Saturday, October 11 - 2008

Patch management and client resilience

Today's IT organizations require a patch remediation solution that is fast, accurate, flexible, and easy to use. Why? Because failure to patch is one of the greatest security risks an organization can face.

  • Monday, January 16 - 2006 at 09:20


Keeping computers updated with the latest software patches is essential to protect company data from worm- or virus-based attacks. But in large organizations with hundreds or thousands of machines configured for diverse users, keeping systems current with the patches they need is an ongoing challenge for IT staff. All too often, unpatched software vulnerabilities leave systems exposed, and company data at risk.

This article looks at how a configuration and lifecycle management solution for client devices can help organizations achieve client resilience by enabling IT administrators to gain control of the IT environment and help ensure client devices are secure, available, and compliant with established corporate standards.

An increasingly urgent situation

As IT professionals know, patch management doesn't occur in a vacuum, but is part of the larger challenge of keeping systems running safely, consistently, and optimally. That challenge has become even more urgent recently given the following developments:

  • Over the first half of 2005, Symantec documented more than 10,866 new Win32 viruses and worms, an increase of 48% over the 7,360 documented in the second half of 2004. It was also an increase of 142% over the 4,496 documented in the first half of 2004. This massive increase in variants is important because each variant represents a new, distinct threat against which administrators must protect their systems and for which antivirus vendors must create a new antivirus definition.

  • In this same period, Symantec documented 1,862 new vulnerabilities. This was the highest number recorded since the Internet Security Threat Report began tracking new vulnerabilities in six-month intervals. 49% of these vulnerabilities were classified as 'high severity.'

  • Phishing continues to grow. Over the first six months of 2005, Symantec blocked 1.04 billion phishing attacks, compared to 546 million in the last six months of 2004, a 90% increase. Between January 1 and June 30, 2005, the volume of phishing messages grew from an average of 2.99 million messages a day to 5.70 million.

  • Organizations are under increasing regulatory pressure. Regulatory compliance - and the obligations it places on top management - is fueling the need for a tightly managed approach to patching. Consider the Sarbanes-Oxley Act. Compliance with Sarbanes-Oxley is not a one-time event. Instead, companies need to achieve sustainability in their compliance programs. This includes demonstrating the effectiveness of IT controls on an ongoing basis, including patch management.

Given such an atmosphere, it's understandable how failure to deploy patches promptly or correctly can cripple an organization.

Ensuring a resilient client

Symantec believes that the only way organizations can ensure their client systems are secure, available, and compliant with corporate standards is by effectively gaining control over the IT environment. And here a configuration and lifecycle management solution for client devices is essential. Such a solution can reduce the complexity and cost of managing the lifecycle of client devices by automating manual tasks (such as deploying and configuring client firewall and anti-spyware software), rolling out new devices, managing software patches, and retiring client devices.

With a configuration and lifecycle management solution, administrators can:

  • Identify and deploy missing patches. The solution should provide IT administrators with the tools needed to proactively and automatically execute an organization's patch management process. This includes scanning for and identifying installed, missing, and available Microsoft security patches; packaging and deploying appropriate patches using grouping and targeting capabilities; and providing accurate reporting.

  • Take control of the client environment. This is done by provisioning, configuring, and updating operating systems, applications, and hardware. Administrators should be able to automatically remove unauthorized applications and content (such as MP3 files). A security configuration library should be included to deploy and configure components including anti-virus, client firewall, anti-spyware, intrusion prevention, and end-point policy compliance for mobile and remote computers. The library should also include packages to deploy and configure Windows XP SP2, which provides a number of security enhancements.

  • Rapidly and continuously perform asset management tasks. This is essential for complete and accurate audits across distributed heterogeneous environments. The solution should provide tools for agentless discovery of network devices, agent-based hardware/software inventory management, software usage and license management. Administrators should also be able to detect unauthorized applications.

  • Create images, design packages, test standard configurations, and automate OS migrations. Administrators should be able to test configuration management tasks by deploying them to a test machine or virtual environment before deploying them across the organization and into the production environment.

  • Rapidly resolve end-user Help Desk issues. The solution's security features should provide organizations with the access control and encryption options they require to prevent unauthorized access and to promote compliance with corporate and regulatory standards. Security features should include default encryption of login information, mandatory passwords, host address blocking, numerous levels of authentication and AES encryption.

  • Rapidly restore information, operating systems, and applications. Administrators should be able to manage and resolve virtually any potentially disruptive event, from security threats to hardware/software failures, end-user errors, and constant business and technology change. For the enterprise, this means the ability to rapidly return clients to stable operations, no matter what happens.

Conclusion

In the first six months of 2005, the average time between the disclosure of a vulnerability and the release of an associated exploit was six days. During the same period, on average, 54 days elapsed between the disclosure of a vulnerability and the release of a patch by the vendor. This means that, on average, a period of 48 days existed between the release of an exploit and the release of an associated patch. During this time, either systems are vulnerable or administrators are forced to create their own workarounds to protect against exploitation.

Patching these vulnerabilities and preventing downtime can be a costly endeavor. Gartner Inc. has estimated that IT spends up to two hours a day managing patches, at a cost of about $300 per server to install a single patch.

To properly remediate, an IT team needs the right combination of tools and processes that allows them to efficiently and securely deploy updates, test patches, and roll back any changes, if necessary, to a specific point in time. With a configuration and lifecycle management solution for client devices, organizations are better able to eliminate system exposure to holes and vulnerabilities, ensuring client resilience, enhanced security, availability, and compliance with corporate standards.




Symantec Symantec, Middle East
Monday, January 16 - 2006 at 09:20 UAE local time (GMT+4)

Replication or redistribution in whole or in part is expressly prohibited without the prior written consent of AME Info FZ LLC / Emap Limited.


Disclaimer:
Articles in this section are primarily provided directly by the companies appearing or PR agencies which are solely responsible for the content. The companies concerned may use the above content on their respective web sites provided they link back to http://www.ameinfo.com

Any opinions, advice, statements, offers or other information expressed in this section of the AME Info Web site are those of the authors and do not necessarily reflect the views of AME Info FZ LLC / Emap Limited. AME Info FZ LLC / Emap Limited is not responsible or liable for the content, accuracy or reliability of any material, advice, opinion or statement in this section of the AME Info Web site.
