches to deploy or withhold.
- Approval: Patch approval means different things to different organizations, and the trouble starts when the solution cannot express approvals at a granular level. Most approval processes include a set testing period, or a delay between a patch becoming available and its deployment to the wider fleet. Those controls matter, but there are also cases where a critical device or a line-of-business application depends on a specific version of a common component or operating-system feature and would break on a newer one. Those devices need an explicit, per-device exception rather than the fleet-wide default, and the exception has to take precedence over the broad auto-approval rules.
- Remediation: Patch remediation is inevitable; some patches will always fail. A failed or partially applied patch leaves the vulnerability it addresses open, so failures have to be surfaced and tracked rather than silently retried. Without a process that is agreed in advance and then enforced through the patch solution, responding to failed patches can quickly turn from a quick check-up into a much bigger mess.
- Reporting: Patch reporting is much more than a dashboard view of what is missing. It includes evidence for compliance requirements, the trend over time from less secure to more secure (for example, the number of devices missing critical patches week over week), and performance and accountability during any manual remediation.
The final challenge that those seeking a solution for patch management will need to solve is to find a solution that will enable them to do all the above at scale—these challenges need to be met and overcome across potentially tens of thousands of devices.
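The approval behaviours above, ordered rules with a soak delay and a single-device decline that must sit ahead of the broad auto-approve rule, are easier to reason about in code. The following is an added example written for this article, not code from the original page or from any N-able product; the rule names, KB identifiers, products, and device names are all constructed.

```python
"""Ordered patch auto-approval rules with delays and per-device declines.

Added example to illustrate the approval behaviours discussed above; it
is not code from the article or from any N-able product. Rule names,
KB identifiers, products, and device names are all constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Patch:
    kb: str            # constructed identifier, not a real KB number
    product: str       # e.g. "Windows 11" or "Adobe Reader"
    severity: str      # "critical", "important", "moderate" or "low"
    released: date     # vendor release date; delays count from here


@dataclass(frozen=True)
class Device:
    name: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """One auto-approval rule. A field left as None matches anything."""
    name: str
    action: str                                 # "approve" or "decline"
    severities: Optional[FrozenSet[str]] = None
    products: Optional[FrozenSet[str]] = None
    devices: Optional[FrozenSet[str]] = None    # single-device exceptions
    groups: Optional[FrozenSet[str]] = None
    delay_days: int = 0                         # soak / testing window

    def matches(self, patch: Patch, device: Device) -> bool:
        if self.severities is not None and patch.severity not in self.severities:
            return False
        if self.products is not None and patch.product not in self.products:
            return False
        if self.devices is not None and device.name not in self.devices:
            return False
        if self.groups is not None and not (device.groups & self.groups):
            return False
        return True


def evaluate(rules: List[Rule], patch: Patch, device: Device,
             today: date) -> Tuple[str, Optional[str]]:
    """First matching rule wins, so list order is part of the policy.

    Returns (decision, rule_name) where decision is "approved",
    "pending" (approved, but the delay has not elapsed), "declined",
    or "manual" (no rule matched; a human must decide).
    """
    for rule in rules:
        if not rule.matches(patch, device):
            continue
        if rule.action == "decline":
            return "declined", rule.name
        if today < patch.released + timedelta(days=rule.delay_days):
            return "pending", rule.name
        return "approved", rule.name
    return "manual", None


# Constructed rule set. The per-device decline protects a finance PC whose
# line-of-business app only works with the Adobe Reader build it shipped with.
DENY_READER_ON_FIN_PC = Rule(
    name="decline Adobe Reader on FIN-PC-07",
    action="decline",
    products=frozenset({"Adobe Reader"}),
    devices=frozenset({"FIN-PC-07"}),
)
APPROVE_CRITICAL = Rule(
    name="auto-approve critical",
    action="approve",
    severities=frozenset({"critical"}),
)
APPROVE_IMPORTANT_SERVERS_DELAYED = Rule(
    name="auto-approve important on servers after 7-day soak",
    action="approve",
    severities=frozenset({"important"}),
    groups=frozenset({"servers"}),
    delay_days=7,
)

# Correct order: the narrow exception sits ahead of the broad approval.
GOOD_ORDER = [DENY_READER_ON_FIN_PC, APPROVE_CRITICAL, APPROVE_IMPORTANT_SERVERS_DELAYED]
# Wrong order: the broad critical rule fires first and the exception is dead code.
BAD_ORDER = [APPROVE_CRITICAL, DENY_READER_ON_FIN_PC, APPROVE_IMPORTANT_SERVERS_DELAYED]

# Constructed sample patches, devices and evaluation dates.
READER_CRITICAL = Patch("KB-EXAMPLE-1", "Adobe Reader", "critical", date(2024, 1, 2))
SERVER_IMPORTANT = Patch("KB-EXAMPLE-2", "Windows Server 2022", "important", date(2024, 1, 15))
DRIVER_LOW = Patch("KB-EXAMPLE-3", "Printer driver", "low", date(2024, 1, 15))
FIN_PC = Device("FIN-PC-07", frozenset({"workstations", "finance"}))
SRV_01 = Device("SRV-01", frozenset({"servers"}))
TODAY = date(2024, 1, 20)      # five days into the server soak window
SOAK_OVER = date(2024, 1, 22)  # released + 7 days


if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, evaluate(rules, READER_CRITICAL, FIN_PC, TODAY))
    print("server, day 5 of soak:", evaluate(GOOD_ORDER, SERVER_IMPORTANT, SRV_01, TODAY))
    print("server, soak over:", evaluate(GOOD_ORDER, SERVER_IMPORTANT, SRV_01, SOAK_OVER))
    print("no rule matches:", evaluate(GOOD_ORDER, DRIVER_LOW, SRV_01, TODAY))
```

Running it shows the point of the "adjust the order of the automatic approval rules" feature: with the broad critical rule listed first, the finance PC gets the Adobe Reader patch anyway and the exception never fires. The "manual" outcome is deliberate; a patch that matches no rule should land in a review queue rather than be silently approved or silently dropped.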
Going beyond solving problems and driving a positive business impact
The rise in security threats over the past five years has led to advances in patch management solutions, not only in the capabilities they provide but also their adoption by companies large and small.
From the increased focus and attention patch management has received, new processes, policies, and automations have been created to help MSPs and IT teams manage the onslaught of applications, patches, and precautions required to correctly navigate this critical workload.
The result has been the arrival of additional functionality to help keep teams focused on the difficult problems rather than dealing with routine and mundane manual bumps that occur in what should be an otherwise automated process.
Some of the key capabilities that reduce the manual work still required (even with an existing patch solution) include:
- Out-of-band Microsoft patches
Patch solutions typically address Microsoft's regular monthly release cycle. While this covers a large portion of the day-to-day workload, Microsoft also releases out-of-band patches outside that cycle, usually for critical vulnerabilities that are already being exploited. Without support for out-of-band patches, your techs will be hurled back into the patching Stone Age, deploying manually or seeking additional tools to force out the patch.
- Out-of-the-box third-party application patch automation
It may be hard to believe, but the ability to deploy not just Microsoft patches but also common third-party patches is not a top priority for all patch solution vendors. Maybe they believe Microsoft is enough, or maybe they see building and maintaining a third-party patch catalog as too difficult. Whatever the reason, third-party applications such as browsers, PDF readers, and runtimes are common attacker targets, so a well-maintained third-party catalog is critical to keeping them current without manual intervention.
- Off-network and closed-network
There is no question that the Future of Work and Work From Home (WFH) movements are here to stay, so MSPs and IT teams need to patch devices that are not on the corporate network or VPN. That part is straightforward with an agent that reaches the management platform over the internet. Closely related, and harder, is closed-network patching. Closed, or non-internet-connected, networks are used all over the world to provide computing power in high-security locations and organizations, and patches have to be staged into them through a local repository or patch cache that is fed offline. Patch solutions that accommodate off-network and closed-network processes out of the box help prevent reverting to outdated and inefficient patching practices.
- Detect and fix problems on the fly without rebooting
Most users accept that a patch run may require a reboot, but reboots are a frequent source of friction between MSPs and their clients, or IT teams and their end users. Specifying how, when, and with how much warning a reboot will happen is no longer a nice-to-have. Users are connected more, and for longer, than ever before, so control over reboots matters even after feature updates and full OS upgrades. One caveat worth keeping in mind: a kernel or OS feature update is not actually in effect until the device restarts, so a device reporting "installed, reboot pending" is still exposed to the vulnerability the patch addresses. What a patch solution can realistically offer is to avoid unnecessary reboots, detect and recover from failures and reboot requests mid-cycle, and give fine-grained control over when the unavoidable reboots happen.
- Wake sleeping devices, the patch must go on
Finally, with flexible working hours now the norm, devices are powered on and off at more unpredictable times than ever. That makes it hard to keep networks secure and hit patch SLAs when target devices are asleep or off during the maintenance window. Having a wake, or Wake-on-LAN, capability is another key requirement for a top patch management solution. Devices typically offer one or two ways to be woken: a hardware-based method supplied by the manufacturer, in which the network adapter listens for a "magic packet" broadcast on the LAN and powers the machine on, or a software method such as Windows power management, where a scheduled task can be configured to wake the computer to run, allowing programmatic wake-ups. Wake-on-LAN has to be enabled in firmware and in the adapter's driver settings, and because the magic packet is an unauthenticated broadcast, anyone on that network segment can wake the device.
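The hardware wake method above is simple enough to show end to end. The following is an added example written for this article, not code from the original page or from any N-able product; the MAC addresses in it are constructed, and the port choice is an assumption (port 9 is the usual discard port used for Wake-on-LAN, with 7 also common).

```python
"""Wake-on-LAN magic packet: build, validate, and send.

Added example illustrating the hardware wake method described above; it
is not code from the article or from any N-able product. The packet
layout is the standard one: six 0xFF bytes followed by the target MAC
address repeated sixteen times, sent as a UDP broadcast (port 9 here;
port 7 is also common). The MAC addresses used are constructed.
"""
import re
import socket

# Six hex octets separated consistently by ":" or "-", or not at all.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
SYNC_STREAM = b"\xff" * 6
MAGIC_PACKET_LEN = 6 + 6 * 16   # 102 bytes


def parse_mac(mac: str) -> bytes:
    """Return the 6 raw bytes of a MAC given in any of the common text forms."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[-:]", "", mac))


def build_magic_packet(mac: str) -> bytes:
    """Sync stream followed by the target MAC repeated 16 times."""
    return SYNC_STREAM + parse_mac(mac) * 16


def mac_from_magic_packet(packet: bytes) -> str:
    """Validate a datagram as a magic packet and return the MAC it targets.

    The packet carries no authentication, so anything on the broadcast
    domain can wake the device; this parser is also what you would use
    to detect unexpected wake traffic.
    """
    if len(packet) != MAGIC_PACKET_LEN or not packet.startswith(SYNC_STREAM):
        raise ValueError("not a magic packet")
    mac = packet[6:12]
    if packet[6:] != mac * 16:
        raise ValueError("MAC repetitions do not match")
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet and return the number of bytes sent.

    From another subnet, pass that subnet's directed broadcast address
    (for example 192.168.10.255) and make sure the routers forward it,
    or run this from a host that sits on the target LAN.
    """
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    import sys
    # Constructed default MAC; pass the real one on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "00:11:22:33:44:55"
    print(f"sent {send_magic_packet(target)} bytes to wake {target}")
```

Before relying on this in a maintenance window, confirm the target has Wake-on-LAN enabled in firmware and in the adapter's power-management settings, and that the maintenance window leaves enough time between the wake and the patch run for the device to finish booting.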
What to look for in a patch solution vendor
Now that we have covered the features and the problems that MSPs and IT teams face with patch management, we can start to formulate what a good patch solution vendor might provide.
It goes without saying that the above capabilities are needed, but more so there should be a commitment from the vendor that they will continue to drive forward their patch solution capabilities. Particularly surrounding the expansion and maintenance of third-party patch applications.
In addition, a good patch solution vendor should give your staff the tools and resources they need to learn, train, and become familiar with the policies and practices that make them effective, while also demonstrating how the vendor's technology helps enforce and facilitate those policies and procedures. Access to security technology experts, online and one-to-one training, and peer consulting are all things vendors can, and should, provide to their partners.
As we outlined in part 1 of this series, patch management solutions are only here to enforce and automate the policies and procedures that we have designed to keep our networks safe. Matching the right solution to your current and future needs is the best measure of the right patch solution for you.
If you’re looking for a patch management solution, N‑able N‑central offers powerful, intelligent, and reliable patching whether you’re an in-house IT team or an MSP. Learn more about N‑able N‑central’s patch management capabilities.
Joe Kern is Senior Product Marketing Manager at N‑able
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only. It should not be relied on for legal advice. N‑able makes no warranty, express or implied, and assumes no legal or other liability for the accuracy, completeness, or usefulness of any information contained in this document.
N-ABLE, N-CENTRAL and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common-law marks, registered, or pending registration with the U.S. Patent and Trademark Office or in other countries. All other trademarks mentioned in this document are used for identification purposes only and are trademarks (or registered trademarks) of their respective companies.