Proper patching

A company can invest millions in security, but if software is not kept up-to-date with the latest patches then its ability to protect will be reduced and return on investment will remain a distant dream. To help end users ensure this does not happen, a growing number of patch management vendors are offering their solutions to local organisations.

By Maddy Reddy. Published October 31, 2004

[Image: Nadeem Busheri, IT operations manager at EBI.]

Just over five years ago, an effective security infrastructure consisted of a single firewall and an antivirus solution. Today, most organisations in the Middle East are investing heavily in comprehensive security solutions that include clustered firewalls, intrusion detection/prevention, SSL virtual private networks (VPNs), identity management and URL filtering utilities.

These solutions are an integral part of any network security infrastructure, but what is commonly missed is the need to constantly update the pool of servers and workstations that run an organisation’s apps with security patches and updates.

According to a SANS (SysAdmin, Audit, Network, Security) Institute research paper, an unpatched system is attacked every 16 minutes. The vulnerabilities those attacks exploit arise from the way software is written.

IBM, for example, estimates that software developers introduce 3000 to 9000 errors per 500,000 lines of code. Given that Microsoft’s products, installed on almost 90% of the world’s PCs, comprise more than 50 million lines of code, the potential threat level is alarming, because hackers use these vulnerabilities as entry points.

“99% of the hacking incidents happen because a system wasn’t patched even though a patch was available — the business simply didn’t have the right system in place to apply the patch,” says Sean Moshir, CEO of Patch Link.

“Patching is the last line of defence because when intruders enter the network they have already bypassed the firewalls, the intrusion prevention systems (IPS), antivirus and nothing has detected them. If a system is properly patched then hackers will not be able to penetrate it,” he explains.

However, patching hundreds of computers manually can take days, and by the time the job is complete the estate is already out of date, because new patches are released every day. Patch Link concedes that the manual process is lengthy as well as expensive.

It can cost up to US$300 per patch, according to the vendor, so a small-to-medium sized business (SMB) that applies 40 Windows patches a year faces a significant investment. That figure does not account for vulnerabilities that have been discovered but for which independent software vendors have yet to release a patch.

Microsoft has started to bundle its Windows servers with Software Update Services 2.0 (SUS) pack, which provides standard audit capabilities and aggregated product patches.

“SUS and Windows Update 5.0 are for the users that do not have third party patching tools or have a small number of PCs and their IT environment is less complex. That’s good enough for them but [not necessarily] for enterprises, therefore we highly recommend that businesses have a good patching and software deployment strategy in place,” says Haider Salloum, marketing manager at Microsoft South Gulf.

In addition, if enterprises are willing to spend a further US$1219 for 10 Microsoft Systems Management Server (SMS) 2003 licences, their network administrators can store inventory information in a central database and create targeted groups of machines for patch distribution. This also lets businesses test patches in a controlled environment before deploying them. However, SMS 2003 supports no platform other than Windows, so businesses are starting to look elsewhere.

“Microsoft has been offering SUS for a long time, but attacks continue to happen. The company has added more functionalities and security services, but viruses and hacks are reported every day. If the customer is consistent in applying patches and Microsoft has been successful in that model, then why do we have network security problems? Microsoft also issues alerts to its own patches with caveats. Since the software giant doesn’t provide the kind of patching features enterprises are exploring, there is demand for the services of patch management vendors,” says Anil Menon, senior vice president at Secure Synergy.

Because of increasing network security lapses and a lack of support from mainstream vendors, point patch management solution (PMS) vendors are gaining popularity. Some analyst firms even suggest they are starting to take market share from more established products such as IBM’s Tivoli, Novell’s Zen Works and HP’s Open View. Gartner Group says businesses will spend US$11 billion on systems management solutions this year, while the Yankee Group estimates that US$140 million of that will go on patch management.

One vendor looking to tap into the increased end user spend is Secure Synergy, which licenses its patching engine from St. Bernard and rebrands it, with additional security services, as Patch Easy 6.3. The vendor operates an annual subscription model and charges between US$12 and US$20 per desktop and between US$500 and US$1500 per server. The software can be downloaded from the internet or purchased directly from the vendor.

Although a range of patching solutions is available in the region, Disney-Jawa Middle East is not convinced of their value. The animation company has instead opted for a network management suite that, among other services, offers patch management and software deployment.

“We didn’t choose a standalone patch management solution, partly because it did not meet our specific requirements. There was no justification in buying additional licences and applications when everything was taken care of by one application. Also, the company does not have that many computers so we did not want to complicate things,” explains Domnick Almeida Tagore, IT manager at Disney-Jawa Middle East.

Tagore’s argument has some truth to it, considering the nature of the organisation’s IT infrastructure. The company, which has 45 workstations at its two branches in the UAE running Windows 2000 clients and servers, deployed an Altiris solution on a dedicated HP server. Being part of a global IT operation, Disney manages all its core applications from one central location in order to achieve conformity across its infrastructure and avoid regional overheads.

[Image: Domnick Almeida Tagore, IT manager at Disney-Jawa Middle East.]

Disney-Jawa now uses Altiris not only for patching but also for software distribution, systems inventory of its desktops, servers, notebooks and handhelds, task management, migration of data and settings, and remote services. Whenever a new patch is released, Disney Europe tests it and sends it to the local Altiris server via FTP. The patch is then installed outside working hours to avoid degrading bandwidth for users.

“Prior to deploying the solution, we did it the old fashioned way, which was going from machine to machine and patching it manually, or the ‘sneakernet’ way as they call it these days. What used to take days now takes minutes to update nodes across the entire network. Also, we have a lot more time to attend to other tasks since everything is automated,” says Tagore.

The reason solutions like Altiris appeal to businesses is because they do not require an annual updating fee. They may be expensive to purchase, but organisations like Disney-Jawa prefer to pay all at once rather than being tied up in an annual licensing contract.

“Also, the services extend beyond standard patching. We apply patches usually once a week depending on our requirements. For a small homogenous network like ours, which requires a minimal volume of patches, the IT team didn’t see the need for additional patching applications,” Tagore says.

While Disney is content with its approach, it may not necessarily be the best option for large corporations in the Middle East. Businesses in the region have complex IT infrastructures; hence they require a dedicated patching solution.

Emirates Bank International (EBI), for instance, deployed an automated patch management solution in 2003. The bank has a heterogeneous IT infrastructure that includes more than 5000 PCs and 150 servers spread across 40 different locations, but the solution did not suit the financial institution’s changing needs.

As a result, the bank’s 150 IT staff faced the uphill battle of patching thousands of computers every week on top of providing IT support. The process became a burden: IT staff would spend 10 to 14 days applying patches to PCs. A Windows estate running everything from Windows 95, 98 and ME to 2000, XP and Server 2003 did not help.

Eventually, EBI decided to deploy a different solution. After evaluating several vendors’ products, including comprehensive network management suites and dedicated patching tools, the bank chose Patch Easy 6.3.

“The previous manual patch deployment was a nightmare for us as it would take days and we could not afford to do that. We wanted to use one solution that had minimal deployment time. Now, with the new solution, it takes less than a day. That’s a saving of nearly two weeks of time alone. The new solution has made things simpler for us,” explains Nadeem Busheri, IT operations manager at EBI.

[Image: Sean Moshir, CEO of Patch Link.]

Since deploying Patch Easy 6.3, the bank’s IT security team has been able to monitor all security issues centrally. It receives daily bulletins and alerts from both the software vendors and Secure Synergy, the company that supplies Patch Easy.

When a patch becomes available on the centralised patch console, the IT team downloads it, tests it in a sandpit (test environment) to make sure it is safe, and dispatches it to the branch servers. From there the patch is deployed to the nodes.

At US$16 per node per year, the bank’s patch agent on 2000 machines translates into more than US$32,000 a year in recurring costs.

To minimise the patching overhead while ensuring the integrity of its other 3000 nodes, the Dubai-based finance house has classified its network into critical and non-critical nodes based on the importance of the applications operating in different departments.
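The triage EBI describes (patches released only after a sandpit test, critical versus non-critical nodes, dispatch from a central console) and the off-hours installation Disney-Jawa uses can be written down as a small rollout planner. The Python below is an added example, not code from Patch Easy, Altiris or any vendor named in this article; the patch IDs, platforms, node names and maintenance window are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Patch:
    patch_id: str
    platforms: frozenset   # OS versions the patch applies to
    severity: str          # "critical", "important" or "moderate"
    approved: bool         # True only once the patch has passed the sandpit test


@dataclass
class Node:
    name: str
    platform: str
    tier: str              # "critical" or "non-critical", as EBI classifies its nodes
    installed: set = field(default_factory=set)   # patch IDs already applied


SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2}


def missing_patches(node, patches):
    """Patches that apply to this node's platform and are not yet installed,
    most severe first."""
    needed = [p for p in patches
              if node.platform in p.platforms and p.patch_id not in node.installed]
    return sorted(needed, key=lambda p: SEVERITY_RANK[p.severity])


def plan_rollout(nodes, patches, window_start, window_hours=6, jobs_per_hour=2):
    """Build an off-hours deployment plan.

    Returns (jobs, blocked, deferred):
      jobs     - (when, node, patch_id) tuples in dispatch order
      blocked  - (node, patch_id) pairs whose patch has not passed testing
      deferred - (node, patch_id) pairs that did not fit in the window
    """
    window_end = window_start + timedelta(hours=window_hours)
    # Critical-tier nodes are served first; the sort is stable, so input
    # order is preserved within a tier.
    ordered = sorted(nodes, key=lambda n: 0 if n.tier == "critical" else 1)
    jobs, blocked, deferred = [], [], []
    slot = 0
    for node in ordered:
        for patch in missing_patches(node, patches):
            if not patch.approved:
                # Untested patches never leave the console, whatever their severity.
                blocked.append((node.name, patch.patch_id))
                continue
            when = window_start + timedelta(hours=slot // jobs_per_hour)
            if when >= window_end:
                deferred.append((node.name, patch.patch_id))
                continue
            jobs.append((when, node.name, patch.patch_id))
            slot += 1
    return jobs, blocked, deferred


# Constructed sample estate: IDs, platforms and severities are illustrative.
PATCHES = [
    Patch("KB-A", frozenset({"win2000", "winxp"}), "critical", approved=True),
    Patch("KB-B", frozenset({"win2003"}), "important", approved=True),
    Patch("KB-C", frozenset({"winxp"}), "critical", approved=False),
]

NODES = [
    Node("teller-07", "winxp", "non-critical"),
    Node("branch-dc01", "win2003", "critical"),
    Node("core-app01", "win2000", "critical", installed={"KB-A"}),
]

WINDOW = datetime(2004, 10, 31, 22, 0)   # 22:00, after branch working hours


def example(window_hours=6, jobs_per_hour=2):
    return plan_rollout(NODES, PATCHES, WINDOW, window_hours, jobs_per_hour)


if __name__ == "__main__":
    jobs, blocked, deferred = example()
    for when, node, pid in jobs:
        print(f"{when:%Y-%m-%d %H:%M}  {node:<12} {pid}")
    print("blocked (not yet tested):", blocked)
    print("deferred to next window:", deferred)
```

Two design points matter for a practitioner: an unapproved patch is reported as blocked rather than silently skipped, so a critical fix stuck in testing is visible to whoever owns the sandpit, and work that overflows the maintenance window is deferred rather than pushed into business hours.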

While most patch management solutions efficiently handle updates for standard applications such as office suites, browsers and the operating system, the problem arises when a business has to patch a bespoke application. Software developed in-house, for example, has no vendor-supplied patch content that the tool can deploy.

To accommodate this, high end patch management vendors such as Big Fix and Patch Link offer development tool kits so customers can author their own patches. Big Fix Patch Manager, for instance, claims extensive patching features and the ability to manage up to 75,000 computers. The solution includes a development environment in which customers author their own patches, or fixlets.

[Image: Gregory Toto, vice president, product management at Big Fix.]

“Most competing tools provide only simple package creation scripts without the patch creation policies. A lot of solutions do not have a delegation of the rights to author the patch. Coupled with weak or few administrative rights restrictions, these tools allow anyone with access to the server to arbitrarily send anything to any client on the server without any authorisation procedure,” says Gregory Toto, vice president, product management at Big Fix.
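Toto’s point about delegation and authorisation can be made concrete: a console should dispatch a fixlet only when its author is known, the signature verifies under that author’s key, the author is delegated for the target collection, and the installer payload still matches the hash the author signed. The Python below is an added example and is not Big Fix or Patch Link code. It uses HMAC with per-author keys held by the console (where authors should not share a secret with the console, a public-key signature would take its place); the keys, author names, collection names and payload bytes are all constructed.

```python
import hashlib
import hmac
import json

# Constructed per-author signing keys; a real console keeps these in a secret store.
AUTHOR_KEYS = {
    "alice": b"constructed-key-for-alice-0001",
    "bob": b"constructed-key-for-bob-0002",
}

# Delegation policy: the target collections each author is allowed to publish to.
AUTHOR_SCOPES = {
    "alice": {"test-lab", "all-branches"},
    "bob": {"test-lab"},
}


def canonical(fixlet):
    """Stable byte encoding so the MAC covers every field in a fixed order."""
    return json.dumps(fixlet, sort_keys=True, separators=(",", ":")).encode()


def author_fixlet(author, name, target, action, payload):
    """Author a fixlet: bind the action and installer hash to the author, then sign."""
    fixlet = {
        "name": name,
        "author": author,
        "target": target,
        "action": action,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    tag = hmac.new(AUTHOR_KEYS[author], canonical(fixlet), "sha256").hexdigest()
    return {"fixlet": fixlet, "tag": tag}


def console_authorise(signed, payload):
    """Decide whether the console may dispatch this fixlet. Returns (ok, reason).

    Checks, in order: the author is known; the signature verifies under that
    author's key (so the author field cannot simply be relabelled); the author
    is delegated for the target collection; and the payload sitting on the
    distribution server matches the hash the author signed.
    """
    fixlet = signed.get("fixlet", {})
    author = fixlet.get("author")
    key = AUTHOR_KEYS.get(author)
    if key is None:
        return False, "unknown author"
    expected = hmac.new(key, canonical(fixlet), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed.get("tag", "")):
        return False, "signature does not verify"
    if fixlet["target"] not in AUTHOR_SCOPES.get(author, set()):
        return False, f"{author} is not delegated to publish to {fixlet['target']}"
    if hashlib.sha256(payload).hexdigest() != fixlet["sha256"]:
        return False, "payload does not match signed hash"
    return True, "authorised"


# Constructed installer bytes standing in for an in-house application's hotfix.
PAYLOAD = b"constructed in-house ledger-app hotfix 1.4.2"
ACTION = "run ledger-1.4.2.msi /quiet"


def demo():
    """Exercise the accept and reject paths; returns a dict of (ok, reason) results."""
    results = {}

    ok_fixlet = author_fixlet("alice", "ledger-hotfix", "all-branches", ACTION, PAYLOAD)
    results["alice_all_branches"] = console_authorise(ok_fixlet, PAYLOAD)

    # bob is delegated for the test lab only.
    lab_only = author_fixlet("bob", "ledger-hotfix", "all-branches", ACTION, PAYLOAD)
    results["bob_all_branches"] = console_authorise(lab_only, PAYLOAD)
    results["bob_test_lab"] = console_authorise(
        author_fixlet("bob", "ledger-hotfix", "test-lab", ACTION, PAYLOAD), PAYLOAD)

    # Impersonation: bob's signed fixlet relabelled as alice's.
    forged = json.loads(json.dumps(lab_only))
    forged["fixlet"]["author"] = "alice"
    results["forged_author"] = console_authorise(forged, PAYLOAD)

    # Installer swapped on the distribution share after signing.
    results["tampered_payload"] = console_authorise(ok_fixlet, PAYLOAD + b"\x90")
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:<20} {'ACCEPT' if ok else 'REJECT':<7} {reason}")
```

Note the check order: the signature is verified before the scope lookup, so the delegation policy is only ever consulted for a fixlet that the named author genuinely produced.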

However EBI’s Busheri argues that regardless of the sophistication of the patching tool or firewalls, IPS or even antivirus, network vulnerability should be treated with diligence.

“A customised application doesn’t have that many issues as a commercial application, since it’s specifically developed for a particular environment. However, for commercial patches, it’s not only the deployment… the key is when you receive a patch it has to go through a stringent quality assurance test…where it has to be tested with the existing applications. A lot of the time, the patch can actually cause more damage than the threat,” Busheri adds.

For example, Microsoft recently warned that Windows XP Service Pack 2 (XP SP2) would have compatibility and functionality issues with other vendors’ applications. The software giant identified 60 such applications, including its own and enterprise software from vendors such as Computer Associates, Veritas and Symantec.

“Patching is like [administering] medicine to a patient while antivirus, firewalls and mail filtering services are like the immune system… they protect you from external threats in general. Patching shouldn’t be mixed with other security products — they are two different things. One protects, while the other provides the [remedy],” says Busheri.

Whether patch management products really take off in the Middle East in the short-term remains to be seen. Although Gulf states are expected to spend US$66.7 million this year, 60% of that money has been allocated for antivirus purchases, while the rest has been shared largely between IPS, firewalls and VPN security applications — leaving a minimal share for patching vendors.

However, in the long-term, the outlook may be rather better, as Heini Booysen, senior analyst at IDC Middle East’s software group, says spending on those tools that currently account for the bulk of IT spending will plummet over the coming years and demand for other security measures, such as patching applications, will go up.

For the likes of Patch Link’s Moshir, though, that rate of end user adoption will not be quick enough. He warns that patch management cannot be treated as something to deploy at some point in the future: if users have antivirus in place today, they should be deploying patch management products today.

“Regardless of the market, be it the US or the Middle East, everybody has the same problems. The patch management market is just as big as the antivirus market. If businesses have an antivirus, they need a patch management solution,” Moshir says.
