
OS/Windows | IT Security

Managing endpoint software diversity, productivity and risks

29 October 2021, William Fendt

It’s a classic good news/bad news situation. The good news is that users today have a seemingly limitless array of software products they can install to help them accomplish various tasks.

The bad news -- at least for IT pros -- is that each new package inevitably becomes another vector for cyberattacks that must be monitored and mitigated.
Hardly a day goes by without some software vendor, cybersecurity organization or white hat hacker reporting a sometimes-more, sometimes-less critical security vulnerability. A glance at the NIST NVD and other security portals makes that painfully clear. Many users automatically associate security issues with Windows or MS Office applications because of the number, visibility and impact of past security issues that affected software used by an overwhelming majority of businesses. While Microsoft products are far from being vulnerability-free, the company in recent years has significantly reduced the incidence of security issues and maintains an active monitoring and patching program.

Managing the deployment of Microsoft patches can be time-consuming. But staying on top of vulnerabilities found in an expanding range of other applications on user PCs can be an even greater challenge. For example, the use of video call apps such as Zoom or BlueJeans has skyrocketed since the start of the pandemic. PDF editing and reading tools from vendors other than Adobe are in wide use. And many PCs now have at least three browsers installed, each with its own set of vulnerabilities.

That’s just for starters. Other applications include:

  • Remote management tools
  • Printer drivers (which are often more like applications than mere “drivers”)
  • Security solutions
  • CRM, ERP and other back-office systems 
  • Image editing
  • User-required or preferred apps

The list goes on.

Every vendor delivers patches

The vast majority of software vendors now provide regular updates and patches to quickly close critical security gaps and zero-day exploits. That’s good.

However, it is also important to realize that "regular" + "many applications" = "many patches" - possibly on a large number of PCs. This in turn indicates the time, effort and support IT teams need to roll out any given patch, assuming that your endpoint hardware and software inventory reports are current and sufficiently detailed.

IT managers also need tools to manage patches and apply them to individual systems or groups of systems with pinpoint accuracy. Such central administration is urgently recommended for a number of reasons, not the least of which is that few employees have sufficient admin rights on their PCs. Just one click on a link in a fraudulent “critical patch” email and you have a company-wide ransomware attack on your hands.

In addition, not every computer in every department needs the same update. For example, Excel macros that use an "exotic" spreadsheet function may not work after an update. Sometimes rarely used functions in one version are not supported in its successors. That requires testing in a controlled environment to see if the macro still works. If it doesn’t, you can perform a rollback and adapt the macro as needed. 

That’s why IT admins need a level of network transparency that enables them to identify which endpoints need more prep while moving ahead with patching other systems. It’s also why a patch management solution with automation must be both comprehensive in scope and highly adaptable to a company’s specific needs. That’s the approach we take with baramundi Patch Management & Managed Software solutions.

What patch management automation should include

Automation for patch management is a must, not only for Windows systems but for iOS, Android and macOS devices. There’s no sense in securing the Windows endpoints while leaving the others unpatched or needing manual intervention.

Automation must also enable rollbacks because software vendors can withdraw security-related updates for various reasons. You can quickly run into serious problems if your patch management solution can’t handle this.

Better automated patch management = better security

The automation features in baramundi Update Management & Managed Software eliminate the need to search for, package and parameterize updates, or worry retroactively about compatibility and performance. Automation also improves IT productivity, recruitment and retention by off-loading repetitive tasks and freeing staff time for higher-value projects such as digital transformation and AI, or training for new certifications. At minimum, it reduces worries about keeping up with everyday maintenance of critical IT systems.

Automation increases security and productivity and, arguably, company competitiveness and growth by enabling technical staff to focus resources on optimizing corporate IT infrastructure.
