What is Virtual Patching?

A malicious attacker will always be on the lookout for weak points or vulnerabilities in a network. They prowl around the Internet looking for weaknesses in software, hardware, or connectivity device configurations that they can exploit. Virtual patching is one way to make sure they don’t succeed.

Hackers are always a step ahead of software and hardware manufacturers as they continue to seek out these vulnerabilities. This makes virtual patching a critical part of a network or system administrator’s duties.

Here is our list of the best virtual patching tools:

1. SolarWinds Virtual Patching for Endpoint Security EDITOR’S CHOICE This patch management package updates both virtual and physical endpoints with procedures that include automated patch status scanning, patch gathering and scheduled rollout. Runs on Windows Server and is available for a 30-day free trial.
2. ManageEngine Patch Manager Plus This on-premises system for endpoint patching provides an automated service for devices running Windows, macOS, and Linux. Availalbe as a SaaS package or for installation on Windows Server.
3. Avast Business Patch Management Patching for Windows and third-party software packages as part of a platform of system security services. This is a cloud based system.

OK, but what is patching?

Patching is the process of upgrading software to their latest and most secure versions with the hopes of plugging any “holes” – known as “vulnerabilities” – in an application or operating system. The intention is to close them from being used as “exploits” whereby cybercriminals gain unauthorized access to them.

There is a window, between a vulnerability being discovered and the possibilities of an exploit being used, that is only closed when an administrator has “patched” the hole and made the network and applications safe again.

In larger networks, this can be a tedious affair as patching is done on an individual, host-by-host, or device-by-device basis. It is also a repetitive occurrence since vulnerabilities are too common an occurrence.

What is virtual patching?

When it comes to virtual patching, it is also the process of removing any vulnerabilities. But, in this case, it focuses on stopping vulnerabilities and exploits at the network level and not the end-point software solutions.

In this case, the actual task is a lot less tedious because the rollout is focused on a few networking devices. In other words, it is rolled out via a network – and addresses the vulnerabilities at the end-points from the network itself.

Looking at the process in more detail – it is rolling out a layer of security policies that, by analyzing data packets and traffic, prevent and intercept the exploitation of vulnerabilities.

For a virtual patching solution to be effective it must have the following capabilities:

• Deep packet inspection – to inspect and then stop malicious packets and malevolent activities from hiding in web and network traffic.
• Prevention – once the packets have been identified, they need to be destroyed before they reach their intended target hosts.
• Deployable anywhere – it should be able to be run in both cloud as well as on-premises network architectures.

Necessity for virtual patching

By now, we should have an idea of what virtual patching does. But, let’s have a look at why we need it:

• It prevents the risk of a successful breach or attack until a vendor-supplied patch is released or while the patch is being tested and applied.
• It reduces any conflicts from appearing in the software environment as there is a lesser chance of introducing conflicts because libraries and support code files are not changed.
• It prevents downtime of mission-critical systems that cannot be taken offline.
• It cuts the costs of time and money spent performing emergency patching.
• It allows businesses to maintain normal patching cycles.

It can be said that virtual patching is important for the security of digital assets, which require considerable planning as well as zero downtime before a permanent patch can be deployed to protect them.

Examples of such systems would be pipeline monitoring systems or machines running critical systems – which play a vital role in a nation’s infrastructures like hydroelectric dams and electrical grids, which can’t be taken down.

And then, there is the fact that in these days of cloud-based and remote-hosted architectures, businesses may not have direct, seamless access to their digital assets. The only way they can secure their hatches until their hosting or cloud service provider patches them is with the help of virtual patching.

Virtual patching – Pros

The advantages of virtual patching include:

• When it is done in time, it can protect a business and its clients before a breach or unauthorized access.
• It shows that a business is a professional entity that proactively undertakes steps to ensure its own security – especially if there is a wave of attacks and it remains unaffected by them.

Virtual patching – Cons

Looking at some drawbacks, we have:

• When done wrong or too late, it could spell disaster to businesses and customers alike – this means a professional is required to perform virtual patching. This is because a single misconfiguration could result in processing errors, bring the business to a halt or even crash the whole network completely.
• Unless it is done with the correct resource allocations, other critical processes might lag or even crash because of virtual patching eating up bandwidth due to misconfigurations or traffic being diverted to networks that can’t support the sudden influx, for example.

Therefore, it needs to be noted that an effective virtual patch makes sure that the vulnerabilities are addressed – i.e., patched – without modifying an application or system’s code or diverting traffic to infrastructures that can’t support surges.

