10 Replies Latest reply on Dec 31, 2012 3:12 AM by cpl_goodwin

    Monitoring unpatched systems?

    Joep Piscaer

      I was reading up on Thwack, and saw an article about how unpatched systems can lead to all kinds of funky business, like bank fraud. The article goes on to describe how SolarWinds Patch Manager can save the day by keeping all systems and (especially) applications patched up.

      That got me thinking; do we need some kind of monitoring for this to keep our infrastructure running smoothly? For instance, an unpatched environment can lead to privilege escalation vulnerabilities like we saw with Intel processors and a bug in the BIOS in 2009. These vulnerabilities can have a devastating effect on our infrastructure like service outages, downtime and data corruption. Of course, there are other examples of unpatched software causing downtime, performance problems or security risks.


      I would like to be notified by my monitoring software that the system is not healthy due to unpatched BIOS, hypervisor, storage array or Ethernet switch firmware, etc. There are vendor-specific tools out there (Windows Server Update Services, VMware Update Manager, Dell Repository Manager, to name a few), but they vary in features, compatibility and usability, and don't capture the entire infrastructure's state.

      Do you implement version and/or patch monitoring in your environment? If so, do you use a centralized (vendor-neutral) tool or vendor-specific tools?

        • Re: Monitoring unpatched systems?
          Sohail Bhamani

          I have seen both done in the many client environments I have visited this year.  I have also seen where some customers will heavily firewall sections of their networks, allowing only very limited access and not patching at all in those instances.  I guess in the end, you have to do something.  That something could be some of the things you have mentioned, or it could also be blocking access across the board using firewalls or access lists.

          If I were the operations person who was responsible for this, I would most definitely use something like SW's Patch Manager since it just makes sense.  In today's fast-paced IT world, any useful tool or utility will need to be used to keep up.


          Sohail Bhamani

          Loop1 Systems

          http://www.loop1systems.com

          • Re: Monitoring unpatched systems?
            byrona

            We utilize the BMC Numara Asset Core for Patch Management solution (we invested in this days before SolarWinds acquired a patching solution) and it allows us to manage Microsoft patches as well as other 3rd party patches.  We can go in and see which systems are not compliant with our patch rules.

            We also do as Sohail.Bhamani has suggested and firewall our environment using white-list-only access, so only the absolutely necessary ports are allowed through.

            • Re: Monitoring unpatched systems?
              bsciencefiction.tv

              We have a team dedicated to patch management.  They test out every patch/update and are very selective on which ones get implemented.  They then use a custom SCCM management system our developers created to patch all systems.  We then have rules on which patch level is allowed to connect to the network.

              • Re: Monitoring unpatched systems?
                RandyBrown

                Patch management is hard when you have hundreds of servers, dozens of vendors, and a hospital environment where downtime is to be kept to an absolute minimum.  That said ... we, like so many others, do attempt to keep our servers as up-to-date as possible.  WSUS is currently our patch management system of choice for Windows servers and workstations.

                A single pane of glass that shows "health" based on the patch level of server OS, server BIOS, data switches, fibre channel switches, SAN hardware, etc. would be very nice.

                • Re: Monitoring unpatched systems?
                  robertcbrowning

                  I agree with all the above. Many of my clients have taken the easy approach of limiting the quantity of vendors and then using those few vendors' tools to manage patching. (And then I've bolted those displays into Orion!) But a single pane is still the simplest way to consolidate and then identify today's most important problem.

                  • Re: Monitoring unpatched systems?
                    joelgarnick

                    I think SAM actually accomplishes some of this (some of the firmware update notifications), but it doesn't do it all that elegantly... it just throws a warning on the component and then you have to go dig around in the system to find why it went into warning.  Firmware updates have become more and more of a problem for us as we find systems that have been running untouched for years and have firmware revisions as old as 2006.  We are in the process of rolling out the vendor-specific monitoring solutions (IBM Director/HP Insight Manager) and use Altiris to push OS patches.  I don't think we do any software patch monitoring, unfortunately....

                    • Re: Monitoring unpatched systems?
                      UKTonyK

                      In these days of virtual infrastructure and the 'on a whim' build of servers that it allows, it is imperative that full monitoring of devices is available. Especially as a device built from a template could very well have the same SusClientId as one, or many, other devices, giving a false impression of the state of the infrastructure. SW Patch Manager is a very good start to be able to visualise where patches are required, but a single screen to show the health, or otherwise, of all servers, incorporating BIOS levels, firmware, patches, etc. would be ideal, but far from easy to develop I imagine. (PS: a scan of all devices to show where SusClientIds are duplicated would be good too!)
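The duplicate-SusClientId scan asked for above, as an added example that is not code from the thread or from SolarWinds: it reads the WSUS client identity from each host's registry and groups hosts that share one. It assumes WinRM is enabled on the targets, the caller can read HKLM remotely, and the host list is a placeholder.

```powershell
# Added example: find WSUS SusClientId values shared by more than one host.
# Hosts cloned from a template without a sysprep-style reset keep the same
# SusClientId, so WSUS sees them as a single client and reports are misleading.
# Assumptions: WinRM enabled, rights to read HKLM remotely, placeholder host names.

function Get-SusClientId {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            SusClientId  = $props.SusClientId   # $null when the value has never been set
        }
    } | Select-Object ComputerName, SusClientId
}

function Find-DuplicateSusClientId {
    param([object[]]$Records)
    $Records |
        Where-Object { $_.SusClientId } |            # skip hosts with no ID yet
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |            # keep only shared IDs
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Count       = $_.Count
                Hosts       = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

# Placeholder inventory; replace with your own list (e.g. from AD or Orion).
$Computers = 'SRV01', 'SRV02', 'SRV03'
$records   = Get-SusClientId -ComputerName $Computers
Find-DuplicateSusClientId -Records $records | Format-Table -AutoSize
```

Any host listed in a shared group needs its WSUS client identity regenerated before its patch-compliance reporting can be trusted.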

                      • Re: Monitoring unpatched systems?
                        storn

                        In my previous life we used AutoIT to bundle patches together. We utilize CA Desktop and Server Management to stage and deploy patches.

                        This process worked well for us; however, we only had one SME with AutoIT, and when he left the company we had to come up with a new approach for patching our systems. If SolarWinds PM had been out, we certainly would have looked at it then.

                        • Re: Monitoring unpatched systems?
                          jeremymayfield

                          I have tested Kace and many other systems; there is no golden compass for patch management.  The best thing is to follow the industry best practices, train your users correctly, and stay current with education.  Then ask management for a nice budget and get a solution that will work for a couple of years until you can get more money to improve the solution.

                          • Re: Monitoring unpatched systems?
                            cpl_goodwin

                            I also agree with the above; a single view to see all server OS patches and BIOS / firmware updates would be a great help! When you log a call with any vendor for a hardware case, the first get-out-of-jail card they play is firmware / driver version. If we had a way to keep on top of all the firmware / driver versions it would help speed up our cases.