Discussion in 'Business & Enterprise Computing' started by evo800v, Apr 25, 2019.
How do you go about managing patch compliance with disconnected end-user machines using Batchpatch?
Purely a frontend for WSUS, so anything not connected/reporting wouldn't be covered. We were going for servers and "high risk" workstations, which were deemed to be select machines in finance, and sysadmins, which aren't guaranteed to be in the office, but are covered 90% of the time.
Going on a pretty flexible version of the Essential 8 - better than doing nothing.
Hadn't seen Qualys Patch (possibly cos it came into existence early this year), signed up for trial but waiting on access.
Still talking/waiting on HCL, wanted to at least see bigfix in action, even if it is IBM software, but even their sales guys are lazy.
So talking to Qualys, their Patch product is OEM'd Ivanti, but from what I'm led to believe it is tied into the Qualys vulnerability scanning framework and then leverages the Ivanti patch to remediate.
Yea, I did see a Lumension or Shavlik digital signature in one of the Qualys deployed patches.
Patch management is pretty rudimentary: you can schedule recurring patch jobs... but can't automate adding newly released patches to a job, allegedly "on the roadmap".
Have seen nothing in the patching space that even half impresses, tempting to just put MSP's NinjaRMM on servers and turn on patch management there, which is also Ivanti powered, with about the same level of schedule control, just miss out on the vulnerability ratings.
Early days, and only scratching the surface as to what's possible with Batchpatch, but this thing is magic compared to what I'd been working with.
I'd say it has by far the best scheduling capabilities of any I've seen. Just feels bad paying for a tool whose one job is to prod WSUS.
If I don't find something else with reasonable vulnerability assessment, usable 3rd party support and 1/2 decent scheduling though... probably gonna be batchpatch.
On the whitelisting topic, airlock is going well, haven't enforced anything other than my machine yet due to the massive variety of random unsigned shit that people occasionally need to run. The process of reviewing/approving apps is easy enough, though there is a bit of room for improvement when it comes to navigating away from the massive list of shit you were working through.
I suspect we will just be using Nessus to produce reports post-patching for validation, and scripting additional registry changes required by some updates.
I met David, the Airlock founder, at Cyber Conference. Had a quick demo; looks promising at first glance. I'll try and do a POC soon.
Another one for consideration for patch management.
Automox works across Windows, Mac and Linux operating system versions, providing you with full patching and configuration control for clients, servers, virtual machines, containers, and cloud instances. No servers, configurations, or networking to manage.
What is good for patching onprem?
Tried it, can't remember exactly what was shit about it... a lot though.
Bigfix looks like a learning curve, and a lot of work, but surprisingly good for something IBM used to own. Lot more responsive than SCCM.
That's disappointing, it sounded promising.
From memory it required manual intervention. I'm after something that can just deploy, reboot, retry until complete (for certain servers and workstations anyway) with a schedule that, for example, would let me do 1 DC in a site one night and the other the next.
Batchpatch is still the closest I've seen to that out of the box.
Daniel, not David. It's decent; they also have integration with Crowdstrike now as well, with the aim of a single management platform between CS and AL.
BigFix is a shit hole, patches (Fixlets) aren't even overly speedy being released, and IBM have also just sold it to TCL.
I ended up going with batchpatch and a Nessus pro subscription.
Few minor points around rebooting when required with batchpatch, hopefully they'll introduce some more options in their logic.
IACSecurity wrote: "BigFix is a shit hole, patches (Fixlets) aren't even overly speedy being released, and IBM have also just sold it to TCL."
Pretty sure it's HCL, and the sale was about 3 months ago. For an IBM software product, it was surprisingly responsive, and for a complex environment I think it'd make a great patch deployment solution. For my 30-40 servers, wsus + batchpatch (+ nessus scans) was the shortest path to safety.
..I'd fix that quote text, but, close enough
You threw me there, looks like there is a Daniel & a David as co founders https://www.airlockdigital.com/leadership-team
Reviewing untrusted binaries in app whitelisting really gives some insights into the great attention to detail which goes into software development.
I especially like the naming convention of the Win 8 PC... did they just post on rentacoder then add it to a production release of Exchange?