Softcat, Ivanti’s EMEA Security Partner of the Year 2019 (see right), has been using the company’s Windows patching solution to save time and cut overheads
It stands to reason that to remain a leading Managed Services Provider of technology solutions and services, you must defend against software vulnerabilities in your own infrastructure. Rapid growth, which had created a sprawling estate of 200 Windows servers and no consistent, automated patching solution, meant that this was becoming more and more difficult for Softcat’s Managed Services Team.
In response, Softcat created an Information Security team to compile best practices that would help it gain control over this critical process – practices that it planned to share with customers experiencing similar problems.
“Our situation was typical of a fastgrowing Windows organisation,” explained Softcat security analyst Tim Lovegrove. “We deployed WSUS to assist with Windows patching, but it was hard to administer and track, even on updates to the Windows OS, and harder still across our critical third-party applications. We wanted to know that every machine on the network would receive essential updates automatically.”
A key stumbling block was that only 25% of Softcat’s servers had been assigned owners with responsibility for patching the server. Like most WSUS deployments, Softcat had used Group Policy settings to assign machines but not to determine ownership.
Another was that the WSUS patching cycle took 90 days to complete, which was too long in today’s fast-moving world and opened the door to risk. Each quarter, it took Softcat’s Microsoft system admins a month to identify and schedule the appropriate WSUS patches to roll out, and then another two months to complete the deployments. At the end of each 90-day window, the patching cycle began again.
The 2017 ransomware outbreaks were the final catalyst for change. Although Softcat had patched the vulnerabilities months before, the events escalated the ‘What If’ debate to senior management.
“Our Managed Services teams were heavily involved in helping customers recover from ransomware attacks, often working 24×7 shifts. Although Softcat itself was unaffected, we witnessed first-hand the effects of neglecting updates. That led us to examine our own internal procedures for patching, escalating the issue to the forefront of our network and security efforts,” explained Lovegrove.
The solution needed to achieve three goals: 1) significantly reduce patching overhead; 2) decrease the patching cycle from 90 to no more than 30 days; and 3) automate as much of the process as possible and provide proof that patching had occurred.
Softcat ships thousands of Ivanti Patch for Windows licences to its customer base and, given the positive customer feedback, chose to deploy it internally within 30 days of testing it in the lab. Upon deployment, Patch for Windows scanned the Softcat estate. This provided a complete software inventory and immediately determined that 25 servers were redundant and no longer in use.
The next stage for the remaining 175 servers was to assign server ownership within the 10 teams that run them. Armed with the asset inventory, Lovegrove offered owners six options for scheduling patches and asked them to choose the one most appropriate to the role the server and its apps played in the organisation. Their responses determined the machine groups for Ivanti’s automated patching treatment.
Lovegrove also established reporting levels that provided a central view and reports on deployed patches, missing patches and vulnerable machines.
Softcat estimates that Ivanti Patch has reduced patching overhead by 70%, while increasing patching coverage. This includes third-party apps, such as Java and Adobe Flash and Reader, and browsers, such as Firefox, which are so often missed in a server estate. For the company’s most critical servers, Patch for Windows reduced the patching window from 90 days to under 18.
Lovegrove is unequivocal in his praise for the solution. “Ivanti Patch for Windows isn’t just a more comprehensive patching solution. It’s an intelligent, granular solution that offers the ﬂexibility to specify patch groups and categories and provides the visibility needed to help ensure patches get deployed.”
He added: “It’s definitely a timesaver. Knowing this is in my back pocket, I can focus on wider or more esoteric security issues, instead of spending time fiddling around with what should be a simple process.”
Partners of the Year
Softcat was named EMEA Security Partner of the Year at last month’s Ivanti 2019 Partner of the Year Awards in Madrid. Commenting on the award, Matt Ward, Softcat Software Asset Manager, said: “The whole team here at Softcat is over the moon at winning Ivanti EMEA Security Partner of the Year. It just reinforces to us that we are making huge strides in our strong security portfolio and leading the way in our market, which is a great feeling.” Other UK winners were e92plus (shown in photo), for EMEA Distributor of the Year, and Bytes, which won EMEA Partner Campaign of the Year for its NHS Windows migration campaign. UK recipients of EMEA Ivanti Champions of the Year awards were Robin Cook, Ivanti Product Manager at e92plus, and Andy Nabbs, Head of End User Computing at SCC UK. Ivanti unifes IT and Security Operations to better manage and secure the digital workplace. Ivanti discovers IT assets on-premises and in the cloud, improves IT service delivery and reduces risk with insights and automation.