atching devices has historically been a process that requires software on-premises. Whether it’s Microsoft’s WSUS server, a local repository that is leveraged, scripts, or perhaps even an enterprise class system, generally the solution has lived on-prem. As more organizations move to cloud-native services there is no reason that IT admins cannot take advantage of a cloud-native patch management service.

IT admins know that patching is one of the most important tasks that they can to do protect their organization. Updated code is a significant inoculation against a potential breach. Generally, exploits emerge for vulnerabilities over time and hackers are counting on organizations simply skipping the patching process. Patching historically has been time consuming, expensive, and tedious. It’s one of those tasks that IT organizations know is critical, but yet find it difficult to execute on. Perhaps IT doesn’t have a full list of all devices or maybe not enough access rights to all devices. Or they may just be fearful of having systems crash after a patch. And, often the reason is that they don’t have the right tools.

Patching has become more critical over the last decade as a number of regulations such as PCI, HIPAA, FISMA, GLBA, and others are requiring updated machines. The core options for IT admins have been:

  • Manual patching or scripts – perhaps the most prevalent solution in today’s DevOps world is manually patching. Often developers, ops personnel, and IT admins will just write scripts or embed a command to update a device into a script. These folks may use Chef, Puppet, Salt, Ansible, or other configuration management solution. These are most often used with Infrastructure-as-a-Service providers such as AWS or Google Compute Engine. The trouble with this approach is that it is simplistic. As soon as a patch is released, the next Chef or Puppet run will automatically update the server. There is no sense of control over whether the patch may be high risk or not. Further, this approach generally misses applications and development frameworks. As well, Windows, Mac, and Linux desktops and laptops generally are missed as well. This is a quick and dirty solution that works well for small organizations.
  • Single OS solutions – Microsoft Windows Server Update Services (WSUS) is an excellent example of a single operating system solution. Many IT admins will run a WSUS server for their Microsoft Windows machines to update with. The benefit of a WSUS like solution is that it affords IT admins more granularity and intelligence when looking at patches. IT admins can decide which patches their devices should get and which ones aren’t as relevant. Unfortunately, as the name of this section implies, it’s a point solution to a problem that requires a platform. IT organizations aren’t just using Windows anymore. They have Macs and Linux devices as well. They also have numerous applications which aren’t from Microsoft or another single vendor solution. These solutions had their place when organization had a very small number of platforms, but in today’s heterogeneous, cloud-native environment they add more work than they solve.
  • Legacy, on-premises software – a number of patch management solutions emerged in the early 2000s. These solutions were enterprise-class pieces of software with heavy duty implementations. They required servers and agents on every machine. They took professional services teams to implement and then dedicated resources to run. They were for the largest enterprises in the world where there could be a group that just focused on patch management. But what about smaller, more agile organizations? What about firms that don’t have any infrastructure on-premises anymore other than their WiFi equipment? There is a mismatch between these solutions the modern approach to software solutions and services.

Recently a category of solutions has emerged to deliver patch management as a service. These innovative, cloud patching solutions are lightweight to implement and manage, but provide deep operating system and application support. A lightweight agent is deployed on each machines which can live on-premises, in the cloud, or in any remote location. Essentially to a patching-as-a-service solution, a distributed, global network of devices looks like one contiguous set of devices. Through a central, web-based console IT admins have full visibility and control over patch status and patch application.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

More posts like this:

Patch Management