The virtual patching process

Here are the six essential steps in a typical virtual patching campaign:

1. Awareness – virtual patching is initiated or necessary as soon as an administrator is aware of the vulnerability. This could be via alerts received from a WAF, SIEM, IDS, or IPS following attack attempts, post-breach, or in lieu of suspicious activity. It could also be thanks to proactive actions taken following critical alert advisories or patch update bulletins from software and hardware manufacturers or their governing bodies.
2. Analysis – once the threat has been detected, and positively identified, it is time to analyze the situation on the ground. Typically, administrators will take stock of all their assets and find out which ones need to be patched and what software version should be used. For this to work, of course, they will also need to know how the vulnerabilities are exploited and what needs to be done to stop it from happening.
3. Strategizing – at this point, when all the information is in, it is time to start creating IPS rules; reviewing and fortifying policies, searching for patching tools, and mapping out which device should be patched first or last, and preparing for crashes by implementing disaster recovery plans, etc., can also be part of this step.
4. Testing – this is the stage where all scenarios are played out, all holes are plugged, and everything is thrown at the system to see if it holds up. It would also be ideal to do this testing phase on a dummy network (or a test environment). This phase is repetitive and exhaustive until all lights are green and it is deemed safe to actually start applying the patch.

Some testing tools that can be used include:

• • • A web browser – to test if there is communication between systems or whether web applications are working as they are supposed to.
    • Linux command line commands to test connectivity and accessibility – like curl and Wget.
    • Web app scanners, security and events testing tools, as well as penetration testing tools like OWASP ZAP and ModSecurity AuditViewer.

5. Application aka Virtual Patching – here, the patches are pushed out and applied to each device or website in the production environment. There are tools that can help at this stage and that we will see later.
6. Monitoring – once this stage is reached, it is time to see how successful the previous steps had been.  All changes in performance, response times, service delivery, process completion, and such should be monitored. Any deviation should be looked into to detect anomalies and their causes. If it leads to the virtual patching, it means it is back to Step 4, the Testing Phase – and into a loop – until the expected right results are achieved.

What would influence a virtual patching campaign?

A successful virtual campaign needs careful planning. Here are some of the questions that need to be asked in order to make it so:

• Determine the scope of the campaign – is the data to be protected stored in a central location or is it dispersed to multiple network segments?
• Be aware of the architecture to cover all the vulnerable assets – what is the network configuration and how does the data flow through the network?
• Awareness of manufacturers and technologies involved – what type of hardware and applications are running on the network and are there systems from multiple vendors?
• Operating systems involved to avoid conflicts – is the network running Windows, UNIX, or Linux operating systems, or some combination?
• Access and permissions required to reach assets – is the network managed locally or outsourced to a third-party security provider?
• Virtual patching team’s capabilities – will the virtual patching system be run by employees or a managed security service provider?

Answering all of these questions will result in a well-defined plan and a team that knows what to do – resulting in successful virtual patching.

What would happen without virtual patching?

To answer this question, we would need to have a look at the worst-case scenarios:

• Network and system compromise – this is an obvious one. But then, one website can lead to the full compromise of a network, all the other devices connected to it, as well as the applications and software running on them.
• Compromised security measures – once unauthorized access is successful, the rogue user can pretty much see the “blueprint” of the security that has been put in place and use this knowledge to bypass it and stage further enhanced attacks like distributed attacks of both local and global networks.
• Critical data exposure – one script, injected into the right input feature (a URL, text box, query box, etc.) can allow unauthorized access to SQL data that should never be shared, for example.
• Financial loss – crashing websites keep customers away. This kills a business’ income and revenue streams that are based on such websites. And then, of course, there is the matter of exploits that use vulnerabilities to steal valuable personal and financial information and use it to cash in in real life. Fighting the ensuing lawsuits alone would break most companies.
• Reputational loss – no business can appear to be a professional entity if it keeps having regular system crashes, let alone breaches leading to data losses. The business world, and especially the paying customers, expects confidential data to be held, well, in confidence.

Bottom line: no one would want to deal with a business that had a website that is always down, owns a network that keeps crashing at every other transaction request, or runs servers that leak data as fast as they can capture them.

Are there any virtual patching tools?

As we reach the end of this post, it will come as welcome news that there are tools out there to help administrators with virtual patching.

But, before we jump into the tools themselves, let’s have a look at what makes a tool the best one for virtual patching.

The features that would make it so include:

• End-to-End visibility – it should cover the whole architecture, regardless of the operating system, processes, services, and hardware that is being used.
• Accuracy – a virtual patching tool should be able to identify the issue before it can recommend a solution or point towards alternative ways of handling it; it should, therefore, be able to rely on a large database allowing it to cover a wider, more recent variety of vulnerabilities.
• Auto-patching – the tool should be able to send out the correct type, and version, of patches and then install or apply them without any manual intervention required; in fact, it should know the sequence of the patches that are applied so as to avoid conflicts or, worse, crashes.
• Remote access – the administrator doesn’t need to be on-campus when rolling out a patching campaign; it doesn’t matter if it is an on-premises, cloud, or hybrid network – it should be remotely accessible whenever patching needs to be done.
• Testing – the tool should be able to run tests to see if the patching was successful before calling the campaign a success. In fact, it should be able to test the patching campaign both before and after the patching process.

