Patch Management: Simplifying IT Managers' Lives While Improving Security
Patch management tools look for and analyze new patches, scan devices on networks to find vulnerabilities, and deploy the correct patches. Some products also test the patches to verify that they work. But automated systems aren’t a cure-all. Truck manufacturer Paccar has been using several patch management tools "with varying degrees of success," says Vice President and CIO Patrick Flynn.
Paccar has used products from McAfee Security, Microsoft and On Technology to automatically deploy patches to PCs and servers, Flynn says, cutting the time it takes for deployments and improving their accuracy. "We don’t have to send an army of people out there [to deploy patches]. From a labor perspective, the return on investment has to be pushing 100 percent," he says. "But there’s still a long way to go before we get to where we need to be" because the tools don’t ensure that all of the company’s more than 12,000 PCs and servers are getting the correct patches when they need them.
"If your success rate is 90 percent, you still have 1,000 devices to find and update," Flynn says. "There isn’t really an integrated one-size-fits-all tool for patch management. If you’re a global IT organization, you need a variety of tools to deploy patches for security, operating systems, browsers, applications. And patches have to be applied to servers, desktops and PDAs. How do we manage all that software? It’s one of the biggest problems facing our industry."
The management tools have been fairly easy to set up, Flynn says, but there can be some complexity when integrating patch tools with existing software. He says companies should have someone dedicated to overseeing patch management software to ensure it’s being used most efficiently.
A Hard Patch
Paccar’s experience is mirrored by others. After the Slammer attack illustrated companies’ vulnerabilities, RBC Centura Banks issued a corporate mandate to bring all its production servers up to date on required patches. "We checked into doing it manually and knew we had a sizable task in front of us," says James Williams, manager of information delivery.
Managers estimated it would take more than 12,000 man-hours to complete the task, including deploying and testing patches on more than 220 servers. RBC opted instead to use Ecora’s PatchMeister to deploy patches, and the process took about 2,000 hours in just over a month. Williams says there was still manual work involved when technicians had to tweak some of the patch deployments for particular servers. But the automation software did provide time and labor savings, Williams says. "It helped us to quickly identify the status of the servers and told us which patches we needed to apply in our NT and Windows 2000 environment." The bank uses the software to evaluate and deploy anywhere from two to 15 patches per month.