Nov 28, 2018
Just Patch Your Systems. Please.
By Greg Thomas
Forget the boogeyman for a moment
Just for a moment, forget the nation-state threats. Forget the 16-year-old mastermind hacker operating out of his lair in the basement. Just patch your systems. Please.
This is not to say that we can forget about the boogeyman altogether. He’s out there, but let’s give our defenders a fighting chance against him by patching the gaping holes that we already know about. Much of the IT community has become satisfied with 80-95% patch compliance and it takes them 30, 60, or even 90 days after patches are released to get to that point. That leaves a huge gap that existing toolsets like SCCM still aren’t closing, 15 years after releasing a patching capability. Too many organizations are satisfied with being just okay at patching. That’s not only lazy, it’s also dangerous.
Identify the problem
Administrators waste days or weeks each month configuring software update groups, software update lists, and individual deployments, and then waste more time monitoring them all because of limitations of legacy tools. Beyond that, leadership and patch teams are accustomed to 30-to-90 day staged release cycles to distribute all patches and target all endpoints. It is not okay to wait weeks or months to install security patches. Once testing has completed, patches should install the next day.
Rethink the patching strategy and reduce the time to patch
Tanium Patch enables teams to rethink their entire patching workflow because of the speed and scale of our platform and our ability to patch both Windows and Linux systems. When patches are released, patch teams can begin testing immediately. With a few clicks they can block problematic patches and release patches to larger test groups or the entire enterprise. Monthly maintenance is as simple as changing a release date rule in a patch list and can even be completely automated using specifically defined maintenance windows.
All patches can be contained in a single patch list for deployment and reporting. Endpoints download only patches that are applicable and satisfy rules in the patch list. What once was time-consuming monthly maintenance is reduced to a few minutes of work and patch teams, service desk, and leadership can be automatically notified. Furthermore, operating system and Windows Update errors are highlighted so that remediation can occur.
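As an added illustration of the workflow described above (not Tanium's code; the rule model, patch IDs and fleet are constructed for this example), the Python below evaluates one patch list against a small inventory: a release-date cutoff that is moved forward once testing passes, a blocked patch, and a report that gives the compliance percentage together with the age of the oldest missing patch, which is the gap the post is arguing about.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data and a hypothetical rule model, not Tanium's own code.
@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str
    released: date
@dataclass(frozen=True)
class Endpoint:
    name: str
    products: frozenset
    installed: frozenset = frozenset()

TODAY = date(2018, 11, 28)
PATCHES = [
    Patch("KB-A", "Windows", date(2018, 11, 13)),  # November Patch Tuesday
    Patch("KB-B", "Windows", date(2018, 10, 9)),   # October Patch Tuesday
    Patch("KB-C", "Linux", date(2018, 11, 1)),
    Patch("KB-D", "Windows", date(2018, 11, 13)),  # found problematic in testing
    Patch("KB-E", "Office", date(2005, 6, 14)),    # old patch nobody noticed
    Patch("KB-F", "Windows", date(2018, 11, 20)),  # still with the test group
]
# One rule set for the whole estate: move the date forward once testing passes.
RULES = {"released_on_or_before": date(2018, 11, 15), "blocked": {"KB-D"}}
ENDPOINTS = [
    Endpoint("ws01", frozenset({"Windows", "Office"}), frozenset({"KB-A", "KB-B", "KB-E"})),
    Endpoint("ws02", frozenset({"Windows"}), frozenset({"KB-B"})),
    Endpoint("srv01", frozenset({"Linux"})),
    Endpoint("ws03", frozenset({"Windows", "Office"}), frozenset({"KB-A", "KB-B"})),
]

def applicable(endpoint, patches, rules):
    """Patch IDs the list releases to this endpoint: product installed,
    released on or before the cutoff, and not explicitly blocked."""
    return {p.patch_id for p in patches
            if p.product in endpoint.products
            and p.released <= rules["released_on_or_before"]
            and p.patch_id not in rules["blocked"]}

def patch_report(endpoints, patches, rules, today):
    """Compliance percentage and the age in days of the oldest missing patch."""
    age = {p.patch_id: (today - p.released).days for p in patches}
    missing = {e.name: sorted(applicable(e, patches, rules) - e.installed)
               for e in endpoints}
    compliant = sum(1 for m in missing.values() if not m)
    oldest = max((age[pid] for m in missing.values() for pid in m), default=0)
    return {"compliance_pct": round(100 * compliant / len(endpoints), 1),
            "oldest_missing_days": oldest, "missing": missing}
```

Running `patch_report(ENDPOINTS, PATCHES, RULES, TODAY)` reports 25.0% compliance with a 2005-era Office patch as the oldest gap, while the blocked KB-D and the not-yet-released KB-F are correctly left out of every endpoint's missing list.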
Eliminate the headache
There’s no struggling with SQL Server Reporting Services or WSUS cleanup as there is with SCCM. Waiting weeks for gigabytes of patches to distribute to hundreds of distribution points, or troubleshooting corrupted files on distribution points, are worries of the past. Say goodbye to thousands of unpatched computers due to out-of-date AD/DNS records or broken WMI. Forget about sifting through lists of “Unknown” machines for troubleshooting, or missing thousands of machines with unhealthy SCCM agents. There’s no more time wasted in maintenance of countless servers, update lists, and deployments.
Using Tanium, we’ve seen 350,000 endpoints complete a patch cycle in 24 hours, reducing the attack surface 30+ days earlier than other solutions. We’ve seen customers reduce their patch team’s monthly engineering time from weeks to minutes. We’ve seen compliance rates improve from single digits to 99% in a day. We’ve shown customers thousands of missing security patches as old as 2005 that they were not previously aware of. Sometimes their SCCM SUP was not even configured to evaluate some products because they were unaware those products were installed. In a single day, we’ve seen Tanium Patch outperform legacy toolsets which took months to years to properly configure and tune.
Solve the problem
By adopting a centralized patching strategy leveraging the speed and power of Tanium Patch, businesses can become resilient to emerging threats. They can focus on improving processes instead of constantly playing catch-up. As monthly patches are released, they install quickly to move through test cycles and into production. Skilled defenders and patch administrators can free up time to focus on more complex issues. Give them the time they deserve to defend your enterprise. Just don’t make patching complex because that’s the way it HAS always been done. Make it simple, the way it SHOULD HAVE always been done from day one. Use Tanium Patch.
Putting it all together
With the Tanium Architecture and Tanium Patch, we provide the speed, scale, and reduced workload that patch teams need, resulting in higher compliance percentages. Tanium Patch is an integral part of the Tanium Operations Suite, which is designed to transform IT operations through speed and simplicity.
This is the fourth blog in our series covering Tanium for IT Operations. Read the previous installments here:
- It’s Time to Modernize IT Operations. Business Resilience Depends on It
- IT Operations Starts with Visibility to All Devices
- IT Operations Success Requires Knowing Your Assets