It’s a great idea to lock the front door of your house, but it doesn’t do you much good if you leave the garage door open when you drive away. Unfortunately, this is an accurate analogy for security patching at many companies.
Patching security vulnerabilities is an important part of every company’s IT processes. Companies that fail to stay on top of security patches run a significant risk of being exposed to viruses and could eventually become noncompliant with government regulatory requirements. As a result, IT departments have created strict internal processes for deploying patches. Despite this mature patching process, a significant security gap still exists at most companies.
What is Actually Being Patched?
A typical mid-sized corporate environment will have hundreds of applications in use throughout its offices, both onsite and remotely. These include corporate-installed applications like Microsoft Office or Adobe Acrobat; user-preferred applications such as iTunes, Firefox or Chrome; and “helper” applications such as Java and Flash. Each is a potential security hole. Yet, in many environments the monthly patching process focuses almost exclusively on Microsoft patches. When third-party software (i.e., non-Microsoft products) is addressed, it is generally limited to specific applications such as Java that are known to need frequent security updates.
While Microsoft patches do cover a large percentage of vulnerabilities, they still only account for approximately 40% of the total. In 2015 there were a total of 16,081 vulnerabilities that affected 2,484 applications from 263 vendors, according to a report by Secunia Research. These non-Microsoft weaknesses represent a glaring hole in the typical IT security process.
Addressing the Patch Gap
The patching of Microsoft products has developed into a mature IT process because of the tools that Microsoft provides. For example, Windows Server Update Services and System Center Configuration Manager enable seamless identification and deployment of needed updates in the environment. But what about non-Microsoft products?
Many companies have put manual processes in place to attempt to stay on top of a few of the more common products needing patches, such as Java and Adobe, but those are a small drop in a large ocean of products with vulnerabilities. Manual update identification and deployment is simply too unwieldy and inefficient to be a viable solution. To adequately account for all vulnerable products, a company needs a solution that is designed for the task.
There are multiple vendors addressing the third-party patching landscape. Two of the best are Flexera Corporate Software Inspector and Shavlik Patch. Both of these products integrate with Microsoft System Center Configuration Manager to allow a company to utilize its existing computer management processes and tools.
The Flexera and Shavlik products have slightly different feature sets and a different underlying way of integrating into Configuration Manager, but both will enable a company to get a better handle on its comprehensive software update process.
Whether at your home or with your company, the key to preventing unwelcome visitors is to make sure all the doors have been secured, even the doors not in plain sight. CDW’s consultants can help you understand the options that each vendor will provide and determine which will provide the best solution for your environment.