Ensuring patch compliance across all endpoints

A compliance level refers to the percentage of computer devices that have been successfully patched or otherwise remediated such that they are no longer vulnerable. Setting a reasonable goal for compliance levels is often difficult. At first glance, a completely patched environment (100%) would appear to be a realistic goal.
With the sheer number of vulnerabilities on the rise, the main objective of organizations is to ensure 100% patch compliant status of all managed endpoints. Patch Manager Plus helps achieve 100% patched and compliant status through a constant cycle of endpoint evaluation and remediation. When an endpoint is detected to be non-compliant with a patching policy, the platform automatically acts to bring the endpoint back into compliance and logs the activity - all of which can be automated with Patch Manager Plus.

Patch compliance management involves:

  1. System Health Policy

    Patch Manager Plus provides a compliance policy called the system health policy, which can be used to define standards that identify whether systems are non-compliant. The system health policy is used as a baseline to define the health status of managed systems.

    How to define the System Health Policy?

    Generally, patches are released with varying severities ranging from Low to Critical. Based on the severity of the missing patches, Patch Manager Plus classifies systems into three categories, Healthy, Vulnerable, and Highly Vulnerable, to quickly identify the health status of the systems in the network. The default health policy is as follows:

    • Healthy Systems are those that have up-to-date patches installed.
    • Vulnerable Systems are those that have missing patches in "Moderate" or "Low" severity levels.
    • Highly Vulnerable Systems are those that have missing patches in "Critical" or "Important" severity levels.

    Customize System Health Policy at ease

    Patch Manager Plus also allows you to customize the health status of your systems by selecting the patch severity levels, i.e., the number of missing patches, for the various health states.

    Thus, by predefining the system health policy, Patch Manager Plus maintains and monitors patch compliance by detecting all vulnerable systems in the network and by deploying the right patch fixes to remediate the vulnerabilities.
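
The default health policy and the compliance level defined at the top of the page can be expressed as a short classifier. This is an added example, not Patch Manager Plus code or its API: the function names, the inventory format, the fail-closed handling of unknown severities, and counting only Healthy systems as compliant are all assumptions.

```python
# Added illustration: names and data are constructed, not Patch Manager Plus APIs.
from collections import Counter

# Default policy from the page: severity of a missing patch -> health state.
DEFAULT_POLICY = {
    "Critical": "Highly Vulnerable",
    "Important": "Highly Vulnerable",
    "Moderate": "Vulnerable",
    "Low": "Vulnerable",
}
# The worst state wins when a system is missing patches of several severities.
RANK = {"Healthy": 0, "Vulnerable": 1, "Highly Vulnerable": 2}


def health_state(missing_severities, policy=DEFAULT_POLICY):
    """Return the health state of one system from its missing-patch severities."""
    state = "Healthy"  # nothing missing means patches are up to date
    for sev in missing_severities:
        # Assumption: fail closed, an unknown severity counts as the worst state.
        candidate = policy.get(sev, "Highly Vulnerable")
        if RANK[candidate] > RANK[state]:
            state = candidate
    return state


def compliance_report(inventory, policy=DEFAULT_POLICY):
    """Return (state per host, count per state, compliance level in percent)."""
    states = {host: health_state(sevs, policy) for host, sevs in inventory.items()}
    counts = Counter(states.values())
    total = len(states)
    # An empty inventory reports 0.0 instead of dividing by zero.
    level = 100.0 * counts["Healthy"] / total if total else 0.0
    return states, counts, level


# Constructed sample inventory: host -> severities of patches still missing.
SAMPLE = {
    "ws-001": [],
    "ws-002": ["Low"],
    "srv-db1": ["Moderate", "Critical"],
    "srv-web1": ["Unrated"],
}

if __name__ == "__main__":
    states, counts, level = compliance_report(SAMPLE)
    for host, state in sorted(states.items()):
        print(f"{host:10} {state}")
    print(f"compliance level: {level:.1f}%")
```

Passing a modified copy of `DEFAULT_POLICY` as `policy` models a customized health policy, provided its values stay within the three states in `RANK`.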

  2. Patch automation

    An automated patch management system can help keep your environment fully patch compliant, i.e., fully patched at all times. By enabling automation of the patch management process, Patch Manager Plus ensures that endpoints are compliant with the latest versions of software and that their missing updates are always patched. Patch automation involves scanning systems for missing patches, creating automated deployment tasks for vulnerable systems, deploying the right patches to those systems, and finally collecting information on whether the entire enterprise is patch compliant. Automated patch deployment thus eases the process of maintaining patch compliance, i.e., ensuring that each system in the enterprise environment has the appropriate patches installed.

  3. Reports to demonstrate patch compliance across endpoints

    The different patch reports demonstrate patch compliance across endpoints by monitoring and reporting the vulnerability and patch status of each system. Automated email alerts for new updates, missing patches and failed deployments let administrators see which systems are non-compliant. It is possible to define patch compliance checks with the help of the missing patches and vulnerable systems reports.

    1. The Vulnerable Systems Report gives details of healthy and vulnerable systems in your network. Thus, information on how many systems are non-compliant, i.e., not fully patched with critical updates, can be collected.
    2. The Vulnerable Patches Report lists all the missing patches in the network. This can be used to determine which patches need to be deployed to achieve fully patched status across the enterprise.

    Dynamic patch reports let administrators easily discover which devices are non-compliant with respect to patching and quickly remediate vulnerabilities.