VARs, Vendors Seize Patch Management Opportunity

Patch management products such as Symantec's ON iPatch 1.1, which the Cupertino, Calif.-based security vendor launched this week, bridge the gap as customers and solution providers await the release of Windows Update Services. Formerly known as Software Update Services 2.0, Windows Update Services has been postponed until the first half of next year, according to Microsoft. The patch management utility originally was due out in mid-2004.

In the meantime, VARs like Revolution Consulting, Tempe, Ariz., find that customers are eager to deploy Symantec ON iPatch 1.1, even though the product is only a short-term play.

"Our customers understand that they need to be able to patch other operating systems, and they have other operating systems. But right now, Microsoft is their priority," said Amy Hawkins, director of marketing at Revolution Consulting. "Customers are saying, 'We need to act quickly [on Windows].' "

Targeted at businesses with 10 to 3,000 seats, ON iPatch 1.1 was quickly brought to the market to address an immediate need for managed patching of Microsoft code, said Thom Bailey, director of product management for enterprise administration at Symantec.

"Patch management as a stand-alone interest, long term, is probably best-served in a suite of products," Bailey said. "You don't concern yourself with patch management in isolation of security. But we are out the door right now offering something to a market in desperate need to get a handle on patch-related vulnerability."

The child of Symantec's ON Technology acquisition, ON iPatch 1.1 can scan Windows boxes on the network and apply patches based on administrator policy. The tool can make patches on large groups of Windows PCs simultaneously, and avoid such inefficiencies as downloading patches for Outlook when a shop only runs Lotus Notes, Bailey said. ON iPatch 1.1 just patches Windows systems--not Linux, Unix, Solaris or network operating systems from Cisco Systems and Juniper Networks, he added.

Ultimately, Microsoft will provide patching for its own operating system via free tools within SUS 2.0. Point products like ON iPatch then will disappear and be folded into a broader suite of Symantec security software, Bailey said.

Still, one big advantage with ON iPatch 1.1 is its ability to handle multiple patch remediations on many clients at the same time, Bailey noted. "This is mass patching. Microsoft currently is adding intelligence on one machine at a time," he said.

Microsoft expects to change that with SUS 2.0, said Eric Berg, group product manager in Microsoft's enterprise management division. "[SUS 2.0] will provide the facility to easily deploy updates across large numbers of clients and servers in an automated fashion," Berg said.

Some VARs are already moving away from patch management point products, such as those from Symantec and PatchLink, and turning to patch management tools within product suites that address non-Microsoft operating systems. New York-based MTM Information Technologies, for one, is tackling patch management with a suite of client management software from LANDesk that also helps deploy Microsoft's recently released Windows XP Service Pack 2.

"Patch management is something we will have to wrestle with for some time to come, so it's clear that some vendors are jumping on a narrow, short window of opportunity. Even with PatchLink, which is an excellent stand-alone product, the opportunity to be a stand-alone patch management solution is very limited," said Howard Cohen, senior vice president of business development at MTM Technologies.

"Incorporating patch management into a suite is the natural progression." Cohen said. "And going forward with patch management, you will see a blurring of the lines between patching and software distribution. They are the same thing."

Other solution providers like Dominick Genzano, senior partner and founder of STI Group, Jersey City, N.J., said third-party patch management tools will still be necessary even after Microsoft serves up SUS 2.0 for free.

"I don't necessarily see that SUS 2.0 is going to be the solution everybody needs. It's still only going to handle Microsoft platforms and software," Genzano said. "Plus, if you look at the direction of SUS, unless Microsoft reworks the product entirely, it's not going to have the type of accounting and management we like to see in patch management. And when you think about spending just $8 to $15 per desktop with a third-party patch management product, that beats settling for something that may be not as good but is free."