When Softcat recommends Ivanti’s Windows patching solution to clients, it does so with real insight, as it has been using the product to save time and cut overheads in its own patching processes.
It stands to reason that to remain a leading Managed Services Provider of technology solutions and services, you must address software vulnerabilities in your own infrastructure. Rapid growth had left Softcat with a sprawling estate of 200 Windows servers and no consistent, automated patching solution, which made this more and more difficult for its Managed Services Team.
In response, Softcat created an Information Security team to compile best practices that would help it gain control over this critical process – practices that it planned to share with customers experiencing similar problems.
“Our situation was typical of a fast-growing Windows organisation,” explained Softcat security analyst Tim Lovegrove. “We deployed WSUS to assist with Windows patching, but it was hard to administer and track, even on updates to the Windows OS, and harder still across our critical third-party applications. We wanted to know that every machine on the network would receive essential updates automatically.”
A key stumbling block was that only 25% of Softcat’s servers had been assigned owners with responsibility for patching. Like most WSUS deployments, Softcat had used Group Policy settings to assign machines but not to determine ownership.
Another problem was that the WSUS patching cycle took 90 days to complete, which was too long in today’s fast-moving world and opened the door to risk.
Each quarter, it took Softcat’s Microsoft system admins a month to identify and schedule the appropriate WSUS patches to roll out, and then another two months to complete the deployments. At the end of each 90-day window, the patching cycle began again.
The 2017 ransomware outbreaks were the final spur to action. Although Softcat had patched the vulnerabilities months before, the events escalated the ‘What If’ debate to senior management.
“Our Managed Services teams were heavily involved in helping customers recover from ransomware attacks, often working 24×7 shifts. Although Softcat itself was unaffected, we witnessed first-hand the effects of neglecting updates. That led us to examine our own internal procedures for patching, escalating the issue to the forefront of our network and security efforts,” explained Lovegrove.
The solution needed to achieve three goals: 1) to significantly reduce patching overhead; 2) to decrease the patching cycle from 90 to no more than 30 days; and 3) to automate as much of the process as possible and provide proof that patching had occurred.
Softcat ships thousands of Ivanti Patch for Windows licences to its customer base and, given the positive customer feedback, chose to deploy it internally within 30 days of testing it in the lab. Upon deployment, Patch for Windows scanned the Softcat estate. This provided a complete software inventory and immediately determined that 25 servers were redundant and no longer in use.
The next stage for the remaining 175 servers was to assign server ownership within the 10 teams that run them. Armed with the asset inventory, Lovegrove offered owners six options for scheduling patches and asked them to choose the one most appropriate to the role the server and its apps played in the organisation. Their responses determined the machine groups for Ivanti’s automated patching treatment.
Lovegrove also established reporting levels that provided a central view and reports on deployed patches, missing patches and vulnerable machines.
Softcat estimates that Ivanti Patch has reduced patching overhead by 70%, while increasing patching coverage. This includes third-party apps, such as Java and Adobe Flash and Reader, and browsers, such as Firefox, which are so often missed in a server estate. For the company’s most critical servers, Patch for Windows reduced the patching window from 90 days to under 18.
Lovegrove is unequivocal in his praise for the solution. “Ivanti Patch for Windows isn’t just a more comprehensive patching solution. It’s an intelligent, granular solution that offers the flexibility to specify patch groups and categories and provides the visibility needed to help ensure patches get deployed.”
He added: “It’s definitely a timesaver. Knowing this is in my back pocket, I can focus on wider or more esoteric security issues, instead of spending time fiddling around with what should be a simple process.”
Ivanti Patch for Windows Benefits
Ends the 90-day WSUS patching cycle and reduces time to patch critical servers by 72 days
Provides scanning, deployment and reporting that helps ensure patches are applied
Cuts patching overhead dramatically, allowing admins to focus on larger security issues