SUS Draw Backs
WHITE PAPER
Why Free Patch Management Tools Could Cost You More
Selecting the Right Solution can Save Your Company Time and Money
By KACE & Lumension
Copyright 2009 Lumension and KACE Networks, Inc. All rights reserved.
TABLE OF CONTENTS
Introduction
Point Patching versus Complete Patch Management
The Hidden Costs and Missing Capabilities of WSUS Point Patching Product
  Microsoft OS and Applications Only
  Requires Additional Point Products even for Windows-only Environments
  Cannot Consolidate Operations
  Does Not Satisfy Regulatory Compliance Requirements
  Poor Discovery of Unmanaged Assets
  Requires Domain Membership
  Poor System Software and Hardware Inventory
  Cannot Manage System Configurations
  Overall Higher Labor and Product Costs
Comprehensive Patch Management Solution is the Right Solution
  KBOX Security Audit and Enforcement Module
  Configuring and Scheduling Patches
  Patch Management and Deployment
  Tracking and Reporting
Conclusion
Introduction
Today's economic situation underscores the importance of scrutinizing all
business expenses, particularly within IT. As organizations look to keep operating
expenses down, free technology solutions start to look more attractive. However, when
choosing a solution for patching your systems and servers, it is important to consider the
total cost of ownership (TCO) and the difference in key capabilities between point
patching products and comprehensive patch management solutions. Although point
patching products, such as Microsoft's Windows Software Update Services (WSUS), may
look more attractive on the surface, closer inspection often reveals hidden costs and
missing capabilities. These solutions could ultimately end up costing organizations more
money to fully protect their IT environments. Microsoft WSUS's lack of
scalability, coverage and flexibility could leave organizations with fragmented patch
management and a weaker security posture, while also being a more costly and
cumbersome option for organizations to maintain.
Point Patching versus Complete Patch Management
Point patching products such as WSUS solve very specific problems, but a major
drawback to this free utility is that WSUS doesn't support non-Windows systems and
third party applications. Furthermore, solutions like WSUS neither consolidate nor
centralize the management of mixed systems and applications, patch deployments and
maintenance tools, nor do they have the ability to discover blind spots that are not being
managed. The result is a point product with a fragmented approach to vulnerability
management and a lack of visibility into the overall patching and risk posture. The
unanswered needs for the organization to manage third party applications and operating
systems often force the use of multiple disparate tools as well as consume large
quantities of staff resources.
A better choice is a complete Patch Management Solution, which comprises more
than simply sending patches to Windows devices. Comprehensive Patch Management
Solutions address the entire vulnerability management lifecycle:
• Automated discovery of all unmanaged and rogue devices on the network
• Full network scanning to determine vulnerabilities and exposures
• Rapid patching and remediation of all IT assets from a centralized management
  console
• Policy enforcement of approved software installed on systems
• Ongoing validation and maintenance of correct patch and configuration levels on
  systems
• Robust management and reporting
A complete Patch Management Solution provides a single platform and a robust content
repository that can address Patch Management in a holistic manner without the
requirement to procure multiple point products or the increase in staffing to author
scripts on an ad hoc basis for third party applications. The advantage to these solutions
is an overall lower operating cost due to consolidated management as well as a stronger
overall security posture and flexibility to proactively address issues with less staffing
burden.
The Hidden Costs and Missing Capabilities of WSUS Point Patching Product
When it comes to Microsoft's WSUS 3.0 free solution, the traditional consumer adage
wisely urges us to: "Remember, if it looks too good to be true, it probably is."
Microsoft OS and Applications Only
Microsoft's WSUS provides organizations with the basic capability to patch only Microsoft
Operating Systems and Microsoft applications. But that's all. There is no support for
non-Microsoft applications or operating systems. Even the most homogeneous Microsoft
environments have a myriad of third party applications running that require regular
assessment and patch management to ensure critical vulnerabilities are mitigated and
regulatory compliance standards are met. The modern IT environment is simply too
diverse and heterogeneous not to include the use of applications such as Acrobat Reader,
Apple's QuickTime or Sun's Java Runtime Engine, an enabler of OS independent
applications. Additionally, unless an organization implements an application control
policy, users may also have introduced personal productivity or entertainment
applications, such as Apple iTunes, which may further diversify the variety of well-known
applications subject to patching. The result is that organizations are not only faced with
patching Windows and non-Windows OSes and applications, but also custom applications
that WSUS cannot address.
