Automated tools help, but don't cure all patch ills

Successful patch management requires planning, processes, testing and integration of multiple security tools.
By Jeff Vance, Network World, 01/17/2005

Davidson Healthcare in Lexington, N.C., got a wake-up call recently when a vulnerability scan discovered that the network was missing more than 4,000 cumulative patches on its 30 servers and 500 workstations.

"I had this bad feeling about those patches," says Kevin Buchanan, who runs Davidson's 10-person IT department. "The problem was that we couldn't keep up with the volume of Microsoft's patches. They were releasing them way too often, there were too many of them, and a staff like ours had no way to manage this. Yet if we didn't, we knew we'd be at risk."

Buchanan quickly secured funding for automated patch management software from Shavlik Technologies.

Adam Hansen, manager of security at Chicago law firm Sonnenschein Nath & Rosenthal, has a similar tale. With nearly 2,000 servers, desktops and laptops spread across 11 U.S. offices, Hansen knew his firm had to get an automated patching solution, and quickly.

"About a year and a half ago, this all came to a head," Hansen says. "We did a vulnerability assessment and found we were only about 15% in compliance in terms of patching." He began looking for something that could automate patching and provide real-time reporting.

Sonnenschein Nath & Rosenthal went with PatchLink, another of the pure-play patch vendors that were first to market with automated patch tools.

"The old way of doing things, deploying patch by patch, is not effective in the long term," Hansen says.

There's widespread agreement on that point among enterprise IT executives, analysts and vendors. Any lag between detecting a vulnerability and correcting it leaves an organization open to attack. And with their own set of automated tools, hackers can strike almost as soon as new vulnerabilities are discovered.

But users are finding that even with automated patch management tools, patching can be a complicated, laborious and often problem-causing process, because the patches themselves have been known to break applications.

First things first

According to Meta Group analyst Peter Firstbrook, the first step is a network assessment. "My biggest piece of advice to customers evaluating patch management solutions is to take a step back and evaluate your own organization first," Firstbrook says. "So much of what has to be done is process and procedure."

Even the best tools won't save you if you don't have the right processes in place and the people and computing resources to back them up, he adds.

Davidson used to patch machines when they needed to be serviced or when a new image was pushed out. Now the patching is an ongoing part of IT maintenance, typically performed in off-peak hours, Buchanan says.

The patching path not taken

The issue for IT executives is not whether to automate, but which product to buy. There are the pure-play patch products from Shavlik, PatchLink and others. There are patch tools that are part of larger software suites that include life-cycle management, change management, security management and configuration management. Plus, there are Windows-only tools from Microsoft.

Angela Triola, an infrastructure analyst at ENT Federal Credit Union in Colorado Springs, tackles patching with Enterprise Configuration Manager (ECM) from Configuresoft. ECM performs a variety of functions, including vulnerability assessment, change management, compliance, remediation and patching. Triola says everything from finding patches to testing to deployment to verification has now become manageable.

"We rely heavily on Microsoft," Triola adds, "so the fact that Configuresoft works well with Microsoft was very important to us." She says that Microsoft's own patching advances, including the forthcoming Windows Update Services (WUS) patch management software, will not change the need for third-party tools.

Other IT professionals agree. "Essentially, even with [Software Update Service], WUS or [Systems Management Server], you're still taking a patch-by-patch approach," Hansen says. "You still need the entire platform to see this through from start to finish."
