IT Briefcase Exclusive Interview: Security Patch Management with Lawrence Garvin, SolarWinds

Patch management has been a recurring issue and topic of discussion within organizations for years. As hackers become more evolved and develop new methods to exploit vulnerabilities, managing computer security becomes increasingly critical.

In the below interview, Lawrence Garvin from SolarWinds explains how security patch management can operate as one of the best lines of defense for protecting a corporate computing infrastructure.

• Q. In your opinion, what impact can effective patch management have on an organizations level of IT security?

A. It will absolutely increase the level of IT security. A SolarWinds Patch Management survey conducted earlier this year indicated that 17% of respondents reported a security incident that could have been prevented by a patch that was available, but not installed.

If we look back, historically, at the most notable major exploits affecting Microsoft products, they were all attacks that came after the availability of a patch:

• * Code Red (Jul 2001) – MS01-033 rel. Jun 2001
• * Nimbda (Sep 2001) – MS01-027 rel. May 2001 and MS01-044 rel. Aug 2001
• * SQL Slammer (Jan 2003) – MS02-039 rel. Jul 2002

We continue to see similar issues today, except they are targeted to Adobe Flash, Oracle Java, and Adobe Reader.

Installing available patches is the single most significant (and easiest) thing that an organization can do to protect themselves from the technology security threats present in the world today.

• Q. What do you see as the biggest administrative challenges that companies face when trying to optimize security patch management?

A. Not having a structured patch management process with appropriate tools in place. As a result, we see three manifestations:

• * Microsoft security updates are applied unilaterally without appropriate risk analysis (because they are unilaterally available through Microsoft Update or WSUS). Sometimes these security updates cause bigger operational issues than the risks they’re designed to protect against.
• * A critical lack of awareness of the availability of third-party security updates, combined with a lack of awareness of the application footprint installed in the organization. It’s not uncommon for an organization to have multiple (insecure) versions of Java, Flash, and Reader installed. Each of these versions present their own collection of security risks.
• * Where awareness does exist, and even assuming a proper process definition is in place, the failure to implement an appropriate toolset for centrally managing the patching of third-party applications. Despite the availability of tools from a number of vendors in recent years, I’m continually surprised by the number of WSUS and Configuration Manager administrators who are unaware that their existing platforms can be extended to assist with the management of third-party patching.

• Q. It is now thought that up to 80% of viruses are transmitted through third party applications. How can effective patch management help businesses overcome this security issue?

A. Current patch management practices are critically dependent upon the end-user invoking each of the various update prompts for the products installed on their system that have automatic updating capability. Typically these prompts inject themselves into the end-user’s environment while they are trying to complete other work (or when the product needing an update has been launched to do that work). In addition, many third-party products do not have this capability, or it has to be invoked manually, which means it never gets invoked. An effective patch management strategy requires the centralization of this process, and the removal of the obligation, and choice, from the end-user, combined with the scheduling of the patch installations at the earliest possible time with the least disruption to the worker’s productivity.

• Q. How has the evolution of BYOD affected security patch management, and how can organizations begin to overcome these threats?

A. BYOD presents special challenges to an organization because typically the device must be configured to be centrally managed, either through policy-based settings, or the installation of agent software. Additionally BYOD devices are exposed to external networks with exponentially higher risk factors for infection.

Until recently, the only major area this presented concern was with Windows-based notebooks. Smartphones have not generally been a risk factor because of the control exerted by the carriers and software vendors regarding the ability to install software, which mitigated the likelihood of infection to a great extent.

However, recent developments in the Android market have brought entirely new considerations to risks associated with Android-based devices, both personally owned, as well as company owned – although the latter are less likely to be installing such apps from the Android marketplace.

In addition, we also have the introduction of Windows 8 devices, some of which will continue to be patched in the traditional manner (e.g. via Microsoft Update or WSUS), but Windows RT and Windows Phone 8 will  only be updatable via the Windows App Store. The inability to centralize the management of these devices (or require additional investment, e.g. Intune and System Center Configuration Manager) will complicate matters significantly.

• Q. How can tools such as Patch Manager, PatchZone, and the new Head Geek program offered by SolarWinds help companies improve patch management and, therefore, get a leg up in the IT security battle?

A. SolarWinds Patch Manager brings the ability to inject the necessary third-party updates into the WSUS and SCCM environments, supplementing the centralized capabilities already provided for Microsoft products. It allows the patch management processes for the operating system and all applications to be managed as a single process, rather than multiple independently-managed distributed processes.

PatchZone provides a vendor-neutral information source for all topics related to patch management. This includes:

• * Information regarding the availability of updates for third-party products, as released by vendors
• * Conversations about patch management best practices
• * Suggestions and guidance for the use of patch management products

The Head Geek program brings dedicated and knowledgeable people into those conversations, specifically for the purpose of engaging with IT Professionals, and providing real-world ideas and practices for staying ahead of this ongoing battle with IT security.

Lawrence Garvin, M.S., MVP, MCITP, is a Head Geek and technical product marketing manager at SolarWinds, an IT management software provider based in Austin, Texas, and focuses on SolarWinds Patch Manager. He has been working with Microsoft Windows Server Update Services (WSUS) and Software Update Services (SUS) since the release of SUS SP1 in 2003, and update management, generally, since the creation of Windows Update in 1998. Prior to joining EminentWare (now part of SolarWinds) in 2009, he offered Windows Server Update Services expertise, as Principal/CTO of Onsite Technology Solutions,  to companies worldwide including deployment, implementation, and troubleshooting advice.  Lawrence is also an independent WSUS evangelist and is a frequent contributor to WSUS forums and other online community sites. .