For Patch Management, Do Like the Bad Guys and Use Automation - Security Boulevard

For Patch Management, Do Like the Bad Guys and Use Automation

Automation engines within unified endpoint management systems can keep up with software patching and offer benefits over typical dedicated patching solutions.

For many IT pros, evaluating their company’s exposure to software vulnerabilities and deploying patches can vary from a planned, orderly process to one resembling an urgent game of whack-a-mole. That’s usually due to the continuously evolving nature of vulnerabilities and exploits and the diversity of software in use at most companies.

It’s also a case of asymmetric warfare. IT managers are trying to tend to normal network and endpoint management tasks while keeping up with CVEs, assessing exposures and deploying patches efficiently. Hackers instead have a clear and singular focus on finding new or unpatched vulnerabilities, often using automated tools.

IT managers should take a cue from the bad guys and use automation to help them even the contest. Tools such as unified endpoint management (UEM) solutions can streamline normal operations to enable more time for planning and optimization while decreasing the need for mole-whacking.

Making Patch Management Less Patchy

Part of the patch management challenge is in the different types of applications in use. These fall into three main categories of Microsoft Windows and related apps, common third-party applications including Java or Flash and specialized or department-specific apps for finance, engineering, marketing and other areas. The need to stay current with multiple, different patching tools, notifications, schedules and methods often leads to unpatched vulnerabilities and an increased risk of breach.

Microsoft patches are generally easily deployed through WSUS or Windows Update. Java and Flash patches also are readily deployable but usually only after you know how urgent they are or if there are compatibility considerations for custom implementations. Third-party applications often require manual monitoring to know when patches are available, and then can require cumbersome preparation and time-consuming repackaging processes before deployment.

None of the existing dedicated patching tools are masters at all three. However, security-focused UEM solutions can directly access Microsoft’s patching database and deploy patches. UEM systems also have a common third-party application catalog to manage patching. However, the biggest differentiator is that UEM solutions offer extended capabilities to import, customize and deploy patches for applications not contained in standard catalogs.

Yes, No, Maybe or Hope for the Best?

Keeping patches current is important, but experience shows that universal and automatic patch deployment can cause a host of other problems including user complaints and non-compliance. Knowing how, when, to which endpoints and in what order to deploy them is the key.

While security is a major IT concern, most employees understandably are more concerned about getting their work done. Any downtime to patch and update systems is likely to be seen as a distraction that can be delayed or ignored. IT managers have to take those practical considerations into account to encourage user cooperation with security needs.

Here’s where UEM automation shines. You can create and schedule multiple different patch jobs based on the specific applications, machine, location, connectivity method or time of day. This works regardless of whether a patch uses an MSI, InstallShield, Wise, .exe or other installer. Urgent patches can be deployed immediately or you can schedule a patch job to run after hours or overnight using wake-on-LAN, where you can boot up endpoints, update them and then shut them down. The users start up their newly updated machines the next morning and get to work without interruption.

Other Benefits of UEM Solutions

Beyond patching, UEM solutions offer a variety of other benefits. To get a handle on varied configurations, a UEM system will present a logical dashboard view of all of endpoints organized according to your company structure and network topology. It creates a detailed inventory of all endpoints and automatically shows the most critical, up-to-date list of CVEs affecting each. A close-up view of each endpoint shows both authorized and rogue applications, system info and device drivers with red/green indication of whether they are current.

Extended automation capabilities enable you to replicate patching as well as any process that you would otherwise have to handle in person or in a remote session. Unlike macros, every step within a script is documented and can be changed as needed. Scripts can be tested and debugged prior to use, including with the ability to see exactly what it will look like on the user machine GUI.


Unified endpoint management is not a patch management panacea or cybersecurity all-in-one. It is, however, a powerful tool for day-to-day IT management functions that automates much of the necessary repetitive tasks needed to stay ahead of threats and vulnerabilities.

Jonathan Lange

Featured eBook
The State of Cloud Native Security 2020

The State of Cloud Native Security 2020

The first annual State of Cloud Native Security report examines the practices, tools and technologies innovative companies are using to manage cloud environments and drive cloud native development. Based on a survey of 3,000 cloud architecture, InfoSec and DevOps professionals across five countries, the report surfaces insights from a proprietary set of well-analyzed data. This ... Read More
Palo Alto Networks

Jonathan Lange

Jonathan Lange focuses on ITSM and IT security solutions consulting and customer acquisition for baramundi software USA in Framingham, MA. He has advised small and large businesses worldwide on how to keep their infrastructure up-to-date, safe and efficient. He holds an ITIL certification and has a B.A. in Business Administration & Engineering/Industrial Engineering from Karlsruhe University of Applied Sciences.

jonathan-lange has 1 posts and counting.See all posts by jonathan-lange