If you wish to remain a leading Managed Services Provider of technology solutions and services, you must defend against software vulnerabilities in your infrastructure. However, with the company growing at unprecedented rates, the Managed Services Team at Softcat faced managing a sprawling estate of 200 Windows servers that lacked a consistent, automated patching solution.
In response, Softcat created an Information Security team to compile best practices that would help it maintain control over this critical process, practices it planned to share with equally overwhelmed customers.
“Our situation was typical of a fast-growing Windows organisation,” said Softcat’s Security Analyst, Tim Lovegrove. “We deployed WSUS to assist with Windows patching, but it was hard to administer and track, even on updates to the Windows OS, and harder still across our critical third-party applications. We wanted to know that every machine on the network would receive essential updates automatically.”
A key issue was that only 25% of Softcat’s servers had been assigned owners with responsibility for patching the server. Like most WSUS deployments, Softcat had used Group Policy settings to assign machines but not to determine ownership.
Moving from an all-consuming patching cycle
The WSUS patching cycle also took 90 days to complete, which was too long in today’s fast-moving world and opened the door to risk. Each quarter it took Softcat’s Microsoft system admins a month to identify and schedule the appropriate WSUS patches to roll out and then another two months to complete the deployments. At the end of each 90-day window, the patching cycle began again.
The 2017 ransomware outbreaks were the final catalyst for change. Although Softcat had patched the vulnerabilities months before, the events escalated the ‘what if’ debate to senior management.
Lovegrove commented: “Our Managed Services teams were heavily involved in helping customers recover from ransomware attacks last year, often working 24/7 shifts. Although Softcat itself was unaffected, we witnessed firsthand the effects of neglecting updates. That led us to examine our own internal procedures for patching, escalating the issue to the forefront of our network and security efforts.”
The solution needed to achieve three goals: 1. significantly reduce patching overhead, 2. decrease the patching cycle from 90 to no more than 30 days, and 3. automate as much of the process as possible and provide proof that patching had occurred.
With any automation, success lies in the detailed preparation
Softcat ships thousands of Ivanti Patch for Windows licenses to its customer base and receives positive customer feedback. Given the solution’s high regard, Softcat chose to deploy it internally within 30 days of testing it in the lab. Upon deployment, Patch for Windows scanned the Softcat estate. This provided a complete software inventory and immediately determined that 25 servers were redundant and no longer in use.
For the remaining 175 servers, the next stage was to assign server ownership within the 10 teams that run those servers. Armed with the asset inventory, Lovegrove offered owners six options for scheduling patches. They picked the option most appropriate to the role the server and its apps played in the organisation, and that determined the machine groups for Ivanti’s automated patching treatment. Reporting levels were also established, offering a central view and reports on deployed patches, missing patches and vulnerable machines.
Ivanti Patch offers flexible options to fit the server’s purpose
Softcat estimates it has reduced patching overhead by 70% while increasing patching coverage. This includes third-party apps such as Java, Adobe Flash and Reader, and browsers such as Firefox, which are so often missed in a server estate. For the company’s most critical servers, Patch for Windows reduced the patching window from 90 to under 18 days.
Lovegrove said: “It’s definitely a time saver. Knowing this is in my back pocket, I can focus on wider or more esoteric security issues, instead of spending time fiddling around with what should be a simple process.”
Adherence to the three KPIs has earned Lovegrove’s team the confidence of Softcat senior management.
Lovegrove summarises his experience for others facing patching overhead: “Ivanti Patch for Windows isn’t just a more comprehensive patching solution, it’s an intelligent, granular solution that offers the flexibility to specify patch groups and categories and provides the visibility needed to help ensure patches get deployed.”