Patching IT environments has always been a challenge. It is one of those things we don't really talk about anymore because the problem was solved with WSUS, wasn't it?
Well, no, actually. WSUS only addresses part of the problem, and it could be argued that it doesn't do a very good job even of that: it can be quite labour intensive and ultimately only patches the Windows OS and certain Microsoft applications. Other applications such as Adobe Reader are not covered by WSUS and as such often get left out when considering whether the environment is patched reasonably up to date. That is strange when one of the most common read-only document formats in use today is PDF, typically opened with Adobe Reader; furthermore Adobe release a security patch almost every month, many of which address a newly discovered security vulnerability in the software.
The graph below illustrates how the average OS and browser vulnerability numbers stack up against those of 3rd party software:
In light of this graphic, patching the OS would seem less important than patching the 3rd party apps from an attack-surface perspective. Granted, you won't have all those apps running at the same time in your environment, but many of them will be, and it may only take a single document with embedded exploit code to infect your systems or hand control of them to an attacker.
So patching 3rd party apps really is important, but staying on top of it from an administrative perspective is no small task, and that is before deploying the patches and verifying the deployment. This is where Shavlik Protect and Empower come in and neatly solve the problem for us.
Firstly, Shavlik supports not only the core Microsoft products but a multitude of 3rd party application vendors. It is deployed on-premise, installed onto a Windows Server OS and uses a SQL back-end.
Secondly, Shavlik makes managing the patching of your environment easy and automatic once it has been set up. Machines can be grouped for targeted patch deployment, and deployments can be scheduled for silent hours or staged to minimise the impact across the environment.
So how does it work? How do we gather information about patches for many different application types and versions from multiple software vendors? The Shavlik Content team receive notifications and patches from the various software vendors and package this information into XML files for distribution to the on-premise Shavlik server. In turn the Shavlik server enumerates the machines within scope of the patch discovery, assesses their installed software and its associated patch status, and then downloads and deploys the patches the different machines require; once the patches are available for install, installation proceeds according to the schedule set in the Shavlik console. All of this is possible without deploying an agent onto each end-point: Shavlik is normally agentless, which eases the administrative burden and also speeds up discovery and deployment.
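To make the discovery step concrete, here is an added example (not Shavlik's code; the XML layout is a constructed stand-in for the vendor-supplied content, not Shavlik's real schema, and the machine inventory is constructed sample data) that assesses each machine's installed software against a patch manifest and lists the 3rd party products still missing patches:

```python
"""Patch-status assessment of a software inventory against an XML patch manifest.
Constructed example: the manifest format stands in for the vendor XML content
described above (not Shavlik's real schema) and the inventory is sample data."""
import xml.etree.ElementTree as ET

# Constructed manifest: latest patched version per product (hypothetical values).
MANIFEST_XML = """<patches>
  <product name="Adobe Reader" latest="11.0.23" bulletin="EXAMPLE-BULLETIN-1"/>
  <product name="Java Runtime" latest="8.0.151" bulletin="EXAMPLE-BULLETIN-2"/>
  <product name="Firefox" latest="57.0.1" bulletin="EXAMPLE-BULLETIN-3"/>
</patches>
"""

# Constructed inventory: machine name -> {product: installed version}.
INVENTORY = {
    "ws-01": {"Adobe Reader": "11.0.9", "Java Runtime": "8.0.151"},
    "ws-02": {"Adobe Reader": "11.0.23", "Firefox": "52.0"},
    "srv-01": {"Java Runtime": "8.0.151", "Notepad": "1.0"},
}

def parse_version(text):
    """Split '11.0.9' into (11, 0, 9) so comparison is numeric: a plain string
    compare would wrongly rank '11.0.9' above '11.0.23'."""
    return tuple(int(part) for part in text.split("."))

def load_manifest(xml_text):
    """Return {product: (latest_version, bulletin)} parsed from the manifest XML."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.get("latest"), p.get("bulletin"))
            for p in root.findall("product")}

def assess(inventory, manifest):
    """Return {machine: [(product, installed, latest, bulletin), ...]} listing
    out-of-date products; unknown products are skipped, fully patched -> []."""
    report = {}
    for machine, installed in inventory.items():
        missing = []
        for product, version in installed.items():
            if product in manifest:
                latest, bulletin = manifest[product]
                if parse_version(version) < parse_version(latest):
                    missing.append((product, version, latest, bulletin))
        report[machine] = missing
    return report

if __name__ == "__main__":
    for machine, missing in assess(INVENTORY, load_manifest(MANIFEST_XML)).items():
        print(machine, "fully patched" if not missing else missing)
```

The numeric version comparison matters: many real-world "this host is patched" false positives come from comparing version strings lexically.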
Another problem that has plagued WSUS is patching mobile users' laptops: with WSUS the laptops will only be patched when they are connected to the corporate LAN (depending on OS version). For this use case Shavlik agents can be used.
The agent can be deployed to manage devices such as laptops that will be used off the corporate network. Once installed, the agent contacts the Shavlik server to pick up the policy for the device it is installed on; this policy dictates how the agent will scan and patch the device. By default the agent gets the XML patch details from Shavlik and the individual patches from the vendors themselves, ensuring the devices are kept up to date in line with your corporate patching strategy. With WSUS, management of such devices once they are off the network is nigh on impossible, since the WSUS server does not know what IP address the device is using; Shavlik solves this problem through the Shavlik Empower Cloud Service.
The Shavlik Empower Cloud Service is a cloud-hosted console that allows you to manage the patch strategy for mobile devices without them having to be connected to the corporate LAN. Shavlik Empower also adds Mac OS support, so that the application of Mac OS patches both inside and outside the environment can be managed and controlled through a browser-based interface.
That's not all: an additional bolt-on can be purchased called the Shavlik Power Pack. The Power Pack adds power operations to the product, enabling machines to be brought online and shut down using Wake on LAN technology. This means those gold VMs that only get patched twice a year can be kept up to date, and when they are used as templates for VM deployment the resulting VMs do not need up to 6 months' worth of patches, because they have been kept current. The Power Pack also adds the ability to schedule power-downs during silent hours to minimise power use in the environment in a non-disruptive way.
So, in summary:
- Shavlik Protect offers comprehensive patch management for both data centre and client computers; Empower adds integrated asset visibility.
- Mac OS, Windows and 3rd party patching all in a single solution.
- Easy to use and instant value: Shavlik can be installed, configured and a discovery run in 30 minutes.
- Virtualisation options include offline, template and hypervisor patching, so that updates across the virtualisation hosts can be coordinated through the same console.
- Reduce IT headaches and increase IT security.