A new age of worms and malicious virus attacks has the patch management software market moving at a feverish pace, but new research from the Burton Group cautions that the patch is by no means a be-all, end-all "magic pill" for enterprise security.
In the report, analyst Trent Henry said that the Midvale, Utah-based research firm found that some independent software vendors (ISVs) not only create software that needs to be patched, they routinely create patches that need to be patched themselves -- or the patches cause other systems to crash.
In some instances, Henry said, vendors "quietly" issue patches that a customer could miss if they are not constantly doing
Even with a successful deployment, the best patch solves only 50% to 75% of the problem, leaving a sizeable chunk that a patch cannot fix, Henry said. One example is a denial of service (DoS) attack, which has nothing to do with how a network is patched, because it simply floods a site with more requests than the data buffers were programmed to handle.
Further complicating matters is the fact that patches are issued to fix problems with infrastructure, giving both the enterprise and "the bad guys" access to information about a security issue at the same time, Henry said. Hackers can then pick apart the patch for underlying flaws to exploit.
"Then it's kind of a race to see who can move first -- what's going to be first, the worm or the patch?" Henry said.
The alternative is disaster
Despite its limitations, patching must be done. It may be costly for an enterprise to patch thousands of workstations, Henry said, but it is not nearly as costly as having them compromised by an attack.
Henry said Burton Group advises companies to deploy a patch in a test environment first before rolling it out across the network.
"Today, patching is still a very manual process. … We advise organizations to establish a 'test bed' network so they can understand what impact a patch can have," he said. "At
Smaller companies are also advised to implement automated patch management software because it is too easy to miss a patch when doing manual updates or relying solely on Microsoft and its Windows Update. The result is that a company could become an infected network or a carrier of malicious code.
Burton Group also sees a strong burden on patch management vendors if they hope to remain strong in the market over the next 12 to 18 months. Henry outlined "tough requirements" of such vendors, including capabilities for cross-platform support, patch vetting and distribution, resilient target ID, directory integration, continuous assessment testing, recovery, scalability, quarantine and reporting.
Patching not a problem for some
BayRing Communications, a telecommunications company based in Portsmouth, N.H., is one company that has had success with patch management software.
Martha Jo McCarthy, a network administrator, said her company has been using Ecora Software Corp.'s Patch Manager application for the past two months, and she has been impressed with the results.
"We bought it, and the first time I used [Patch Manager], it literally did in one hour what typically takes three full-time days," she said.
McCarthy said that BayRing went with Ecora, which is also based in Portsmouth, because its offering addressed the critical task of updating patches for its network with an "all-inclusive" package.