Automation eases the pain of software patching The three biggest challenges for IT managers are security, reliability and performance. Ideally, an organisation’s software will excel at all three but in practice we know that isn’t true. Even the best-laid software development plans let bugs through which can cause problems in all these areas. So patching the organisation’s …
Now tell us the product(s) that achieve it? I'm always open to trying an solution that eases the patch dilemma.
Currently we use something called DesktopCentral, they maintain a repository and deal with most 3rd party apps (Adobe Reader, Java etc), but the ability to automate it is limited and convoluted..
Teased? Downright misled! This is what the source article states:
"Over 85% of the cyber intrusions ASD responds to could be prevented by following the Top 4 mitigation strategies..."
And this is what the paraphrasing gave us:
"The Australian Government Department of Defence found that operating system and application patching could have stopped 85 per cent of all security incidents it experienced,"
A cyber intrusion is a subset of security incident. Patching will do little or nothing to address insider threats, poor system management practices, or sloppy handling of sensitive materials on the part of employees. Patching is important and can be difficult, but it is not 85% of the puzzle pieces needed to make up the whole picture.
The article slipped in without emphasising application white listing as a necissary adjunct to patching (which is much harder at enterprise scale than patching outside of locked down call centre type environments).
For most organisations patching is a horrendous activity, in order of difficulty
a) understanding what applications you have installed
b) understanding what applications are actually run (or are a depenancy)
c) understanding what patches are available
d) understanding which you can apply without breaking compatibility
e) distributing patches
f) tracking when patches have actually applied
then trying to do all of that on a regular cycle, for end user devices (i.e. off network and powered down regularly) when it’s going to be looked at as pure cost and inconvenience by the business.
Its worthy of proper discussion
i. Evaluating the patches and trying to predict what they will break
j. Planning the test cycle
k. Resources for testing the OS and apps
l. Dry runs in Production
m. Change management
n. OS backups
o. Service outages to perform the patches
p. Watching the install doesn't throw up any unexpected errors
q. Sanity checking Production services
...
Installing patches is easy. Planning and resourcing patch installs is the time-consuming part.
That said, tools like Tivoli Endpoint Manager look to do a great job of automating steps c, e & f on Windows, Linux and Unixen
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
