| certifications | security - David Chapman
Top 6 Patch Management Tools and Their Features
Patch management is the process for managing patching of operating systems and in many cases applications that require them. In the most basic scenario of a handful of computers, this could be accomplished by manually going to each and patching everything.
This can be very error prone though. What if you forget to apply a patch? Did you forget a computer? Worse yet, how do you report on patching using this method to ensure all machines are up to date. In this post, we'll discuss why tools are needed for this to help ensure patching.
Why is Patch Management Important?
It is easy to ask, what is the importance of patch management? Patching is important because many of our operating systems and applications have vulnerabilities in them. This is not by design and usually occurs due to a coding error or bug. Patch management tools help us report on what patches are available and assist in the patching process to ensure all of the latest required patches are installed. For companies that have regulatory compliance needs such as PCI, HIPAA or SOX, this is extremely important because auditors will ask for compliance reports.
How to Choose the Right Patch Management Tool
Choosing the right patch management tool can sometimes be more of an art than a science. Make sure you go into this with a patch management strategy. Most people choose an iterative process where a tool is tested and usually picked. It is usually best to have your sights on 2-3 different tools and equally evaluate them prior to making a selection. Many times organizations use the first tool they try out because they do not have the time or resources to investigate others. Years later the question is asked as to why that tool was selected in the first place as it didn't quite meet all of their business needs.
That sounds easy enough, but where does one even know where to start. The easiest way is to take a few of the top tools and apply some filters such as budget and supported platforms to make sure they match up with your budget and use cases. Make sure you have a patch management checklist of needs that you have in order to have a patch management software comparison. It may end up that only one tool meets all of those needs but if more than one does then you can ensure you're getting the best one for the needs of your business.
Supported operating system(s) is the biggest criteria to ensure all of your environment is supported. Many tools will patch applications as well. This is something each business needs to determine for themselves though as to what level of patching is needed and the scope of it. It may be important to decide on a cross platform patch management tool.
Top 6 Patch Management Tools
Whether you have infrastructure on premise to accommodate a patch server may dictate whether you need a cloud based patch management. For some businesses they may prefer to host in the cloud, while others may wish to host on prem but the decision is an important one. If using a cloud based solution, do you have enough bandwidth for the communication and the patch download.
SolarWinds Patch Manager
SolarWinds is a tool that many people should be familiar with. It is one of the largest and well known monitoring and patch management tools. Unfortunately, recently, it had a bit of bad press so many people may only know about it because of the negatives. But the size of the attack actually shows the popularity of the software.
SolarWinds Patch manager is a great tool that integrates with WSUS and SCCM for those that have it deployed. It also has patch management compliance reporting which is an important feature for those under regulatory compliance and need to prove via audit that patching is completed and in order.
ManageEngine Patch Manager Plus
ManageEngine is a suite of tools that some people may not have heard about but they have been around for a bit. They have a plethora of automation tools from Active Directory Management, Password Self Service and of course Patch Management which is why we're here in this article! ManageEngine's Patch Manager Plus is a great tool because it supports Windows, Linux and Mac which hits most of the deployments out there. It also has support for 3rd-party applications.
GFI LanGuard is another tool that has been kicking around for quite some time. It is a very useful suite of tools that can provide patch management. Much like ManageEngine it supports Windows, Linux and MacOS. It also claims support for 3rd-party applications and browsers. While outside of the true scope of this article, this tool does vulnerability scanning to help detect and determine missing patches. This can be valuable as vulnerabilities and security issues are typically what drive patching.
NinjaRMM is one of the newcomers compared to the other tools we have discussed, being founded in 2013. RMM stands for Remote Management and Monitoring and what would an RMM be if it couldn't handle patch management? Currently it supports Windows and Mac. It also has the ability to integrate with WSUS which can help streamline the patch download process, saving bandwidth on the Microsoft side of your patching. It praises itself for granular control over approvals of and the actual patching process.
ConnectWise is a tool that many may not be familiar with unless you've been in the Managed Service Provider (MSP) space for any length of time. It is commonly resold through MSPs and sometimes rebranded. Its primary focus is on Microsoft based operating systems. It does support 3rd-party applications (Microsoft and non Microsoft) but that is a licensed option per its product guide.
Itarian Patch Manager
Itarian is a newcomer, even newer than NinjaRMM, being founded in 2018. Some of the features are somewhat limited but that is likely because of its newness. This patch manager works on Windows and Linux. It also boasts flexible 3rd-party application patching capabilities which over the years has grown from a nice to have to a must have feature.
Best Practices for Using Patch Management Tools
Regardless of your tool, it is important to have a patch management process in place. For example, will patching be automated or manual, what schedule will it run on and what days and times can that patching be done? It can be helpful to set up a patch management process flow diagram so that you know what happens when new patches are released. For Microsoft, that is easy as it is the second Tuesday of the month. Others are not as steadily released but a process should be followed.
Setting up patching in groups is a very good best practice. Start out with a set of test servers and let them bake in the patches for a week or two. Once you feel comfortable, approval and rollout patches to other systems. When large OS changes are made, it can break low level tools like antivirus. A few different vendors have had problems over the years with OS patching crashing the OS and it’s nice to find this out before your production servers start crashing after a round of patching. Along with this, ensure you have a rollback plan in case those issues do not show up until later on. Some incompatibility issues take time to show up.
Ensure your patching process has compliance reports. It is easy to kick off those patches and assume they work but sometimes they fail. A compliance report review can help ensure patching was successful. If it was not, you then have an exception list to work through and correct.
Last but not least, do not go overboard with your patching. You want an easily repeatable and executable process. It is easy to get overwhelmed, trying to enable all features, options and processes. If you start to get overwhelmed, go back to the business need and use case and ensure your patching meets that. From there, if you have room, then possibly add to your process or patching scope as necessary. If the process is too complicated and involved, it is more likely to get skipped.