Examples here could be testing the patches on isolated sample networks or even on individual subnets instead of finding out later (when the wrong patch has crashed the entire network) that they don’t work.

• Price and licensing – while “free” is always the best price, it doesn’t mean that paying a little more for premium, mission-critical features won’t be a better option; especially, if it can do a better The trick is finding that sweet spot between price, features, and the current requirements.

The Best Virtual Patching Tools

1. SolarWinds Virtual Patching for Endpoint Security (FREE TRIAL)

This is a virtual patching tool for corporate network administrators. It is a powerful tool from the leading maker of network and server management and monitoring tools.

Key Features:

• Continuous Patch Availability: Capable of patching machines even when they’re powered off, ensuring continuous protection.
• Unified Patch Management Dashboard: Offers a comprehensive view of patch statuses, including available, missing, and applied patches, across the entire network architecture.
• Third-party Software Updates: Automatically delivers updates for third-party software, such as VMware, streamlining the maintenance process.
• Comprehensive Management Tools: Provides tools for inventory management, reporting, research, and scheduling, facilitating efficient patch management.

Why do we recommend it?

SolarWinds Patch Manager provides regular patching for devices running Windows and also has a virtual patching unit. SolarWinds has a slightly different definition of virtual patching to ours because it classifies the task as patching virtualizations. However, the core process in this package of accumulating patches centrally on its cloud platform, pre-testing and verifying them, and then automatically applying them, fits our definition as well.

Who is it recommended for?

This system runs on Windows Server and it is only able to patch endpoints running Windows, so it wouldn’t be suitable for businesses that have a mix of operating systems on-site. This is a solution for large organizations. It provides a high degree of patching automation, freeing up administrators for other tasks.

You can check out the 30-day fully functional free trial of SolarWinds Virtual Patching for Endpoint Security.

2. ManageEngine Patch Manager Plus

Here we have another popular virtual patching tool that boasts a wide array of features. It is ideal for larger architectures that have a mix of operating systems and numerous third-party software solutions.

Key Features:

• Hybrid Deployment: Supports both cloud-based and on-premises deployment, offering flexibility in patch management strategies.
• Wide Application Coverage: Capable of patching a broad array of everyday applications, including Adobe and WinRAR, ensuring comprehensive protection.
• Customizable Policies: Features easily adjustable deployment policies to meet specific organizational needs and enhance security posture.
• Ready-to-Deploy Patches: Provides pre-built and tested patches for quick deployment, ensuring timely mitigation of vulnerabilities.

Why do we recommend it?

ManageEngine Patch Manager Plus offers a service on a SaaS platform with an option to get the software package and run it yourself on Windows Server. This system relies on a central store of tested patches that is held on ManageEngine servers. This system can patch devices on multiple locations, no matter which deployment option you choose.

Who is it recommended for?

This package will patch devices running Windows, macOS, and Linux. This gives the tool a wide appeal, as does its cloud and self-hosting options. The system can patch devices on multiple sites and it will also patch the home-based computers of remote workers. A Free edition will patch 20 workstations and five servers.

Try ManageEngine Patch Manager Plus FREE for 30 days.

3. Avast Business Patch Management

This virtual patching tool is for business architectures that rely on Windows products. It is another tool from a leading antivirus and security tools maker. With this tool, administrators have the ability to remotely secure their assets.

Key Features:

• Rapid Patch Deployment: Capable of patching thousands of machines quickly, optimizing administrative efforts and time.
• Extensive Application Coverage: Patches not only Windows but also a wide range of popular office productivity tools such as Oracle, iTunes, and Adobe.
• Remote Reachability: Ensures patching capabilities extend to assets regardless of their location, including those behind firewalls, on remote sites, or mobile.
• Integrated Management Dashboard: Provides a centralized platform for comprehensive oversight of patching processes, from discovery to distribution and reporting.

Why do we recommend it?

Like the SolarWinds package, Avast Business Patch Management will only patch endpoints running Windows. The service will patch applications as well as the operating system. This is a multi-level solution with a central manager that is based in the cloud and an on-device element. The central console will scan your endpoints and maintain a software inventory.

Who is it recommended for?

Avast aims this package at SMBs with a rate per endpoint. One sneaky detail that they don’t tell you until you buy is that the tool requires the presence of the Avast Business Antivirus on each device, which is a separate purchase. You can also get the patch manager as part of the Avast Ultimate Business Security package, which gives you the anti-virus as well, plus data loss prevention and email scanning for protection against phishing and spam.

Try Avast Business Patch Management FREE for 30 days.

Take virtual patching seriously

Virtual patching is a task that needs to be part of every conscientious administrator’s duty. It is a responsibility that is critical to the survival of a business.

We hope this post and the suggested tools will help administrators undertake this task with a little more ease. Let us know what you think. Leave us a comment below.

Virtual patching FAQs