Patch Management – Why it pays to PUSH

By | September 16, 2005

You may have the best security implementation in the world and a security policy that’s a model for the industry, but one small oversight or one missed patch and your network can become vulnerable.

Keeping track of all the upgrades and patches required is far from easy. In any one company, there may be a number of manufacturers’ websites and newsletters that the IT staff need to keep on top of to be aware of all the patches.

Then there’s the human element – updating patches and signatures is one of those tasks that’s too easy to miss. Something urgent comes up, or the update just doesn’t seem important enough, or there are simply not enough hours in the day.

Even if your IT staff have super-human dedication and attention to detail, downloading and installing patches takes up valuable time which could be spent on something more productive. Patches to network systems also require testing. Unfortunately, there are too many stories of applications being brought down by a new, untested security update.

How should companies overcome this problem? The first and most important step is to accept that there is a problem. IT staff aren’t perfect, and users are notoriously bad at running virus updates, whether it’s because they do not get round to it, or it slows their PC down too much, or because their laptop is away from the office when the update is scheduled.

Living with these human imperfections doesn’t mean accepting a lower standard of security. Companies can do a lot to automate patching and updating. At its simplest, this can mean ensuring that automatic updates are set up correctly, such as Windows Update and anti-virus updates on PCs. You might need to invest a little in updating to the latest versions, but it’s well worth it.

Another approach is centralised management of updates. There are limitations as to how effective this can be, for example, if users’ PCs are unavailable. It does however remove the responsibility of updating from the end user, making it more likely that updates happen when they should.

Using patch management can go a long way to reducing both manual errors and the time spent managing the problem. Ultimately, however, this whole approach is flawed. Even if you’re completely up to date, patches may be released too late, or can create new problems and system crashes. Keeping up with patches is difficult, particularly for smaller organisations with little IT resource.

At Network Box, we consider the patch management issue to be a major flaw in many companies’ approach to network security. The time between vulnerabilities being discovered and threats being released into the wild is shortening from weeks to days to hours, and it’s vital that security is updated as quickly as possible to counter these new threats.

On top of these new threats, the majority of virus attacks and hacks exploit network or software weaknesses that have been known about and preventable for some time. This demonstrates that, even for experienced IT staff, where a threat is known and well-publicised, it is still difficult to accurately configure and manage security solutions.

With these factors in mind, we have developed a ‘PUSH’ approach to security updates on our range of managed security appliances – this guarantees defences are always up-to-date whilst leaving network managers in full control of their networks. When one of our global operation centres identifies updated anti-spam, anti-virus or IDP signatures and software updates, they are automatically ‘pushed’ to each Network Box as soon as they are available. Since every Network Box is self-contained and sits on your internet gateway, these updates leave the functioning of your other network systems unaffected.

So regardless of the availability of IT staff or the size of the company, networks can be protected with the most up-to-date defences without the delay and complication usually associated with introducing patches or updates to network applications. And since many viruses are first spotted at weekends or overnight in the UK, these upgrades at the very least save the IT staff from out-of-hours calls, and may make the difference between a business being vulnerable or protected.

Our global network of operations centres operates 24 hours a day, 365 days a year, and the time taken from release of a new signature to having every Network Box updated is less than one minute – that’s a big improvement on the hours or days which most updates and patches take to be implemented using polling or ‘pull’ technology. For small and medium businesses without large IT resources, this can be a crucial improvement on security, ensuring they are protected 24×7 without having to put the equivalent internal resources and cost in place.
