Skip to main content
Tag

Reporting

patch management

Patch Management Solutions: What Matters in a Vendor

By Blog, Patch Management

Far too many successful cyberattacks have involved known vulnerabilities that were allowed to go unaddressed.

While it’s clear that no organization can afford to approach patch management haphazardly, the reality is few IT teams have the time or resources to do anything other than pick and choose which urgent tasks will receive their attention. To avoid this conundrum, savvy organizations will look to the various commercially available patch management solutions to help their IT departments take a more comprehensive approach to this highly critical mission.

What are the Hard & Soft Metrics?

It’s important to understand that not all patch management tools are created equal. Careful consideration is essential to ensure that a particular vendor and its solutions will meet an organization’s needs amid a backdrop of ever-evolving cyber threats.

Evaluation should initially focus on the “hard metrics” to determine how a prospective vendor’s core product features stack up against an organization’s key technical criteria. Designating specific criteria – patch coverage, support for third-party patches, ease of deployment, etc. – as “table stakes” will allow an IT team to quickly and easily identify solutions that align with their needs and eliminate other vendors from as the evaluation process progresses.

From there, IT leaders and operations teams can move to reviewing solutions for “soft metrics.”

These include patch coverage and other attributes crucial to comprehensive patch management, as well as the “decision trigger” features that have the potential to impact an organization significantly. For example, many IT teams would find the ability to run patch management from the cloud to be a considerable advantage, especially when devices are dispersed beyond their organization’s network, as is common in today’s remote and hybrid work environments.

What are the Solution’s Reporting Capabilities?

The importance of reporting can’t be overstated when evaluating potential patch management solutions. When reporting is optimal, IT staff will spend far less time compiling documentation for their organization’s Board and other key decision-makers.

Merely reporting a complex list of vulnerabilities can make a report almost unintelligible. The best patch management solutions allow organizations to draw actionable insights from their reporting to drive valuable security improvements. In most cases, unified solutions will enable better reporting. This is especially true when an organization’s coverage needs extend beyond assets that patching would traditionally cover, such as hardware devices on the IOT side

Bottom line: If a choice must be made between key product features and reporting capabilities, organizations will be better served by sacrificing some technical criteria for the sake of optimal reporting.

Where is a Vendor Directing Future Investments?

It’s essential to know if a vendor is investing for the future (they all are), but also whether or not they’re investing in the direction of where market demand is headed and at a pace that will keep up with that demand.

Firmware patch management, for example, is quickly becoming a critical problem within the IOT space, as doing so within its interface and with its reporting simply isn’t scalable because it’s poised to become an essential feature for many – if not most – organizations moving forward, a prospective vendor should already be directing investment toward that area.

It’s also essential to determine whether or not a vendor is striking a good balance between maturing their existing patch management platform and introducing new features, as those that are will be better able to reduce some of the disruptions that can accompany future innovation.

What About Automation and AI?

More than a buzzword, automation has become a significant driver of conversations surrounding patch management. With IT staff constantly being asked to do more with less, organizations are prioritizing anything that will alleviate the load and increase satisfaction in their day-to-day work. By this point and in this environment, every vendor should be focusing on developing automation capabilities that will allow IT teams to spend less time setting up patch deployment and management.

While AI is not currently impacting the patch management space, it is poised to do so in the very near future. Current AI isn’t 100% accurate but does exceptionally well when solving incredibly complex issues where accuracy isn’t important. If it can help move the needle in terms of prioritizing tasks, identifying change, and automating tuning of the dial, patch management would be an ideal space for utilizing AI

Take Away

Patch management should never be left to chance.

By taking the time to identify the right patch management tool and vendor for their needs, organizations will be much better positioned to ward off cyberattacks and ensure business continuity even in the face of ever-evolving security threats.

For more insight on choosing a patch management solution, check out this webinar with GigaOm CTO and research analyst, Howard Holton: Analysts Insights: Gigaom Radar for Patch Management.

April 11, 2023
Love0
|||||||||

Can You Trust Your Vulnerability Report?

By Patch ManagementNo Comments

Can You Trust Your Vulnerability Report?

Vulnerability reporting is critical, but not every patch management tool provides data you can rely on. Compare Microsoft ‘WSUS’ and Nessus to Syxsense.

IT Reporting Isn’t Always Accurate

If you have yearly governance audits, you know how stressful it can be when your patch management tool provides inaccurate reports or evidence that auditors can use to fail your accreditation. Let’s explore several industry standards to compare the results of the toolset against the devices themselves, to see if there are conflicts or discrepancies—something you should know before your audit.

We will base our accreditation on an industry standard of PCI/DSS compliance. Any company which processes credit card information should conform to a level of PCI/DSS. The different levels of PCI/DSS are dependent on the size of the business or transactions processed by that business yearly.

Another critical thing to note—if a data breach occurs, the amount of compensation paid in the form of fines vary dramatically on that level. This is why companies that process billions of transactions a year must attain the highest level of PCI/DSS to safeguard their business.

Evaluating WSUS and Nessus Reporting

The two well-known patch management tools we will use in this review are Microsoft ‘WSUS’ and Nessus. Nessus uses the Tenable detection engine and is know as one of the industry “go to” tools for audit software.

We have a device installed with Windows 10 Enterprise (1903) and Windows Server 2012 R2, and several updates are needed on both systems. To create a baseline for comparison, we have used Syxsense to deploy all updates missing to the device, and have rebooted multiple times to ensure all updates have taken.

Windows 10 Enterprise | Feature Update 1903

1. Syxsense records no updates are needed.

2. Next we performed a full scan of the device using Nessus which uses the Tenable detection engine.

Nessus reports two updates are needed.

3. We did the same for WSUS and performed a full scan.

WSUS reports everything is up to date.

Windows Server 2012 R2

1. Syxsense records no updates are needed.

2. Next we performed a full scan of the device using Nessus which uses the Tenable detection engine.

Nessus reports a huge host of updates are needed.

3. We did the same for WSUS and performed a full scan.

WSUS reports only 1 update is needed.

4. We downloaded the binary from the Microsoft site and tried to install it manually.  You can see from the screen shot that the update reported by WSUS was not actually needed.

Manually running the patch binary.

Examining the Results

We are most surprised that the patch management toolset, known globally as one of the best and most accurate detection toolsets, provided the most false positives against WSUS and Syxsense. If our customers were using this toolset alone, we can only imagine what issues they would have using these reports as evidence of compliance against PCI/DSS.

What should concern anyone using WSUS for their compliance needs is that WSUS reported an update was needed, but could not even be installed manually.

Many tools do not detect or correctly report patch supersedence (which is when a new patch makes the need for an old patch obsolete) and are showing that superceded patches are required and devices are non-compliant or vulnerable even though they are in-fact fully patched and complaint.

Can you imagine failing a PCI/DSS because of vulnerabilities which you were not even vulnerable for?

Leverage Syxsense Vulnerability Reporting

Over the few tests conducted, Syxsense proved to be the most consistently reliable at detecting the updates needed. If you are not using Syxsense for your vulnerability reporting, we recommend using multiple patch management toolsets to compare multiple sources. However, the penalty for failure for any breach could cost millions of dollars.

Additionally, Syxsense allows you to manage and secure vulnerabilities exposed by open ports, disabled firewalls, ineffective user account policies, and security compliance violations from remote workers. Gain visibility into OS and third-party vulnerabilities while increasing cyber resilience through automated patch management and vulnerability scanning.

Experience the Power of Syxsense

Syxsense is a cloud-based solution that helps organizations manage and secure their endpoints with ease. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo
April 15, 2020
Love0