Patch Management Software Catching On

Bill Cory, director of business development at Internet Effects (IEFX), a Hillsboro, Ore., systems integrator focusing on network security, said his firm found that talking about patches was an effective way to catch the attention of potential customers. "We're a startup, so getting our foot in the door can be challenging," he said.

Security patches can be a big headache for companies, which often don't patch systems because they don't have time, he said. His firm sells BigFix software, which automatically scans systems for vulnerabilities and allows administrators to deploy Microsoft patches with a single command.

Curt Vinson, president of Lyme Computer Systems, a Lyme, N.H.-based solution provider, said his company recently landed a blanket purchase agreement with the U.S. Department of Agriculture for Scottsdale, Ariz.-based PatchLink's patch detection and deployment software. Lyme Computer Systems will outfit the USDA's 15,000 offices with the solution.

In the agreement, the USDA cited the need for an automated, comprehensive patch management system to handle the slew of patches released weekly. Administrators don't have the resources to tackle the growing problem, the agency said.

Patch management software makes sense, Vinson said, adding, "The cost justification alone is tremendous."

Enterprises worldwide spend more than $2 billion annually investigating, prioritizing and deploying security patches, said Eric Hemmendinger, analyst at Aberdeen Group.

Sean Moshir, CEO of PatchLink, said the patch management market is where the antivirus market was several years ago.

"People are beginning to understand it," he said. "In the next year or two, they'll realize that patch management software is a must-have. If you don't have it, you'll be opening up your company to all kinds of vulnerabilities."

The company in October released PatchLink Update 4.0, which features cross-platform functionality and access to patches from Microsoft, Novell, IBM and other vendors. Single-user licensing, including an annual subscription and maintenance, is $15 per user for Windows and $120 for Unix/Linux and NetWare, with a minimum 10-user license.

The software notifies administrators of new patches, identifies which machines need them, and provides a system for automatic deployment if the administrator decides to install them.

BigFix, Emeryville, Calif., this month released its Enterprise Suite 2.0 with new support for Linux in addition to existing support for Microsoft and expanded reporting capabilities. Pricing is $25 per seat for a 1,000-seat deployment with volume discounts.

Patch management is emerging as a promising source of new revenue for security VARs and integrators looking beyond the already-mature firewall and antivirus markets, said Scott Texeira, BigFix's director of business development.

"Patch management is something that we see a big demand for, and we don't think it's going to go away anytime soon," said Paul Rohmeyer, COO of Icons, a security consulting firm in North Brunswick, N.J.

Icons works with St. Bernard Software's UpdateExpert patch management and remediation tool. Microsoft's HFNetChk, a tool for checking patch status of all machines in a network from a central location, also is helpful, he said.

However, because enterprise networks contain a variety of software and hardware, patches must be tested before being deployed to ensure they don't interfere with certain applications, he said. Microsoft can't test a patch for all of the possible types of network environments, which can make automatic deployment problematic.