News Stay informed about the latest enterprise technology news and product updates.

WSUS, security suites own patch management these days

IT managers don't go for the patching tool point products as much as they used to. Broad security suites do the job.

Faced with the growing complexities of managing and securing their desktops and servers, Windows administrators have demanded more features with fewer agents from their patch product vendors in order to simplify their work.

Patch management companies have responded by broadening their portfolios and, with quickening speed, the number of vendors that specialize only in patching point products has radically diminished.

More on Windows patching
Bug-weary Windows shops may accept all-in-one tools

New security technology bypasses the OS

IT pros worried about unsecured devices

There is always debate within the IT industry about whether added functionality and product additions are a response to demand, or whether it's just marketing baloney. But experts say that IT departments are demanding a reduction in the number of agents on corporate desktops because IT staffs don't have the time or resources to devote to making sure agents and applications play well together.

"IT buyers want unified security agents and multiple functionality because the more agents there are on the desktop, the more likelihood there is that there will be agent conflict," said Nick Selby, a security analyst for research company The 451 Group.

Selby said agent conflict is not surprising due to the nature of agents, which automatically perform proscribed tasks on behalf of the software program. Agents are essentially a rootkit, a kernel-level software product that allows access to the kernel of the operating system, Selby said, and the fewer of those a system has, the better.

Another factor in the broadening of patch management company products is the improved job Microsoft does in helping customers update their Windows products through its free technology Windows Server Update Services. In the past, the idea was that WSUS was just a bare bones product and point product providers would sell a full-featured tool for patching.

"Microsoft does a pretty good job at patch management so to differentiate themselves and make their products worthwhile, patch management companies had to offer other capabilities," Selby said.

Reducing agents or, at the very least, not increasing software agents was in the minds of the IT department at Concord Hospital in Concord, N.H., when it was looking for a patch management and endpoint security product. They ended up choosing BigFix Inc.'s BigFix Enterprise Suite (BES), which provides patch management, security features, asset management and software license tracking.

"We looked at several companies, but during our decision-making process, we chose BigFix because they could offer us these capabilities using the same agents. The other choices meant additional agents and we really didn't want to do that," said Michael Goodnow, a network engineer in the hospital's IT department.

Patching vendors are branching out

PatchLink Corp. provides an example of this trend for patching companies to broaden their base. Earlier this year, the Scottsdale, Ariz.,-based company acquired Stat Guardian vulnerability software from the Harris Corp. Then it recently merged with Secure Wave SA. It then changed its name to Lumension Security, is pursuing an IPO and expects to release new products with security capabilities in January.

Other companies like BigFix, the enterprise security configuration management software company, has added antivirus and data leakage prevention capabilities. And, it has branched out with software that manages power conservation settings on Windows desktops to help reign in power consumption.

Ecora Software Corp. started life as a patch management software company, but over the last few years it has added configuration and management capabilities.

This trend is certainly not limited to the patching arena; it's been ongoing in the general consolidation of the security suite vendors, such as Symantec Corp., which has developed products with a wide range of features. It's about to release its Endpoint Security 11.0, which offers a lot of security features in one package, with an option to include its Network Access Control 11.0, code-named Hamlet.

And Microsoft announced this year that its working on a package of security applications, code-named Stirling, which should be out in mid-2009.

Of course, not every IT manager thinks unified products are the way to go. Randy Beltz, an IT manager with CCI Inc., a cell phone tower maintenance company, said his company relies on WSUS for patch updating and he's watched as other point products were swallowed up by bigger companies.

"It just seems like a lot of the time you're forced into using products with additional features," Beltz said. "The best you can hope for is that Microsoft buys the company with a great product, takes it under the wing and incorporates it in the next version of a product so you'll still be able to use it."

Dig Deeper on Enterprise infrastructure management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.