Patch Management solutions?

Hi guys,

I am at the RSA Conference and checked out the booth of Shavlik Technologies, a company that focuses on managing updates across a network. I was unfamiliar with such software/processes, and was wondering what solutions are employed in the NPO sector. Do we rely on WSUS and standard imagery to affordably manage patches? What other software/strategies are cost effective for NPOs?

-Kevin

I script and use the Ct Offline Update tool produced by Heise Security.  It gives me a lot of flexibility, especially for systems/networks that aren't connected to the Internet.  [ This article describes version 3.0 ] of their product, but they are actually at [ version 5.2, which you can access by downloading ] from this page.

We use WSUS v3.0.  Works great for us.

Thanks guys. This may be an area that we can write something on be it a blog post or article.

Also I just discovered this:

http://www.gfi.com/lannetscan/

which claims to do patch management too. I'll give it a spin and see how it works.

-Kevin

I think you'd be able to set up something yourself that would be no additional license cost with WSUS 3.0 and NAGIOS / WireShark.  Seems like a lot of money to me for the service.

shipley.c:

I think you'd be able to set up something yourself that would be no additional license cost with WSUS 3.0 and NAGIOS / WireShark.  Seems like a lot of money to me for the service

WSUS, I get.  But Nagios / Wireshark?  I'm not sure how exactly that helps him monitor updates.

Nagios' native plugins can monitor whether a service is running.  But I suppose you could get creative and write a tool that looks deeper inside Window's "guts" and finds some sort of a status (via a counter?) that tells whether or not an update is needed.

(I've seen Nagios plugins to do this for Debian packages, but not for Windows)

I'm totally lost on how Wireshark might be a fit...

Nagios and Wireshark give many features that the product he linked has beyond patch management.

Finding a robust patch management solution is becoming more and more difficult as machines are less and less accessible to the management console.  I have found success using <a href="http://www.kaseya.com/products/patch-management/features.aspx">patch management</a> from Kaseya.  Because of the agent based framework, I have connectivity to every machine that is connected to the Internet, independent of location. 
 

Personally, I have done several implementations with SUS and have had no issues with the setup itself. It's better running if you have a pretty clean / maintained AD structure before considering implementing it.