Vulnerability management and patch management are not products. They are processes – and the products are tools used to enable the process.
You cannot buy a hammer, nails and wood and expect them to just become a house, but you can go through the process of building the house or hire someone to do it for you as a service.
Vulnerability management and patch management products are often lumped together and assumed to be part of the same product. While the two are complementary, they are not the same. Vulnerability and patch management products are distinct products with different purposes and goals, each used to support its own process.
Patch management is a process used to update the software, operating systems and applications on an asset in a logical manner. The purpose of a patch management system is to highlight, classify and prioritize any missing patches on an asset.
For the purpose of specificity, patches are updates from the vendor; they can contain anything from security fixes to new features. The vendor sets their policy for what can be in a patch, and they should document all changes and additions in a readme file. Not all patches contain security fixes, and not all patches will fix the security issues listed. This is why just having a patch management tool will not make you secure.
Vulnerability management is a process that discovers assets on the network, categorizes the OS and applications on the assets and reports on security vulnerabilities on target systems. The vulnerability management product will scan the asset and report the known vulnerabilities found along with remediation advice.
The remediation of a security vulnerability usually involves patching the vulnerable system, but it could also consist of implementing configuration changes, turning off vulnerable services or even blocking exploitation attempts with an IPS device.
After a system is patched, the scan is repeated to verify that the vulnerability is no longer present. This is a crucial step because sometimes a patch does not overwrite or remove the vulnerable components, the remediation may also require some manual steps, or you may need to apply multiple patches to completely remove the vulnerability.
Trying to use a single dedicated vulnerability/patch management product to play both roles is like trying to strap pontoons to your car. It’s not very practical. More than that, you end up with an abomination like the Amphicar built in the 1960s. It seemed really cool, but it wasn’t a good car or a good boat.
A vulnerability management tool is designed to detect vulnerabilities; it is not designed to provide insight into what patches you have installed. Many times, administrators misinterpret even good patch guidance, or the organization as a whole fails to use the tool to implement patches for all vulnerable components.
This leads to reported "false positives" that are almost always not false positives at all: the scanner is correctly reporting a component that is still vulnerable. A good understanding by the organization of how the tools work and how they differ will help avoid confusion and wasted time.
Tripwire’s IP360 is an excellent vulnerability management tool. Tripwire VERT writes all of the security content and tests it against vulnerable and non-vulnerable systems to ensure accuracy. This delivers a low false positive rate (0.02% in 2018) that saves time tracking down potential or nonexistent vulnerabilities.
IP360 looks at the various system components like files, registry keys, firmware, etc. to determine the vulnerability state of an asset. When false positives do arise, they usually reflect the fact that the patch was not applied correctly or that not all vulnerable components were remediated.
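The two views described above, the patch-management view (which vendor patches are missing) and the vulnerability-management view (is the vulnerable component still present after patching, as a rescan would check), can be reconciled per asset. The following is an added example illustrating both the verification step after patching and the "patched but still vulnerable" case that gets mistaken for a false positive; it is not Tripwire's, IP360's or DSR's code, and the asset names, patch ids, advisory id and component versions are all constructed for illustration.

```python
"""Reconcile a patch-management view with a vulnerability-scan view of an asset.

Added example, not code from Tripwire or IP360.  Asset names, patch ids,
component versions and the advisory id are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    installed_patches: set[str]       # what the patch-management tool recorded as applied
    components: dict[str, str]        # component -> version actually present on disk


@dataclass
class Advisory:
    vuln_id: str                      # hypothetical identifier for the vulnerability
    component: str                    # the file/library that is actually vulnerable
    fixed_version: str                # first non-vulnerable version of that component
    required_patches: frozenset[str]  # vendor patches that together remediate it


def version_key(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple, so '1.2.10' > '1.2.9'."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(asset: Asset, adv: Advisory) -> set[str]:
    """Patch-management view: required vendor patches that are not installed."""
    return set(adv.required_patches - asset.installed_patches)


def still_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """Vulnerability-management view: is the vulnerable component still present
    below the fixed version?  This is what the rescan after patching checks."""
    installed = asset.components.get(adv.component)
    if installed is None:
        return False                  # component absent: nothing vulnerable to report
    return version_key(installed) < version_key(adv.fixed_version)


def reconcile(asset: Asset, adv: Advisory) -> str:
    """Combine both views into the state a practitioner acts on."""
    missing = missing_patches(asset, adv)
    vulnerable = still_vulnerable(asset, adv)
    if missing and vulnerable:
        return "unpatched"                    # apply the missing patch(es)
    if missing and not vulnerable:
        return "mitigated-or-not-affected"    # component absent, or fixed by config change/upgrade
    if not missing and vulnerable:
        return "patched-but-vulnerable"       # scanner is right; the patch did not replace the component
    return "remediated"                       # both views agree: close the finding


# Constructed sample data: one advisory needing two patches, four assets.
ADVISORY = Advisory("VULN-0001", "libexample.so", "2.4.1", frozenset({"KB-1001", "KB-1002"}))

ASSETS = [
    Asset("web-01", {"KB-1001"},            {"libexample.so": "2.3.0"}),  # only one of two patches
    Asset("web-02", {"KB-1001", "KB-1002"}, {"libexample.so": "2.4.1"}),  # fully remediated
    Asset("web-03", {"KB-1001", "KB-1002"}, {"libexample.so": "2.3.0"}),  # patches logged, old file remains
    Asset("db-01",  set(),                  {}),                          # component never installed
]


def report(assets=ASSETS, advisory=ADVISORY) -> dict[str, str]:
    """Per-asset reconciliation state for one advisory."""
    return {a.name: reconcile(a, advisory) for a in assets}


if __name__ == "__main__":
    for name, state in report().items():
        print(f"{name:8} {state}")
```

The web-03 case is the one the text warns about: the patch tool shows nothing missing, yet the rescan still finds the old component, so the finding should be treated as real and the patch re-applied or finished manually rather than dismissed as a false positive.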
Tripwire Dynamic Software Reconciliation (DSR) is a reconciliation tool for Tripwire Enterprise (TE) that helps the Change Manager or TE Admin better understand the origin of a given change as it relates to authorized OS or software patches or upgrades.
With this system, admins can easily track patches and automatically promote them via change management.