As an IT Professional, you’ve got your hands full. Any opportunity to do more with what you already have is worthy of attention most any day. But, these days with hiring freezes in place for a majority of the industry, the ability to automate something like the publishing of patches could not be timed better. To that end, I’m happy to announce that you can now subscribe to patches in SVM to have them automatically published as new versions of application become available.
What Is This?
Just being aware of new software updates for a large portfolio of applications is a big challenge already. Prioritizing and taking action on such updates is what SVM does best. Now you can have the best of both worlds by having action taken as soon as a new patch appears thanks to this ability to selectively publish new SPS and VPM patches automatically as new versions become available. Better still, you can set criticality, CVSS and Threat Score limits to only automate versions of patches you deem worth of publishing.
Why Is This Important?
Flexera now offers the most patches of any provider in the industry. That might not seem like a problem, but you can’t (and shouldn't) manually deploy them all—there just isn’t enough time, and many teams don’t have the resources needed to keep up with just a subset of identified software vulnerabilities. Prioritizing patches applicable to your environment and working through them efficiently is the key to effective software vulnerability remediation. Automation of patch deployment helps you patch faster while reducing time-to-resolution. SVM’s intelligent approach to patch automation means you can limit this automation to just those patches you deem worthy of testing and deployment.
Does Automating Patching Sound Risky?
SVM can automate a lot of patches, but not all of them. No solution can automate them all (even if filtered down with effective prioritization insights). Our SPS patches can all be automated, and those VPM patches that are “deployment ready” (meaning we have the file, criteria and tested command lines build and validated for you) can be automated (over 1,200 of them). The aim of this new capability is to help you automate some of your patches, limited not only by what patches are ready out of the box, but by your own thoughtful selection and optional vulnerability and threat filters.
Automate the usual so you can focus on the unusual. Routine, repetitive patch deployment efforts for applications that you have high confidence will not result in issues are perfect candidates for automation.
Finally, we are not recommending automating to production, but to pilot systems. Testing is still a necessary step to reduce risk of deploying a bad patch. While we test patches to ensure they function as expected, anyone that has been responsible for patching and deployment for more than a few months will have a story about unexpected results. This can be because of a conflicting application, an unusual endpoint configuration, security restrictions, etc. Testing is simply a necessary step but automating the publishing of a new patch to test systems as soon as updates become available can dramatically increase the time to remediation and reduce your risk window.
How Does It Work?
Before subscribing to patches, there is one external dependency to address first. Patch automation is made possible via a new version of the Flexera SVM Patch Configuration (Version 2.x) tool, which is part of the Software Vulnerability Manager Client Toolkit.
The SVM Toolkit installer contains updates to the Flexera SMV Patch Configuration tool as well as some optional tools documented in our online community. The SVM Toolkit installer can be downloaded at:
https://resources.flexera.com/tools/SVM/SVMClientToolkitInstall.msi
Note that if you already have a previous version of the SVM Toolkit installed, the installer will upgrade you to the latest version.
With the updated SVM Patch Configuration tool installed, simply right click on any SPS template or VPM patch and choose “Subscribe to Patch”.
You can subscribe to all new patch updates (and publish any new updates as they become available) or publish a new patch only when the configurable thresholds for prioritization are met. Keeping in mind that testing is still required, we recommend setting thresholds starting with just a few patches and slowly increasing the how many over time. Add more patch subscriptions as you confirm you can comfortably manage the volume of patches subscribed through the testing and deployment process.
To reduce the risk of getting overwhelmed, we also suggest starting with simpler applications that you feel are of relatively low risk. Then, add applications that you feel would offer the most value and set criticality and threat limits to publish only those that are a priority. Over time, you can add more applications and/or reduce the criteria for automation to increase the volume of automatically published patches.
In Closing
Patch automation is the latest in series of recent updates that solidifies SVM as the best way to manage the identification, prioritization and remediation of software vulnerabilities in your environment.
- SVM boasts unparalleled research which simplifies prioritization by weeding out the junk found in public resources, rescoring for consistency, consolidating vulnerabilities addressed by any given patch to a security advisory, and layering in an easy to consume Threat Intelligence score to help you focus on those vulnerable software titles most likely to be exploited.
- SVM detects more third party software vulnerabilities than any product on the market.
- With the introduction of the Vendor Patch Module (VPM), SVM now boasts the best third-party application support on the market with a vast library of patch data and out of the box patches that are ready to deploy.
Now with intelligent patch automation capabilities, SVM can do even more to help you keep your organization safe from the risk of software vulnerabilities. It is available now, so give it a try! SVM Cloud customers can take advantage of this new capability right now, and if you are on-prem, simply download and install the latest version to start automating patches today!
