San Francisco - Gartner Symposium/ITxpo — Depending on who you believe, manually feathering critical security patches into the enterprise -- for example the ones Microsoft issues on its monthly Patch Tuesday -- can cost hundreds, if not thousands, of dollars to deploy. That drudgery adds up, and so does the regression testing that has to be done to make sure a new security patch doesn't hose your desktops. Worse, the testing delays the deployment of critical security patches, which is a real problem in this age of zero-day exploits (and, increasingly, zero-hour exploits).
If there was ever a need for a technology that helps IT managers win their race against the malware clock, patch management is it. As a one-stop shop for automating the testing and patching of a multitude of applications across a multitude of operating systems (servers as well as notebooks and desktops), an investment in Patchlink Update -- a subscription-based solution consisting of a hosted service, a centralized deployment server, and agents on the nodes that need regular updating -- could be short money. Amongst the sea of solution providers here at Gartner's Symposium whose wares typically run in the hundreds of thousands of dollars, Patchlink costs only $1,600 per server (a single server can handle 5,000 to 10,000 nodes) plus $18 per node ($75 per Unix node). Both figures are annual.
One of the most interesting aspects of Patchlink, according to my interview with the company's marketing director Don Leatham (available as an MP3 that can be downloaded or, if you're already subscribed to ZDNet's IT Matters series of audio podcasts, will show up on your system or MP3 player automatically; see ZDNet's podcasts: How to tune in), is how Patchlink grabs patches as soon as they're available and tests them against up to 200 common system configurations. Your enterprise desktop, notebook, or server images may not exactly match any of those 200 configurations, but the sheer volume of testing means that if Patchlink flushes out an incompatibility, it has very likely saved you the trouble of finding the same problem through your own testing. Once a patch sails through Patchlink's battery of tests (essentially a prequalification step), Leatham suggests deploying it to your own test systems before a full enterprise rollout. Here, too, Patchlink comes in handy: through its policy administrator, IT managers can automate a staged rollout. Test systems can be the first stage; within hours, a set of real-user guinea pigs can be the second; and the rest of the enterprise the third. Patchlink automates all such staging.
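To make the staging concrete, here is a small model of such a policy as an added example. It is my own code, not Patchlink's, and the page does not describe how Patchlink's policy administrator is actually configured; the point it shows is the gate between stages. Each stage starts a fixed number of hours after the previous one, and only once every host in the previous stage has reported back and the failure rate is within the limit set for the next stage, so a patch that hoses the lab boxes never reaches real users. Host names, the patch identifier and the dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Stage:
    name: str
    hosts: tuple             # hostnames that receive the patch in this stage
    delay_hours: float       # hours after the previous stage's start before this one may begin
    max_failure_rate: float  # share of the PREVIOUS stage's hosts allowed to fail before this stage starts


@dataclass(frozen=True)
class RolloutPlan:
    patch_id: str
    start: datetime
    stages: tuple


def schedule(plan):
    """Earliest start time of each stage from the cumulative delays (gates not considered)."""
    t = plan.start
    times = {}
    for stage in plan.stages:
        t = t + timedelta(hours=stage.delay_hours)
        times[stage.name] = t
    return times


def gate(plan, stage_index, results):
    """Decide whether plan.stages[stage_index] may start.

    results maps each host of the previous stage to 'ok', 'failed' or 'pending'
    (the status the agent reported back to the deployment server).
    Returns (allowed, reason).
    """
    if stage_index == 0:
        return True, "first stage has no gate"
    prev = plan.stages[stage_index - 1]
    this = plan.stages[stage_index]
    unreported = [h for h in prev.hosts if results.get(h, "pending") == "pending"]
    if unreported:
        # Hold: a host that has not reported may be hung or wedged by the patch.
        return False, f"{len(unreported)} host(s) in '{prev.name}' have not reported: {unreported}"
    failed = [h for h in prev.hosts if results[h] == "failed"]
    rate = len(failed) / len(prev.hosts)
    if rate > this.max_failure_rate:
        return False, f"'{prev.name}' failure rate {rate:.0%} exceeds {this.max_failure_rate:.0%}: {failed}"
    return True, f"'{prev.name}' failure rate {rate:.0%} is within {this.max_failure_rate:.0%}"


# Constructed plan: three lab boxes, five pilot users a few hours later, everyone else the next day.
# PATCH-EXAMPLE-001 is a placeholder identifier, not a real bulletin number.
PLAN = RolloutPlan(
    patch_id="PATCH-EXAMPLE-001",
    start=datetime(2005, 10, 18, 9, 0),
    stages=(
        Stage("test", ("lab01", "lab02", "lab03"), 0, 0.0),
        Stage("pilot", ("u01", "u02", "u03", "u04", "u05"), 4, 0.0),
        Stage("enterprise", ("ws001", "ws002", "ws003"), 24, 0.2),
    ),
)


def main():
    for name, when in schedule(PLAN).items():
        print(f"{name:<10} {when:%Y-%m-%d %H:%M}")
    # Lab results: all three installed cleanly, so the pilot stage may proceed.
    print(gate(PLAN, 1, {"lab01": "ok", "lab02": "ok", "lab03": "ok"}))
    # Pilot results: one of five failed (20%), still within the 20% allowed for the enterprise stage.
    print(gate(PLAN, 2, {"u01": "ok", "u02": "failed", "u03": "ok", "u04": "ok", "u05": "ok"}))
    # Pilot results: one host never reported back; hold rather than push to everyone.
    print(gate(PLAN, 2, {"u01": "ok", "u02": "ok", "u03": "ok", "u04": "ok"}))


if __name__ == "__main__":
    main()
```

The zero-tolerance gates on the first two stages are deliberate: a single failed lab box is cheap to investigate, whereas the same failure spread across thousands of desktops is the outage the staging exists to prevent. Treating an unreported host as a hold rather than a pass is the other detail worth copying; a machine that is wedged by a patch is exactly the one that will not phone home.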
Said Leatham in the interview:
Patching is a strategic function within the IT space. We established ourselves as experts at gathering security content, usually in the form of patches but it can also be in terms of vulnerability remediation. We bring those into our environment. We test them. We make sure they work and then we wrap them in metadata to make sure they can function within our [patch management] environment and then our customers subscribe to the various platforms. They download the patches and vulnerability remediations [from us] into their environment and they're allowed to establish policy, at which point automation takes over and allows those patches and vulnerability remediations to be deployed throughout their organizations.
Another cool feature of Patchlink is the way it keeps tabs on patched systems. If, for example, installing some other software overwrites DLLs in a way that effectively "backrevs" a patch, Patchlink detects that the previously applied patch is no longer intact and automatically redeploys the correct software.
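As an added example of that kind of check (my own code, not Patchlink's, whose actual mechanism the page does not describe): the deployment server keeps, for each applied patch, the file versions that patch installed; an audit compares the versions the agent reports against that baseline and flags any patch whose files are missing or older than expected for redeployment. The patch identifiers, paths and version strings below are placeholders, not real bulletins or Windows files. The example also shows the pitfall that makes such checks silently pass a downgrade: comparing version strings lexically instead of numerically.

```python
from dataclasses import dataclass


def parse_version(version):
    """'6.0.6001.18000' -> (6, 0, 6001, 18000).

    Compare as integer tuples, never as strings: as strings, '6.0.6001.9000' sorts
    after '6.0.6001.18000' because '9' > '1', which would hide a real downgrade.
    Only dotted numeric versions are handled (an assumption of this example).
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_backrev(installed, required):
    """True when the installed file version is older than the version the patch put in place."""
    return parse_version(installed) < parse_version(required)


@dataclass(frozen=True)
class PatchBaseline:
    patch_id: str
    files: dict  # path -> version the patch installed; anything older means the patch was undone


def audit(baselines, installed):
    """Re-check every applied patch against the versions currently on disk.

    baselines: PatchBaseline records for patches the server believes are applied to this node.
    installed:  {path: version} inventory reported by the agent.
    Returns one finding per patch that is no longer intact, listing the offending files
    and the action the server should take (redeploy that patch).
    """
    findings = []
    for baseline in baselines:
        broken = []
        for path, required in baseline.files.items():
            have = installed.get(path)
            if have is None:
                broken.append((path, "missing", required))
            elif is_backrev(have, required):
                broken.append((path, have, required))
        if broken:
            findings.append({"patch_id": baseline.patch_id, "action": "redeploy", "files": broken})
    return findings


# Constructed data. Patch identifiers and paths are placeholders, not real bulletins or files.
BASELINES = [
    PatchBaseline("PATCH-EXAMPLE-001", {
        r"C:\Windows\system32\examplenet.dll": "6.0.6001.18000",
        r"C:\Windows\system32\examplesvc.exe": "6.0.6001.18000",
    }),
    PatchBaseline("PATCH-EXAMPLE-002", {
        r"C:\Windows\system32\exampleimg.dll": "5.2.3790.2",
    }),
]

# Inventory after an unrelated installer silently dropped an older examplenet.dll back in place.
INVENTORY_AFTER_INSTALLER = {
    r"C:\Windows\system32\examplenet.dll": "6.0.6001.9000",
    r"C:\Windows\system32\examplesvc.exe": "6.0.6001.18000",
    r"C:\Windows\system32\exampleimg.dll": "5.2.3790.2",
}

# Inventory on a node that is fully up to date (one file even newer than the baseline).
INVENTORY_CLEAN = {
    r"C:\Windows\system32\examplenet.dll": "6.0.6001.18000",
    r"C:\Windows\system32\examplesvc.exe": "6.0.6001.18010",
    r"C:\Windows\system32\exampleimg.dll": "5.2.3790.2",
}


if __name__ == "__main__":
    for finding in audit(BASELINES, INVENTORY_AFTER_INSTALLER):
        print(finding["patch_id"], finding["action"])
        for path, have, required in finding["files"]:
            print(f"  {path}: installed {have}, patch requires {required}")
    print("clean node findings:", audit(BASELINES, INVENTORY_CLEAN))
```

A newer file than the baseline is not a finding, since a later patch may legitimately supersede it; only an older or missing file means the earlier fix has been undone. The check is only as good as the inventory the agent reports, so the audit has to be re-run after any software install, not just on the patch cycle, which is the "keeps tabs" part of the feature described above.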