Requires Additional Point Products even for Windows-only Environments
As critical vulnerabilities are inevitably introduced through these non-Microsoft
applications, organizations that have chosen WSUS as their strategic Patch Management
solution are left with a gaping unanswered need and will have to reactively invest in
additional technology and possibly staff to address the WSUS shortfall. The decision to
go with the free tool in this case results in the ultimate need for multiple point products
to solve the patch management challenge, rather than using a consolidated solution that
effectively manages the needs of the organization while also reducing operational TCO.
Even Microsoft has noted that more than 9 out of 10 recent software exposures are the
result of user productivity software [1].
A business should consider mitigating risk across a variety of attack vectors. The table
below illustrates the breadth of potential exposure across technologies.

Vulnerability Surface                           Percentage
Windows OS & Microsoft Applications             38%
Apple & Apple Applications                      24%
Other Applications for Windows [2]              29%
Network, Network OS & Network Technologies      7%
Unix and Linux Only Platforms & Applications    3%
US CERT Technical Cyber Security Alerts 2006-2008 [3]

Focusing only on Microsoft applications leaves a large exposure which can be
targeted.
Cannot Consolidate Operations
Though many businesses may be a Windows-only shop in their choice of operating
system, numerous organizations implement a variety of operating systems
(such as Mac OS X, Sun Solaris, HP-UX, Red Hat Enterprise and SUSE Linux). Having a
well-rounded Vulnerability Management Solution allows organizations to effectively
address the OS patching needs across a diverse IT environment, simplifies the operational
burden, and reduces operating expense. In addition, it eliminates the requirement of an
additional patch solution when utilizing WSUS.
Does Not Satisfy Regulatory Compliance Requirements
This breadth of application and OS support may be particularly important in light of
compliance considerations. For example, if a company's financial compliance internal
control system utilizes IT/application security, then there is a set of high-level criteria,
which may be assessed by audit under Section 404 of SOX. In an audit checklist for SOX
404 compliance, there may be a requirement that patching extend to every product
utilized in the IT control system. Since WSUS misses non-Microsoft applications, WSUS
alone cannot earn a check mark for the audit list item. Some other method of patching
the non-supported applications must be specified to meet compliance requirements.
[1] Microsoft Security Intelligence Report: January through June 2008, Vinny Gullotto, et al.
[2] Includes Windows only as well as multiple OS Applications
[3] Source US-CERT (www.us-cert.gov) Technical Cyber Alerts as of October 31, 2008
Poor Discovery of Unmanaged Assets
Since WSUS is designed to only manage Windows systems, it relies heavily on Active
Directory to understand what assets are deployed in the IT environment. Unmanaged or
rogue devices will not be identified for further inspection. This lack of visibility or
intelligence results in dangerous blind spots that can leave poorly managed assets
completely vulnerable to attack, undermining even the best attempts to ensure standard
adherence to security policies.
Requires Domain Membership
WSUS assumes, and in fact, requires that all managed Windows systems be members of
the domain. Many IT environments simply cannot guarantee that all of their critical
Windows systems are being effectively managed through Active Directory. Assets not
being managed through the domain will not be eligible for the WSUS product. This in
effect means that any organization running isolated workgroups will not be able to
deploy WSUS in their environment.
Poor System Software and Hardware Inventory
Since WSUS is solely focused on Windows patches, it does not capture inventory
information about installed non-Windows software and local hardware. This lack of
context limits the usefulness of WSUS, and another tool will be needed to collect this
information.
Cannot Manage System Configurations
Patch Management is just one part of a comprehensive vulnerability management
process. According to Gartner, 65 percent of all network exploits are attributed to system
misconfigurations, by far the largest cause of network security problems. Security
configuration setting issues can be attributed to just as many of the known vulnerabilities
that need to be managed in order to have secure and running operations. The drawback
to WSUS is that it does not provide security best practices or native capabilities to assess
and remediate misconfiguration issues.
Overall Higher Labor and Product Costs
The need for multiple point products and the staffing burden required to manage WSUS
is a concern that even Gartner has identified. According to a recent report by Gartner [4],
some organizations continue to take the at first glance less-costly but more
manual-intensive path by using Microsoft's Windows Server Update Services (WSUS) to patch the
operating system and Windows applications because it's free. Although Microsoft has
improved WSUS, client feedback suggests that WSUS is not as rich in content
(pre-req/co-req) and as robust in targeting and reporting as the focused patch solutions.
