Feb 10, 2021

Patch Management: Challenges and Solutions for Implementing an Effective Strategy

Many security incidents occur when criminals exploit known vulnerabilities in their target’s environment — often those vulnerabilities sit on unpatched assets

By Greg Thomas, Director of Product Management, Tanium

Patch management is not a new practice.

But many organizations still struggle to perform it effectively.

We wrote this article to fix that problem. We will explore:

  • Why patch management is so important
  • How to perform patch management effectively
  • Why many organizations still fail at patch management
  • How you can perform patch management effectively with Tanium

Why patch management is more important than ever

Patch management has been a fundamental security practice for decades.

Here’s why.

Many security incidents occur when criminals find and exploit a known vulnerability in their target’s environment. Often those vulnerabilities sit on unpatched assets.

By performing effective patch management, you reduce this risk. You close known vulnerabilities in your environment and raise the barrier to entry for criminals. 

This practice has mattered for as long as organizations have had assets to secure.

But in recent years, patch management has become truly critical.

Just consider a few trends:

  1. Organizations have more assets than ever. They have more devices, more applications, and exponentially more opportunities for missing patches.
  2. Criminals are getting better at finding unpatched assets. They are using automation to rapidly scan the web for any asset with missing patches.
  3. The impact of a missing patch is greater than ever. A single missing patch on an asset can now create a global, organization-wide security incident.

These trends are large.

They are dangerous.

And they are accelerating.

But you can prevent the risk they create by performing effective patch management. 

Here’s how.

How to perform patch management effectively

Effective patch management is simple.

It needs to achieve only one primary objective — it must keep all of the assets in your environment up to date with all of their patches at all times.

To achieve this objective, an effective patch management process must be able to:

  • Create Patch Visibility. It must be able to identify every asset in your environment, inventory every patch they are supposed to carry, and identify which of those patches are applied and which are missing.
  • Successfully Apply Patches. It must be able to apply every missing patch it identified in your environment — on every asset — and to validate that each of those missing patches was actually applied properly.
  • Maintain a Short Patch Window. It must be able to identify and apply missing — or new — patches quickly and efficiently enough to minimize the amount of time any asset remains unpatched in your environment.

As we said — at its heart, effective patch management is simple.

And yet most legacy patch management tools fail to meet these simple requirements — or to achieve their primary objective — in modern environments. 

Here’s what those tools get wrong.

Why legacy patch management tools often fail in modern environments

The core problem is easy to understand.

Legacy patch management tools were designed for legacy environments.

In those legacy environments, organizations deployed fewer assets. Those assets were known and provisioned by IT, and they all lived on-premises all of the time.

But times have changed, and so have asset environments.

In modern environments, organizations deploy to a large volume and diversity of assets. These assets are often provisioned by users and unknown to IT, and they increasingly live off the corporate network in remote and mobile networks.

Legacy tools were not designed to handle this large volume and diversity of distributed assets. And when they are used to perform patch management in modern environments, they often fail to deliver on the practice’s most simple requirements. 

Legacy tools typically:

  • Lack Patch Visibility. They fail to accurately catalog the environment’s diverse and distributed assets, let alone the patches missing on those assets.
  • Struggle to Apply Patches. They cannot share large patch files with large volumes of distributed assets without potentially crashing their networks.  
  • Produce Long Patch Windows. They demand a lot of effort, leading to long patch windows, long timelines to compliance and even intentionally ignored patches.

In short: legacy patch management tools fail because they were designed for legacy environments only. To perform effective patch management in modern environments, you must leverage a modern patch management tool.

Here’s what that looks like.

How to effectively patch modern environments with Tanium

Tanium was designed for modern asset environments and uses a lightweight, distributed architecture. 

This allows Tanium to continuously scan the asset environment and to rapidly deploy large patches to assets without network strain — no matter the volume or location of those assets.

By leveraging this modern architecture, your organization can:

  • Create Comprehensive Real-Time Patch Visibility. Customers typically find 10-20 percent more assets in the environment than they knew they had. Tanium then evaluates each asset’s patch status against the patch catalogs of its device or application vendors.
  • Apply Large-Scale Patches Quickly. Tanium uses edge computing to rapidly share and apply big patch files to hundreds of thousands of assets without generating network strain. It then validates the application of the patches and reapplies those that initially failed.
  • Reduce Patch Windows to Hours or Days. Tanium simplifies, streamlines and automates much of the patch management process. Our customers frequently apply critical zero-day patches within hours of their release and non-critical patches within hours or days.

The result: Tanium frequently produces 99 percent patch visibility and coverage within 24 hours of installation — and maintains this visibility and coverage with minimal effort.

How to know if Tanium is right for your organization

To see if Tanium might improve your patch management process, just ask yourself:

  1. What is my current patch visibility level? Is it more or less than 95 percent?
  2. What is my current patch coverage level? Is it more or less than 95 percent?
  3. Do I always apply patches to every asset in my environment that needs them?
  4. What is my current patch window and timeline to full compliance?
  5. Do I ever have to ignore patches and choose not to apply them to any of my assets?
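The four numbers the checklist asks about (visibility, coverage, missing patches, patch window) can be computed from any asset inventory. The Python below is an added illustration, not code from this post or from Tanium; the asset names, patch ids and timestamps are constructed, and "visibility" is modelled as the share of assets that report into the patch tool at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2021, 2, 10, 12, 0)  # fixed "now" keeps the numbers deterministic
# Vendor patch catalog: patch id -> release time (made-up ids and times).
CATALOG = {"KB-A": NOW - timedelta(hours=30), "KB-B": NOW - timedelta(days=4),
           "KB-C": NOW - timedelta(days=20)}

@dataclass
class Asset:
    name: str
    reporting: bool       # does the patch tool see this asset at all?
    required: frozenset   # catalog patches the asset is supposed to carry
    applied: dict         # patch id -> time the asset reported it installed

ASSETS = [  # constructed inventory; kiosk-03 never reports in
    Asset("laptop-01", True, frozenset({"KB-A", "KB-B", "KB-C"}),
          {"KB-A": NOW - timedelta(hours=6), "KB-B": NOW - timedelta(days=3),
           "KB-C": NOW - timedelta(days=19)}),
    Asset("server-07", True, frozenset({"KB-B", "KB-C"}),
          {"KB-C": NOW - timedelta(days=18)}),
    Asset("kiosk-03", False, frozenset({"KB-A", "KB-C"}), {}),
    Asset("vm-12", True, frozenset({"KB-A", "KB-C"}),
          {"KB-A": NOW - timedelta(hours=2), "KB-C": NOW - timedelta(days=10)}),
]

def visibility_pct(assets):
    """Question 1: share of assets the patch tool can actually inventory."""
    return 100.0 * sum(a.reporting for a in assets) / len(assets)

def coverage_pct(assets):
    """Question 2: share of required patches applied on the assets you can see
    (an asset that never reports cannot be counted as patched)."""
    required = applied = 0
    for a in assets:
        if a.reporting:
            required += len(a.required)
            applied += len(a.required & set(a.applied))
    return 100.0 * applied / required if required else 0.0

def missing_patches(assets):
    """Question 3: which assets still need which patches."""
    return {a.name: sorted(a.required - set(a.applied))
            for a in assets if a.required - set(a.applied)}

def patch_window_hours(assets, now=NOW):
    """Question 4: per asset, the longest a required patch has been (or was)
    outstanding since release; a patch still missing keeps counting."""
    return {a.name: max((a.applied.get(p, now) - CATALOG[p]).total_seconds()
                        / 3600 for p in a.required) for a in assets}
```

On this inventory visibility is 75 percent and coverage about 86 percent, both below the 95 percent line in questions 1 and 2, and the non-reporting kiosk has the longest open patch window.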

If you aren’t happy with your answers, then take the next step with Tanium.


For more information, read my previous blog post, 10 Ways Tanium Improves Patch Management.

If you’re ready to see it in action, sign up for a demo today.