A stitch in time
QUEENIE NG / Singapore
FOR many MIS managers, patching or fixing software is not new. But with the
sheer number of patches released everyday and the shrinking time between announced
vulnerabilities and outbreaks, they are facing increasing demands to ensure
timely and accurate security fixes.
Patch management is a process to ensure that (after the need for fixes/patches
has been identified) patches are effectively prioritised, managed, scheduled
and implemented, and that all modifications to the computing environment are
recorded and managed properly.
Double trouble
Today, the lead bogeyman in patch management is not technical know-how, but
the volume and frequency at which new patches are released. According to the
CERT Coordination Centre, newly-discovered vulnerabilities double every year.
Besides having to patch vulnerable systems in time, an MIS
manager’s nightmare is exacerbated by the shrinking window of time between
the availability of a software patch and an outbreak.
Ang Ah Sin, regional marketing manager for Asia South Region, Trend Micro, cited
recent virus attacks as examples. In the case of the Nimda virus, Microsoft
released the first patch on October 17, 2000 and the virus only struck one year
later on September 18, 2001. In contrast, for the MSBlaster.A. outbreak on August
23, 2004, the company released the patch a mere 26 days before the start of
the attack.
This means that companies have less time to patch software, as the threats exploiting
announced vulnerabilities are materialising much faster.
Tough task
Beyond frequency, patching software, especially the core of an operating system
across a vast geographical network, is a complicated job.
Companies spend thousands of man-hours performing manual fixes. A wrong patch,
or failure to patch the systems that need it, may render the entire patch deployment
process useless. In addition, the deployment of incompatible patches may risk
crashing mission-critical applications. Worse yet, even one vulnerable system can lead
to an outbreak in the entire network. Since patch management requires tiresome
manual processes, Ang said ensuring a 100 percent success rate in patching
accurately and on time is difficult—especially in companies with a high
percentage of mobile users. “As such, in companies with 10,000 systems,
a 99 percent success rate will mean 100 vulnerable systems.”
The labour-intensive updating system which most companies are using today to
implement patches also creates another challenge—limited scope. Damien
Wong, vice president and general manager of Meta Group, Singapore, said that
many companies are inundated with just security fixes released by major software
vendors such as Microsoft. “With time and budgetary constraints, they
only have the resources to address their Microsoft server software, leaving
other server platforms and endpoints unpatched,” said Wong.
Yet the fact is Microsoft is not the sole offender in software vulnerability.
Over the past 12 months, members of the vulnerability research community have
discovered devastating software flaws in Cisco, Sun, Linux and other mainstream
platforms.
Country cousins
Another difficulty with patch management is the lack of integration testing
and validation within the process. Most companies have no method of testing
a patch’s potential conflicts with current software. “It is most
important [to test] software that is not related to the patched software. For
example, patching Windows may affect an Oracle database,” explained Wong.
For Asian companies, there is also the concern that patches may affect non-English
versions of OSs. “Since some patches are created immediately to correct
a vulnerability, the level of quality of a patch released hours after a vulnerability
disclosure can be limited on non-English operating systems,” said Mervyn
Alamgir, Product Line Manager, SonicWall.
Choice of three
With these constraints in patch management, vendors have come up with automation
tools to give MIS managers a hand. According to the Meta Group, patch management
tools can be divided into the following categories:
- Dedicated patch management tools: These support both endpoint
and server software. Some examples are PatchLink Update, BigFix Patch Manager,
Shavlik HFNetChkPro, and Configuresoft ECM/SUM.
- Server automation/management tools: These offer broader
OS support and additional management capabilities. Examples are Opsware, BladeLogic,
CenterRun, and Consera.
- Electronic software distribution and management tools:
These perform more traditional application distribution and inventory functions.
Examples are Novadigm, Marimba, Novell ZENworks, and Microsoft SMS.
For companies that currently do not have any server/endpoint management or software
distribution/inventory tools, the research firm recommends that they should
consider products with built-in patch management capabilities. However, companies
that are only looking to augment their traditional management or distribution
solutions would be better served by implementing a dedicated tool for the task.
Wong said these solutions will be able to not only automate the targeting, distribution,
and installation of patches, but also the aggregation of new patches as they
are made available by software vendors.
Most companies are currently using a manual, ad hoc process in patch management,
which exposes them to security vulnerabilities and drains their limited IT resources.
But that is set to change.
The Meta Group predicts that 40 percent of IT organisations will implement dedicated
patch management processes and point solutions on their servers. By 2007, that
number will grow to 75 percent, including both servers and endpoints.
“The trend in Asia is very similar to that in the rest of the world, and
exacerbated by the fact that many companies operating regionally have to contend
with geographical and regulatory diversity,” said Wong. Even with these
multiple complexities associated with patch management, companies are advised
to grit their teeth and get on with the job of patching.
It is either that—or risk suffering the attacks exploiting the thousands
of vulnerabilities discovered every year.
Ng Chee Yong, chief executive officer of IMR, a data
security firm appointed to distribute, market and service PatchLink Update
in Asia, suggests that companies go through the following cycle:
- Constantly monitor each vendor for new patches.
- Test these patches in a controlled environment.
- Deploy the patches to each computer.
- Generate reports to confirm that all patches are properly applied and maintained.
- Maintain security to ensure that no systems are compromised in the process.
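The reporting step of that cycle is where the "99 percent of 10,000 systems" problem becomes visible: a report has to name the systems that are still missing required patches, not just give an overall percentage. The following is an added example, not code from the article, IMR, or any vendor mentioned in it. It assumes a constructed inventory of hosts, placeholder patch identifiers (PATCH-001 and so on) with made-up release dates, and a hypothetical rule that a patch missing for more than 30 days after vendor release counts as overdue.

```python
"""Patch-compliance report over a constructed host inventory.

Added example (not from the article or any vendor it names). It models
the reporting step of the patch cycle: for each host, which required
patches for its platform are absent, how many hosts are fully patched,
and which hosts have a patch that has been available for longer than a
chosen threshold. All host names, patch ids and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Patch:
    patch_id: str            # constructed placeholder id, e.g. "PATCH-001"
    released: date           # date the vendor made the patch available
    platforms: frozenset     # platforms the patch applies to


@dataclass
class Host:
    name: str
    platform: str
    installed: set = field(default_factory=set)   # patch ids present on the host


# Constructed sample data: three required patches across two platforms.
REQUIRED = [
    Patch("PATCH-001", date(2004, 7, 1), frozenset({"windows"})),
    Patch("PATCH-002", date(2004, 7, 20), frozenset({"windows", "linux"})),
    Patch("PATCH-003", date(2004, 8, 1), frozenset({"linux"})),
]

# Constructed sample inventory, as an inventory tool might export it.
INVENTORY = [
    Host("ws-01", "windows", {"PATCH-001", "PATCH-002"}),
    Host("ws-02", "windows", {"PATCH-001"}),
    Host("db-01", "linux", {"PATCH-002"}),
    Host("db-02", "linux", {"PATCH-002", "PATCH-003"}),
]

REPORT_DATE = date(2004, 8, 23)   # constructed "as of" date for the report


def missing_patches(host, required):
    """Required patches for the host's platform that are not installed on it."""
    return [p for p in required
            if host.platform in p.platforms and p.patch_id not in host.installed]


def compliance_report(inventory, required, as_of, max_age_days=30):
    """Summarise patch status across the inventory.

    Returns per-host missing patch ids, the count of fully patched hosts,
    the compliance ratio, and the hosts with at least one patch that has
    been available for more than max_age_days (the overdue threshold is a
    hypothetical policy value, not one from the article).
    """
    per_host = {}
    overdue = []
    for host in inventory:
        missing = missing_patches(host, required)
        per_host[host.name] = [p.patch_id for p in missing]
        if any((as_of - p.released).days > max_age_days for p in missing):
            overdue.append(host.name)
    compliant = sum(1 for m in per_host.values() if not m)
    return {
        "per_host": per_host,
        "compliant": compliant,
        "total": len(inventory),
        "ratio": compliant / len(inventory) if inventory else 1.0,
        "overdue": overdue,
    }


def run_report():
    """Convenience wrapper over the constructed data above."""
    return compliance_report(INVENTORY, REQUIRED, REPORT_DATE)


if __name__ == "__main__":
    report = run_report()
    print(f"{report['compliant']}/{report['total']} hosts fully patched "
          f"({report['ratio']:.0%})")
    for name, missing in report["per_host"].items():
        if missing:
            flag = " OVERDUE" if name in report["overdue"] else ""
            print(f"  {name}: missing {', '.join(missing)}{flag}")
```

The per-host list is the part that matters operationally: an aggregate ratio of 50 percent (or 99 percent, in the article's example) tells an MIS manager nothing about which machines to visit, whereas the overdue list gives a prioritised worklist driven by how long each patch has been available.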