Thus, organizations accepting WSUS as good enough have significantly higher labor
costs for content analysis, testing and deployment. Although Microsoft is making
improvements to WSUS, we do not believe it will be a best-of-breed solution for patch
management.
Comprehensive Patch Management Solution is the Right Solution
KACE, in partnership with Lumension, delivers a complete patch management solution
fully integrated into the KBOX Systems Management Appliance. KBOX Patch
Management saves organizations time and money by providing a comprehensive and
reliable patch management solution that is also easy-to-use and affordable. This gives
organizations robust security without the time, complexity and cost of traditional
software solutions. The KBOX agent leverages technology from Lumension, the industry's
leading patch management solution for reliable vulnerability detection and remediation.
Utilizing Lumension's content repository, KBOX provides one of the largest patch
repositories including patches for Windows and Mac operating systems, as well as a wide
range of applications from vendors including Microsoft, Apple, Adobe, Symantec and
Mozilla. KBOX also utilizes Lumension's Digital Fingerprint Technology to accurately and
reliably assess and remediate vulnerabilities. All of these capabilities are managed
through the intuitive KBOX web-based management console, where administrators can
control scanning and distribution schedules to minimize business disruptions. This broad
coverage eliminates the hidden costs associated with point patching products by
consolidating vulnerability assessment and patch deployment from a centralized
management console, empowering organizations to accomplish more with less staffing
burden.
KBOX Systems Management Appliance allows convergence of patch management
capabilities with best of breed IT system management practices and provides the
foundation for a more successful and cost-effective patch management implementation
over WSUS in several ways, including:
• Comprehensive support for heterogeneous environments, including multiple
  OSs and broad coverage of common third party applications
• Consolidation of operations with a single solution
• Meeting compliance requirements for patch and vulnerability management
• Automated discovery of all assets in the IT environment, including
  unmanaged and rogue devices
• OVAL-based vulnerability scanning of all managed systems
• Assessment of security configurations as well as patches
• Security configuration policy enforcement
• Reducing the TCO of Patch Management
[4] Gartner: The Patch Management Market: Collision or Coexistence? Ronni Colville, March 2008
KBOX Security Audit and Enforcement Module
In addition to providing a more complete solution for Patch Management, the KBOX
Security Audit and Enforcement Module provides tools for policy compliance which are
absent in WSUS. This module provides open standards-based configuration management
and monitoring and assessment of computing systems to ensure adherence with
regulatory requirements or specific company-defined policies. KBOX vulnerability
scanning also enables customers to quickly assess their compliance posture, by
leveraging definitions written in Open Vulnerability and Assessment Language (OVAL).
OVAL is the information security community's standard endorsed by US Computer
Emergency Readiness Team (US-CERT) and the Department of Homeland Security. It
promotes open, publicly available security content and standardization of its transfer
across security tools and services. This includes setting the testing schedule
(Security/OVAL Tab), and results reporting. Over 1700 pre-defined tests are included,
and new tests are added as they are defined and published.
The KBOX Security Audit and Enforcement Module also provides several easy-to-use
ways to enforce PC configurations for improved security. First, the KBOX includes a
number of pre-configured policies that are ready to be deployed. The Quarantine
capability, for example, enables the administrator to sever communications between a
compromised node and all other systems except the KBOX. The other main policies
include:
• Enforcing XP Firewall settings
• Enforcing IE security settings
• Enforcing anti-virus settings
• Disallowing programs
These policies typically enforce settings on PCs even when those systems are remote and
not connected to the KBOX. The KBOX also includes easy-to-use wizard-based
configuration of conditional, multi-dependency and multi-stage K-scripts that can be run
on a desktop or server. This allows users to easily create and enforce new security
policies without having to learn a scripting language.
These capabilities, combined with the KBOX flexible approach to discovering and
managing even non-domain assets, dramatically reduce the complexity and overhead of
a successful patch management process.
The consolidated system and security management capabilities of the KBOX provide
greater operational efficiency and lowered TCO due to fewer resources and less time needed to
manage the patch management process. In addition to the expanded capabilities of the
KACE Systems Management Appliance, the award-winning solution delivers granular
capabilities that deliver more versatility over WSUS.
