As most of you probably know already, a patch is just a fast fix for a bug in computer programs. It’s never really been intended as a panacea for problems—its utility lies in the speed in which it can be devised and implemented. However, what might not be common knowledge is the fact that the patch management sector is going beyond its bread-and-butter of simple patches.
“The patch management discipline is definitely evolving,” said Chris Farrow, director of the Center for Policy and Compliance at Configuresoft, which provides enterprise configuration management and regulatory compliance assessment software. “If you look at all the stand-alone patch management vendors and solutions, all of those are moving beyond just patch management. From the vendors’ standpoint, all those guys have now started expanding and changing the focus because that particular market is saturated.
“Everybody and their dog had a patch management process in there,” he added. “Everybody’s got—at a base level—the same functionality, so it’s very commoditized. It’s so commoditized that people take it for granted. The prices have been driven way down and that’s why a lot of vendors have expanded their scope and are going above and beyond that. The drivers now are high-profile security items and regulatory pressures. I think everybody’s either moving to a security context or more to the whole systems management provisioning area.”
While some of the conventional patch providers remain, both their numbers and influence on the field are dwindling, Farrow said. “There are still guys out there who are pushing the utility-type application who are very much focused on the simple act of patching. The stand-alone utility guys are playing a much smaller part in that process because they are, at the bare minimum, a very light assessment and bit-moving product.”
Many consumers who have already gone through one or more of these utility-patch providers are demanding solutions that are more comprehensive, accurate and scalable. “Customers are looking for a larger, more holistic approach that involves a larger-scale assessment of the overall box and dependencies of different things on that box,” Farrow said. “They don’t just want to lay code down—they actually want to have the ability to see some kind of impact analysis. ‘If I lay this patch down, what does it tie into? Will it affect anything else on this box?’”
In the realm of certification and training, there are some vendor-specific offerings around patch management out there. Additionally, Farrow cited vendor neutral SANS GIAC as having solid patch content in their Windows and security essentials tracks’ curricula. One of the challenges of building credentials around patch management is that the security field generally lacks consistent standards and best practices around tools and technologies. “Anti-virus has some, firewall has some, but beyond that, there’s not a whole lot out there,” Farrow said. “There are no standards for IDS (intrusion detection systems) or intrusion prevention or auditing tools. I’m not sure if the industry itself is a little skeptical, or if there hasn’t been enough push from the marketplace. If the customers demand it, you can be sure all the vendors will jump on board.”