Evaluating patch management software: 6 key considerations

What is patch management software?

Patch management software helps IT departments acquire, test and install code changes for the software running in the enterprise. It can also assess vulnerabilities within the software, prioritize patches and produce reports on patching activities and status.

“It will help you with all the change management issues that exist with patch management,” says Terrence Cosgrove, an analyst in Gartner’s IT Service Automation research group. “It will help you stick to maintenance windows, and it will do things that will make this as unobtrusive as possible. Then it will report to you how successful you’ve been and how compliant you are. At a high level, that’s what the tools do.”

Patch management software is a critical capability within IT environments today, as successfully deploying patches (a large portion of which fix vulnerabilities in the code that can be exploited by hackers) has become both increasingly complex and critical.

Organizations typically have a wide range of operating systems and applications running on numerous devices in various locales (on premises and in the cloud, in on-site devices and in remote and mobile endpoints), which makes tracking and prioritizing patches as they’re released by vendors a daunting task without the help of electronic tools.

At the same time, attackers continue to exploit known software code vulnerabilities and are expected to do so as organizations struggle to keep up with patches. In fact, Gartner, the information technology research and advisory company, forecasts that 99 percent of the vulnerabilities exploited by the end of 2020 will be known to security and IT professionals at the time of the incident.

The best patch management software may be multiple tools

Given the breadth of software systems in any given organization and the volume of patches being released by vendors, it’s not surprising that a number of patch management software options are available to handle the load.

Most IT departments will need more than one patch management tool, as some tools work better with certain systems and types of platforms, experts say.

“There are a few tools that really go as broad as possible, meaning they try to patch everything, but outside of small and midsize organizations, for, say, any with more than 1,000 employees, they will need several different patching tools in most cases,” Cosgrove explains.

He points to Microsoft’s System Center Configuration Manager, a widely used system that works well for Microsoft software but isn’t as useful for managing patches for non-Microsoft software systems, as case in point. Many enterprise IT shops use that for Windows patches but implement other patch management tools to handle patches from other vendors.

Additionally, patch management tools can be delivered and configured in various ways. They can run on premises or in the cloud. They can be appliance-based, stand-alone solutions or part of a larger software product suite.

Moreover, patch management tools are sometimes offered as part of client and server lifecycle management suites or plug-ins that augment those products, Cosgrove adds.

Patch management tools generally offer a similar list of functionality, including capabilities for IT asset inventory, cataloging patches within the company’s IT environment, patch prioritization, patch deployment and installment, and reporting.

Patch management tools also offer integration with other key systems within IT operations, such as IT asset management, lifecycle management and provisioning programs as well as security information and event management (SIEM) software products.

Experts agree, however, that the best patch management tools are those that best meet each organization’s own unique needs.

Patch management software comparison

IT leaders need to consider their environments, what systems they’re running and what management suites they have in place as they evaluate which patch management tools best suit their needs, says Richard Stiennon, chief research analyst at IT-Harvest, an industry analysis and consulting firm.

Stiennon and other consultants advise IT leaders to consider

• the type of systems that will benefit from the patch management tools being evaluated – whether it’s for Linux or Microsoft Windows for desktops, or other types of platforms; whether the patch management tool is designed for desktops, servers, laptops and mobile devices; and how that matches with the organization’s needs.
• whether a new system is being evaluated to support areas currently being patched manually or to replace an existing patch management capability and how costs and needed IT skills compare between what’s presently in place in the organization and what could be deployed.
• whether the patch management tool can communicate with multiple platforms – from network printers to hardware like switches and routers – so it can evaluate and patch a myriad of software platforms. “Multiplatform is key,” Stiennon says.
• whether an agent-based tool offers the right features or whether agentless is a better match for the organization’s environment and needs.
• how well can the patch management tool can handle various types of patching, such as patching endpoints in remote locations or patching third-party systems.
• and how much automation the tool offers.

Additional capabilities to consider

Scott Laliberte, managing director at Protiviti and leader of the consulting firm’sGlobal Information Security Practice, says it’s critical that the selected patch management tools have visibility into the IT department’s assets so it can accurate search for available patches.

“You have to make sure they have an inventory capability or can tie into it, so they have a discovery process,” he says.

Stiennon says vendors generally all offer fairly comprehensive products. But they do tend to compete on fees and speed, so IT leaders should also evaluate patch management tools on cost as well as how quickly they can download and push out patches.

Patch management best practices

Similarly, Stiennon says some patch management tools offer more in reporting capabilities than others, with some vendors offering metrics that score the enterprise on how it improves over time and how it performs against peers – a particularly attractive feature for any organization that has a solid patch management process in place.

“You’re never going to get to 100 percent, but if you’ve got a nice high score and it’s 20 percent higher than anyone in your space, then you can at least tell your board you’re doing a good job,” Stiennon says.

Impressive results, however, won’t come with software alone, Laliberte says.

“The solution itself doesn’t solve the challenge of patch management. You need staff and processes,” he says, citing the long-held mantra that it’s about people, process and technology.