Keeping company information, data, and IT services available and secure requires a comprehensive approach to endpoint patching and configuration management. This work is incredibly important, but without the advantages of an automated patch update service it is also incredibly time-consuming.
Inventorying equipment and software, detecting vulnerabilities, testing patches, scheduling updates, patch deployment — these tasks aren’t always a top priority with everything else IT and SecOps are required to do. For this reason, patching and updates often aren’t done as frequently or comprehensively as they need to be.
From an IT operations standpoint, this is partly understandable. Your IT department is constantly juggling priorities, and opportunity costs are always in play. Time they spend patching endpoints manually is time they could have used to provide more direct tangible value for your organization — such as supporting new business initiatives, ensuring uptime for CRM and other critical systems, and increasing bandwidth and network security. If patching begins to detract more and more from value-generating activities, IT departments have to start making tough decisions that can increase the company’s exposure to risk.
However, putting off the mundane tasks of cyber hygiene is becoming increasingly risky as attacks become more prevalent and sophisticated. And, as workforces grow more dispersed, the attack surface your company must secure continues to grow larger.
With the right solution for vulnerability patching, it is possible for IT and SecOps teams to keep their company safe and secure while supporting value-generating activities. The way to do this is by deploying the right automated patch update service.
How are you handling vulnerability patching today?
What does the right automated patch update service do that other tools can’t? A modern, automated patching platform is specifically designed to make applying updates and patches simpler, more accurate, and more secure.
It helps you avoid configuration drift. And it provides peace of mind when you know that you’re taking steps to institute good cyber hygiene enterprise wide.
If that doesn’t describe your approach to vulnerability patching, then you’re likely using legacy tools in one of two different configurations.
1. For small and medium sized companies, it’s Windows Server Update Services (WSUS) and a number of third-party patching tools for non-Microsoft programs.
2. For large and enterprise companies, it’s System Center Configuration Manager (SCCM) and a number of third-party patching tools for non-Microsoft programs.
Both WSUS and SCCM are notoriously complex to configure and cannot reliably report on update status and history. Continuing to use them today can be a sizable drain on time and resources. They are on-premises only, they aren’t built for multi-OS environments, and they require at least some manual labor for patching and verification.
Simply put, these legacy systems weren’t built for the ways that business systems are used today. So why do so many companies still rely on them? Because these tools are widely distributed and are thought of as free. However there are many hidden costs. (For in-depth information on this subject, see Automox’s whitepaper.)
Before we unpack the inherent cost and time inefficiencies of using only on-premises, single-OS, legacy technology, let’s first take a moment to remember how we got here.
It’s no coincidence that Microsoft released WSUS in the same year they formalized Patch Tuesday. That was all the way back in 2003. Once a month (and sometimes more often) for the last 18 years, Microsoft has broadcasted to the world all the vulnerabilities found in their software during the previous month. Other companies, such as Adobe, Oracle, and Linux/Red Hat, have followed Microsoft’s lead and also announce their vulnerabilities once a month or a few times per year.
But Patch Tuesday isn’t all bad news. Microsoft and the others also release patches that fix the vulnerabilities. Deciding which patches to apply and deploying them to the affected servers and endpoints is left up to each individual company. Once the vulnerabilities and the patches are announced to the world, the race to update and exploit begins.
Hackers, cybercriminals, black hats, jerks — call them what you will, there are a lot of people out there who want to steal your data. These bad actors also pay attention to Microsoft’s Patch Tuesday announcements and begin trying to develop exploits as soon as the vulnerabilities become public. Some vulnerabilities — called zero-day vulnerabilities — are immediately exploitable. And so, the day after Patch Tuesday has the de facto name Exploit Wednesday.
This constant arms race has become more high-tech and sophisticated in the almost two decades since it became official. But for the most part, WSUS hasn’t. This is a problem because a fully patched and correctly configured infrastructure is the cornerstone of strong corporate security.
System center patch management
The bad actors on Exploit Wednesday are betting that they can exploit the newfound holes in your network faster than your system center patch management can remediate them. And some of the exploits are extremely high-profile. Already this year, bad actors were able to weaponize a zero-day vulnerability to attack Microsoft Exchange servers.
According to a Ponemon Institute study, the majority (74%) of organizations believe that they can’t patch fast enough because they don’t have enough staff. This aligns with the fact that it takes 102 days on average to patch critical vulnerabilities. But lack of people might not be the only problem, as more than half (57%) of companies still use intensively manual processes like WSUS, spreadsheets, and emails to track and assign patching tasks.
When WSUS debuted in 2003, the world was much more Windows-centric. Though it is useful for patching Windows OS and Microsoft products, it offers only rudimentary endpoint management and is notoriously inefficient for handling modern infrastructure and multi-OS environments. Limited reporting and poor endpoint visibility can also create extra work for IT staff as they perform time-consuming manual tasks, such as checking endpoint patch status.
SCCM patch management limits your enterprise
For companies that know they’re too big for WSUS, Microsoft has a similar enterprise-level tool available to them. SCCM is a paid patch management tool that uses the WSUS platform to check for and apply patches. The difference is that it includes some automated patch management features and gives users more control over patch deployment. Even with these extra features, SCCM still doesn’t have the full complement of capabilities that modern patch management platforms offer and that IT and SecOps teams need.
