|
Introduction
It's a simple truth: applying patches is the only definitive way to keep vulnerable systems from being exploited. Accordingly, the vast majority of organizations acknowledge the need to have a formal patch management strategy and solution. Furthermore they clearly recognize that the demands in this area are escalating due to the proliferation of new vulnerabilities and the rapid emergence of associated threats. Seemingly irreversible conditions require that organizations not only deploy more patches than ever before, but also that they do so with a much greater degree of urgency.
Given this situation, it intuitively makes sense to implement an automated patch management solution. However, IT and security personnel inevitably need to provide more than just their intuition to justify such an investment. This paper is intended to address this necessity by enumerating the cost savings and other associated benefits of automated patch management. Ultimately it will be demonstrated that, relative to a manual approach, an automated solution can reduce the annual cost of patching from $222 to $40 per computer - resulting in an expected savings of over $180,000 per year for an organization with 1000 computers.
Cost/Savings and Benefits Analysis
There are many factors and dependencies associated with an analysis of the benefits of automated patch management - not all of which are straightforward. The assumptions, choices, and rationale provided in the following sections are based on the experience of the authors, the expertise of the developers and engineers at PatchLink, and the continuous feedback collected from PatchLink's extensive customer base.
Overview of Benefits
The benefits of automated patch management can be assigned to two general categories: quantitative and qualitative. The primary distinction between these is whether reasonably defendable estimates can be calculated for the given benefit.
The most significant quantifiable benefit is the reduction in administrator effort that results from automating many portions of an otherwise manually intensive exercise. Understanding this further is facilitated by Figure 2, which provides a summary of the individual tasks that comprise the major steps of a typical patch management process. To be clear, the benefit here is one of achieving greater efficiency of operations.
It could also be argued that administrator and end-user productivity gains due to incurring fewer successful attacks deserve to be classified as quantifiable benefits. However, it is probably more appropriate to classify these as red herrings. The problem in this case is that the potential gains hinge on the anticipation of remediating a vulnerability much sooner than would otherwise be possible (which is fundamentally different than doing it more efficiently). But there are several challenges with this notion. First, the presence of intermediate steps in the process which are necessarily manual diminishes the potential improvement in the overall ?elapsed time' before a patch is applied and, more importantly, complicates its quantification. The second challenge is assigning a value to whatever degree of improvement is actually attained. By how many will the number of successful attacks actually be reduced? One can only guess.
Finally, there is the point that taking advantage of any gain in this area requires the patch management process to be executed more frequently. In the extreme, it would need to be conducted every time a patch became available - as opposed to the widely favored approach of executing it at regularly scheduled intervals (e.g., monthly). Overall, it is expected that the cost of these extra cycles (i.e., rollouts) would offset the productivity savings attributable to experiencing a few less successful attacks. In any event, this potential benefit is simply too difficult to defend concretely and, therefore, is relegated to the qualitative category.
It is important to realize, however, that just because it is not easily quantified does not mean that the ability to remediate vulnerabilities sooner, at least in some cases, is not a valid benefit. In reality, it can and does save organizations from successful attacks. It's just that the actual number of such occurrences is irregular and highly unpredictable. Instead, the real value in this case is a general level of risk reduction that yields a range of qualitative benefits.
|
