Newly discovered zero-day vulnerabilities and sophisticated attacks constantly make the news. In practice, however, most successful attacks can be traced back to a few factors. Deciding which risks, threats, and vulnerabilities to remediate is critical. Many breaches involve vulnerabilities for which a patch was available but was not applied because it was not categorized as a priority. Other patches are not applied in time because organizations lack the resources, and still others have long been available but were not installed for other reasons. This is where intelligent patch management software comes into play.

Some Guidelines for IT Health

In the human body, vitamins, folic acid, iron, copper, selenium, and zinc support the immune system. Similarly, exercise, the requisite amount of sleep, and alcohol in moderation also help. We all know this but don’t always stick to the guidelines of what is recommended.

It's similar with IT: while IT departments know that PCs, servers, and infrastructure should be kept secure, it's sometimes difficult to keep on top of it. One reason for this is the large number of patches for newly discovered vulnerabilities and security threats. Another is the time it takes to test and roll out updates. Sometimes this means that one patch rollout isn't yet complete before the next one is due.

Manufacturers of widely used software such as Microsoft, Adobe, and Oracle have been delivering their patches on fixed dates for years. One such date is “Patch Tuesday”, for which Ivanti regularly publishes an assessment of the released updates. These updates always contain bug fixes for several products. Companies therefore must thoroughly check that none of these patches cause compatibility problems before an update is initiated.

Patch updates are delivered in a number of ways. For Windows and Microsoft Office products, updates are delivered via Windows Update. For other products, updates are only available on the manufacturer’s website or must be searched for and installed manually from within the program. In addition, these manufacturers often have their own release dates for new updates. As a result, the already thinly stretched IT department doesn’t have enough time to keep on top of all possible updates.

Fortunately, many patches close security holes that the manufacturer or white-hat researchers have discovered privately, in which case there is no danger until the patch is released.

Once the patch is released, however, the vulnerability becomes known too. From then on, the patch itself can be reverse engineered to determine how the vulnerability can be exploited. It currently takes an average of 22 days for an exploit to become available. Half of the currently known exploits are first used within 14 to 28 days after a patch is available. Some, however, are used within just a few days.

Patching—A Race Between the Attackers and the Defenders

The situation is even more urgent in cases where a patch closes a previously known or exploited vulnerability. The attackers now know that their exploit will probably soon be ineffective, and so will be keen to use it as quickly and successfully as possible.

Unfortunately, the attackers are often much faster than the defenders. It typically takes between 100 and 120 days for companies to deploy a patch once it becomes available. This means that attackers have three to four months to exploit vulnerabilities. Not all of these vulnerabilities are classified as “critical” or give attackers complete access to the affected systems. Nevertheless, these figures clearly show that many companies remain vulnerable to known and already closed security holes for too long.
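The two timelines above, the average 22 days until an exploit appears and the 100 to 120 days a typical deployment takes, define the window an organization is exposed for each missing patch. The following script is an added example (not Ivanti's code and not part of the original post) that models that window over a constructed patch inventory: it computes the exposure in days per patch, ranks the patches still missing so that already-exploited and long-exposed ones come first, and reports compliance against a deployment SLA. The patch identifiers, products, dates and the `sla_days` parameter are all made-up assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Figures quoted in the text: an exploit appears on average 22 days after a
# patch is released, while companies typically need 100 to 120 days to deploy.
AVG_DAYS_TO_EXPLOIT = 22
TYPICAL_DEPLOY_DAYS = (100, 120)

# Reference date for the constructed sample below (assumption).
TODAY = date(2021, 3, 1)


@dataclass
class PatchRecord:
    patch_id: str                      # hypothetical identifier, constructed for this example
    product: str
    severity: str                      # "critical", "important", "moderate" or "low"
    released: date                     # date the vendor published the patch
    deployed: Optional[date] = None    # None = still missing on at least one host
    known_exploited: bool = False      # advisory states the flaw is already exploited in the wild


# Constructed sample inventory; all values are made up.
SAMPLE = [
    PatchRecord("PATCH-0001", "Office suite", "important", date(2020, 11, 10), deployed=date(2021, 2, 25)),
    PatchRecord("PATCH-0002", "Web browser", "critical", date(2021, 1, 12)),
    PatchRecord("PATCH-0003", "PDF reader", "moderate", date(2021, 2, 20)),
    PatchRecord("PATCH-0004", "Java runtime", "important", date(2021, 2, 9), known_exploited=True),
]


def exposure_days(rec: PatchRecord, today: date) -> int:
    """Days the organization was (or still is) exposed after the patch became available."""
    end = rec.deployed if rec.deployed is not None else today
    return max(0, (end - rec.released).days)


def risk_rank(rec: PatchRecord, today: date) -> tuple:
    """Sort key; a larger tuple means more urgent.

    Order of precedence: already exploited in the wild, then exposure that has
    already outlasted the average time-to-exploit, then severity, then raw exposure.
    """
    sev_order = {"critical": 3, "important": 2, "moderate": 1, "low": 0}
    exposure = exposure_days(rec, today)
    return (
        rec.known_exploited,
        rec.deployed is None and exposure >= AVG_DAYS_TO_EXPLOIT,
        sev_order.get(rec.severity, 0),
        exposure,
    )


def prioritize(records, today: date):
    """Return the patches still missing, most urgent first."""
    missing = [r for r in records if r.deployed is None]
    return sorted(missing, key=lambda r: risk_rank(r, today), reverse=True)


def sla_report(records, today: date, sla_days: int) -> dict:
    """Per-patch SLA compliance: True if deployed within sla_days of release,
    or still missing but inside the window; False once the window is blown."""
    return {r.patch_id: exposure_days(r, today) <= sla_days for r in records}


if __name__ == "__main__":
    print("Attacker head start at typical deployment speed: "
          f"{TYPICAL_DEPLOY_DAYS[0] - AVG_DAYS_TO_EXPLOIT}-{TYPICAL_DEPLOY_DAYS[1] - AVG_DAYS_TO_EXPLOIT} days")
    for rec in prioritize(SAMPLE, TODAY):
        print(f"{rec.patch_id} {rec.product:<14} {rec.severity:<10} exposed {exposure_days(rec, TODAY):>3} days"
              f"{'  (known exploited)' if rec.known_exploited else ''}")
    print("SLA (30 days):", sla_report(SAMPLE, TODAY, sla_days=30))
```

The ranking deliberately puts a known-exploited patch ahead of a higher-severity one that is not, because the text's point is that once an exploit exists, the CVSS label matters less than the fact that the window is open.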

This situation has been exacerbated recently by the need for employees to work remotely. First, home computers are not always as adequately secured as company-issued ones. Second, users may be given more access rights than they actually need because remote workers are expected to install patch updates themselves. Both scenarios carry an increased chance of an unwanted attack.

The Right Patch Management Strategy for Companies

A successful patch management strategy for today therefore relies on an automated solution that minimizes compatibility problems through continuous configuration control. In addition, the implemented patch management solution should understand the systems used so that updates or patches don’t fail due to issues such as lack of disk space or insufficient memory.

However, you can only protect what you know. Time and again, users install no-cost image editing software or a free video player because they find that application more practical than the software selected by the company, but then don’t bother to update it regularly. If the IT department doesn’t know about this “Shadow IT”, it can’t run the updates either. A two- or three-year-old software version then runs on the computer, including the security holes that the developer has since closed, leaving the computer open to exploitation.

The patch management solution used should also be able to detect systems that are not restarted regularly (which is often necessary to apply a patch). It should also recognize redistributable versions of C++, Java, Adobe Reader, and similar software. These components come with the installation of other software on the computer, but then run “under the radar” of the IT department. Usually nobody knows which versions are actually required or what patch level they are at. Cyber criminals therefore attack very old versions of these components with well-known exploits, repeatedly and successfully.
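The three checks described in the last two paragraphs (software the IT department never approved, approved software that has fallen behind the supported version, and machines that have not been restarted or have a reboot pending) can all be run over an ordinary inventory export. The script below is an added example, not Ivanti's code and not from the original post; it audits a constructed inventory against a constructed approved-software baseline. Host names, product names, version numbers and the `max_uptime_days` threshold are assumptions, and the version comparison is a simple numeric dotted-version compare written for this example.

```python
from datetime import date

# Reference date for the constructed sample (assumption).
TODAY = date(2021, 3, 1)

# Constructed sample of what a discovery scan might export; every value is made up.
INVENTORY = [
    {"host": "ws-101", "last_boot": "2021-02-27", "reboot_pending": False,
     "software": [("Office", "16.0.13801"), ("PDF Reader", "20.013"), ("Media Player", "3.0.12")]},
    {"host": "ws-102", "last_boot": "2020-12-03", "reboot_pending": True,
     "software": [("Office", "16.0.13801"), ("PDF Reader", "19.021"), ("Java Runtime", "8.0.201")]},
    {"host": "ws-103", "last_boot": "2021-02-28", "reboot_pending": False,
     "software": [("Office", "16.0.12527"), ("FreeImageEditor", "2.1.4"),
                  ("VC++ Redistributable 2013", "12.0.30501")]},
]

# Software the IT department approved, with the minimum version currently supported (constructed).
APPROVED_BASELINE = {
    "Office": "16.0.13801",
    "PDF Reader": "20.013",
    "Java Runtime": "8.0.281",
    "VC++ Redistributable 2013": "12.0.40664",
    "Media Player": "3.0.12",
}


def version_key(version: str) -> tuple:
    """Turn '16.0.13801' into (16, 0, 13801) so versions compare numerically.

    Comparing the raw strings would rank '9.0' above '16.0'; non-digit suffixes are ignored.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_host(entry: dict, today: date, max_uptime_days: int = 30) -> list:
    """Return (finding, product, detail) tuples for one host."""
    findings = []
    for name, version in entry["software"]:
        if name not in APPROVED_BASELINE:
            # Installed by the user, unknown to IT: nobody will patch it.
            findings.append(("shadow-it", name, version))
        elif version_key(version) < version_key(APPROVED_BASELINE[name]):
            # Approved, but behind the version that contains the current fixes.
            findings.append(("outdated", name, version))
    last_boot = date.fromisoformat(entry["last_boot"])
    if entry["reboot_pending"] or (today - last_boot).days > max_uptime_days:
        # A pending reboot means an installed patch is not yet effective;
        # a very long uptime means patches that need a restart never got one.
        findings.append(("reboot-needed", "", entry["last_boot"]))
    return findings


def audit(inventory, today: date) -> dict:
    """Audit every host; hosts with an empty list are clean."""
    return {entry["host"]: audit_host(entry, today) for entry in inventory}


if __name__ == "__main__":
    for host, findings in audit(INVENTORY, TODAY).items():
        status = "ok" if not findings else ", ".join(f"{kind} {name} {detail}".strip() for kind, name, detail in findings)
        print(f"{host}: {status}")
```

Redistributables show up in the same export as any other product, so the baseline entry for the VC++ runtime is what makes the "under the radar" component visible; without a baseline entry it would instead be reported as shadow IT, which is still a finding rather than silence.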

Ivanti Security Controls covers all of these aspects. The solution combines patch management, privilege management, and whitelisting, meaning that devices can also be patched via a free cloud component when they are outside the company network—and the IT department remains in control of the process.

The initial implementation takes around two hours. The appropriate agents then appear on the end devices and install patches according to company specifications. Changes to the network firewall aren’t necessary. Ivanti Security Controls regularly scans all client systems for missing patches, downloads necessary patches from the providers, stores them in a central repository, and pushes them to the computers or groups of computers that need them, thus ensuring that all computers are always up to date.

An exciting addition to Ivanti’s patch management portfolio is the recently released Ivanti Neurons for Patch Intelligence. The module collects additional information that plays a decisive role in the distribution of new patches. Information on the reliability of new updates and on problem solving is collected and aggregated from thousands of specialist forums, media reports, and crowdsourcing. This enables administrators to decide quickly which patches they want to subject to a more detailed examination.

By connecting Ivanti patch management solutions such as Ivanti Security Controls with Ivanti Neurons for Patch Intelligence, you can also track the status and speed of patch distribution. An easily understandable dashboard shows the current status and compliance with SLAs for the provision of patches at any time.

Automate Other Routine IT Tasks

Keeping software up to date with patch management significantly improves security. In addition, other routine tasks can also be automated. This is where Ivanti Neurons for Discovery comes in, providing precise information within a few minutes about the assets in your company network. This short video outlines how this works.

Ivanti Neurons for Discovery - Demo

Modern IT environments are constantly changing. That’s why Ivanti Neurons for Discovery ensures continuous visibility in real time through active and passive scanning, network scanning, and third-party connectors. This not only gives you an up-to-date, uniformly structured hardware and software inventory, but also an insight into software usage and the data for maintaining your CMDB (Configuration Management Database) and your AMDB (Asset Management Database).

On this basis, other time-consuming tasks can then be automated with Ivanti Neurons for Healing. Ivanti Neurons for Healing covers the areas of compliance, user productivity, business continuity, and resource organization. It frequently detects and solves IT issues before users even notice them. In addition, the use of intelligent bots to process inquiries and complaints contributes towards faster diagnosis and resolution of problems that could not be solved in advance. This video outlines the benefits of Ivanti Neurons for Healing.

Ivanti Neurons for Healing - Demo

Patch Management + Automation = IT Management of the Future

For people, a healthy lifestyle is ideal. What’s ideal for IT is using up-to-date software and knowing the network status of devices. Both are necessary so that the organization functions smoothly. Basic prevention avoids many problems; regular checks identify issues before they cause serious damage.

Everyone is responsible for their own body. In IT, early detection, prevention, remediation, and treatments are the responsibility of administrators. Since IT staff must take care of hundreds or even thousands of devices, individual diagnosis and treatment isn’t possible without automation. The IT immune system is strengthened quickly, effectively, and safely with an automation solution that not only identifies problems and peculiarities, but also registers them and takes them into account for future changes—and repeats these tasks continuously and independently.

On this basis, companies can then provide self-healing and self-securing for devices—along with self-service for change requests—proactively, predictably, and automatically. This in turn relieves the IT department, promotes employee satisfaction, and noticeably increases the level of security.