Configuring and Scheduling Patches
KBOX gives administrators the flexibility to implement the patch management process
that fits their environment best. Administrators can choose to download only the
operating system and application patches relevant to their network, eliminating the need
to manage patches that are not applicable. KBOX also allows different groups of
machines to have different schedules for vulnerability assessment and remediation.
These groups can be dynamic based on filtering criteria, so that the patches can then be
mapped onto pre-approved detect and deploy dynamic groupings to ensure end systems
receive their updates with minimal if any IT intervention required. Administrators get the
control they need to enforce different policies for different populations of machines, such
as providing daily assessment and remediation of PCs, and weekly assessment and
remediation for servers.
Patch Management and Deployment
As the mobile user population grows, maintaining security and associated patch levels
with the KBOX can be highly automated, and set up to provide remote mobile workers
options to ensure their critical access to IT services is not delayed. End users, particularly
those who are remote and mobile with limited time on the actual network, can prioritize
their work using now/later/snooze options for patches requiring reboots. In addition, the
huge number of patches released every month can make identifying, prioritizing and
tracking patches a challenge. KBOX offers intuitive search capabilities and views that
allow administrators to quickly filter through large numbers of patches and easily track
patch deployment status.
Tracking and Reporting
Administrators coordinating patching updates across complex and distributed user bases
get visibility into the patching phases on a per machine basis, and can control scheduling
of the patches with the ability to set up patch windows with hard stops to ensure no
interruption for users during business hours.
KBOX also provides summary data on patch management and deployment progress and
status. This allows administrators to quickly confirm patches have rolled out successfully
and that systems are in compliance, and identify and remediate any systems where
patching has failed. KBOX makes it simple to generate patch compliance reports with a
wide range of pre-packaged reports, an easy-to-use reporting wizard for creating custom
reports and integration with 3rd party reporting tools.
Conclusion
WSUS acquisition cost makes it appear to be an enticing solution for patch management.
Looking deeper into the needs of the organization leads to selection of a more complete
Patch Management Solution which results in reduced long-term risk and optimized
operating expense.

Function                                                      KBOX Systems Management Appliance   WSUS Point Patching Product
Patch Microsoft OS                                            Yes                                 Yes
Support for 3rd party applications and OSes                   Yes                                 No
Consolidate Patch Management operations                       Yes                                 No
Discover unmanaged assets                                     Yes                                 No
Support for non Active Directory environments                 Yes                                 No
Security Configuration Management                             Yes                                 No
Full system inventory collection                              Yes                                 No
Dynamic policy based deployment                               Yes                                 No
Reduces staff burden                                          Yes                                 No
Lowers Patch management TCO                                   Yes                                 No
Granular Patching Control                                     Yes                                 No
Complete solution does not require additional point products  Yes                                 No
KBOX vs. WSUS Functional Comparison
KACE Corporate Background
KACE is the leading systems management appliance company. The award-winning
KBOX family of appliances delivers easy-to-use, comprehensive systems management
capabilities. KACE customers usually install in one day and enjoy the lowest total cost
compared to software alternatives.
KACE is headquartered in Mountain View, California. To learn more about KACE and its
product offerings, please visit http://www.kace.com or call 1-877-MGMT-DONE.
Helpful Links:
KBOX Systems Management Appliances
KBOX Systems Deployment Appliances
Virtual KBOX Appliances
KACE Corporate Headquarters
1616 North Shoreline Boulevard
Mountain View, California 94043
(877) MGMT-DONE office for all inquiries
(+1) (650) 316-1050 International
(650) 649-1806 fax
Sales and partnering: [email protected]
Support: support@kace.com
Other Information: inf [email protected]
On the Web: http://www.kace.com
About Lumension, Inc.
Lumension, Inc., a global leader in operational endpoint security, develops, integrates
and markets security software solutions that help businesses protect their vital
information and manage critical risk across network and endpoint assets.
Lumension enables more than 5,100 customers worldwide to achieve optimal security
and IT success by delivering a proven and award-winning solution portfolio that includes
Vulnerability Management, Endpoint Protection, Data Protection, and Reporting and
Compliance offerings. Lumension is known for providing world-class customer support
and services 24x7, 365 days a year.
Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including
Virginia, Florida, Luxembourg, the United Kingdom, Spain, Australia, India, Hong Kong
and Singapore. Lumension: IT Secured. Success Optimized. More information can be
found at www.lumension.com.
Company and product names contained may be trademarks and/or registered trademarks of
their respective owners.