How to Compare Patch Management Software
Agent or agent-less? Point solution or suite component? CISOs and analysts offer dos and don'ts for finding the patch management software that's right for your organization.
By Mary Brandel
November 09, 2009 — CSO —
Patch management software helps organizations acquire, test and install code to fix known vulnerabilities in operating systems and applications. It also helps them assess exposure and prioritize patches (given your specific environment), identify missing patches that need to be remediated and produce real-time reports for compliance and other auditing needs.
Since its emergence early this decade, patch management has become "operationalized," says Ronni Colville, an analyst at Gartner. For instance, the function is being subsumed into PC configuration management vendors' suites, such as Symantec (Altiris) and Avocent (LanDesk). However, she says, in most cases, these systems don't offer the richness of capability provided by point solutions.
Three main players remain in the point solution market: BigFix, Lumension and Shavlik. Still, Colville says, "no vendor can make a full business on just patch management, so they've brought in other functions." For instance, BigFix has broadened its security focus to include more configuration functions (such as inventory and software distribution), she says, while Lumension and Shavlik have begun to include functions such as security configuration, endpoint vulnerability assessment, and data leakage prevention.
Meanwhile, some companies continue to use Microsoft Windows Server Update Services (WSUS) to patch Windows operating systems and applications because it's free, but it's also more manually intensive.
Patch Management Package Selection: Two Prime Considerations
Configuration management versus patch management. A primary decision is whether to turn to a configuration management system for its patch capabilities or to a point product that may or may not also offer configuration capabilities. According to Colville, the reasons organizations choose the latter is they're not ready to commit to a full lifecycle configuration suite, or their current configuration management tools don't provide a best-of-breed patch management capability. The trade-off of having both in your environment, of course, is the need to deal with multiple agents and consoles.
Eric Maiwald, an analyst at Burton Group, suggests first evaluating your configuration management system for its patch management capabilities, since it might be advantageous and less expensive to maintain the same architecture for both functions, especially if it already works well in your environment. However, if you change your mind, the functionality will be more difficult to remove because the single-vendor approach means the software is embedded more deeply into your architecture.
Agent versus agentless. As Shavlik explains, agentless systems are based on push technology and on a centralized design. Server-based software scans the machines in the enterprise and initiates all actions on those machines. With agent-based solutions, client-based software scans the machine and communicates its findings back to the central console.