One reason for SCCM’s prevalence is that many companies are already paying for it; enterprise-level Microsoft licensing contracts (E5 and E3) have SCCM built in. This means that the program is already available to your IT team and likely ticks the box for “patch management tools” in the minds of C-suite members and other purchasing decision makers. While legacy patching solutions may be a step up from manual patching, they can still be overly complex and tedious to use.
If you’re tired of working with outdated tools, then schedule a demo of Automox today and see how much simpler your life can be.
In addition, SCCM won’t cover all your bases. It is built on WSUS, and for that reason it integrates best with Windows-based systems. It does offer some support for patching alternative server and workstation OS, however these pathways can be difficult to configure. In fact, patching third-party apps is one of the top challenges for IT managers. To cover all their bases, they have to purchase multiple tools designed for patching alternative OS and third-party applications—adding significantly to the cost and complexity of patching.
On top of those add-on tools, SCCM requires a Windows server and a SQL Server license to run. This in turn requires more SQL expertise on your staff than would otherwise be necessary. And you will need to add your patch update server to the list of servers you need to patch. Instead of continuing to spend on outdated legacy tools that require manual work, moving to a comprehensive automated patching platform lets companies make an intelligent investment in their future.
As you can see, the costs of your “free” solution can add up quickly.
What is automated patching?
Automated patching works by automatically scanning every endpoint on your network to determine which devices need patching. Updates and patches can then be set for automatic deployment, as they’re available or at specific times based on rules you establish.
Automox achieves this by installing a lightweight (<10mb), cloud-native agent on all endpoints. Once installed, the agent displays endpoint patch status and automatically connects to Automox’s central policy engine to check for updates.
The advantages of an automated patch update service like Automox make endpoint management at scale more efficient so you can apply software updates and configurations to servers, workstations, and remote devices. Without the limitations of legacy tools, an automated patching platform can reach endpoints regardless of whether they’re connected to the corporate network — even those outside of a VPN.
Automated patching saves time and money
So, what does a quality automated patching and update platform look like?
1. Intuitive and easy to use
A well-designed solution does the labor intensive patching work for you from the start, so you can invest time on important tasks instead of learning a new solution. Automox achieves this by delivering service through a cloud native, SaaS platform that makes adding devices as simple as plug-and-play. There is no go-between server to configure or professional services team required to get started.
2. Deploys patches more quickly, accurately, and efficiently
The right automated patch management platform provides complete visibility of the current patch security for every endpoint in your infrastructure. Automox shows you all connected endpoints from a single pane of glass, allowing customers to manage their network from anywhere. This visibility increases patch accuracy, giving users control over which devices receive which patches and at what time. And it simplifies reporting with in-depth information on patch status and history so IT departments, executives, and compliance auditors can quickly view the information they need.
3. Deploys patches to different devices, OS environments, and schedules
Modern server rooms and BYOD workplaces run on multiple operating systems, and expectations for uptime are near 100%. A complete automated patching solution doesn’t make you choose between endpoint security and uptime, regardless of what devices are on your network or what OS they’re running. Automox is designed to work for Windows, iOS, and Linux, and can be configured with Worklets™ to automate patching for in-house and third-party programs too.
Step outside the perimeter with cloud patch management
A cloud patch management platform takes all the advantages of automated patching and makes them even more useful by increasing the speed and agility of threat responses.
With a cloud patch management platform, you can support a modern, remote workforce by removing the hassles of endpoint permissions. This eliminates the need for patching via VPN while enabling automated remediation of vulnerabilities on remote devices.
With a cloud-native cyber hygiene solution like Automox, there is zero infrastructure maintenance. Unlike legacy on-premises tools, there are no servers to procure and deploy and no patch repository or distribution points to build or duplicate if you have geographically separated locations. There’s nothing to download and install on a regular basis, no server provisioning, no ongoing maintenance. As a cloud-native solution, Automox only requires customers to install a micro-agent on endpoints in order to work.
The advantages of an automated patch update service mean that IT and SecOps teams can have confidence that their server and workstation cybersecurity is always running and easily available. Automox customers have told us that one of the advantages of an automated patch update service they appreciate the most is getting up to half of a full-time employee’s time back so they can work on priorities other than patching.
Automated patching is essential for today’s cybersecurity
The speed at which new vulnerabilities are being discovered and exploited has outpaced the capability of legacy tools to keep up. Upgrading from legacy, on-premises patching and update management tools to a cross-platform, globally available cyber hygiene platform enables companies to get a step ahead of cyber security threats. No matter how ambitious your cybersecurity goals are, they start with good cyber hygiene habits and a secure network.
If you’re still thinking about improved system center patch management as a tradeoff between security and productivity, then you’re using yesterday’s tools to fight tomorrow’s problems.
Instead, by implementing a capable automated patching and configuration management tool, your IT and SecOps teams can pursue more specialized security projects and devote more time to supporting value-generating activities.
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.