This is the question that most IT administrators and organizational security teams have been asking us for the last couple of years. These organizations have a patch management system that automatically pushes OS patches to the endpoints, and an AV/AS server that automatically updates the antivirus signature (.DAT) files on those endpoints. In spite of these measures, many endpoints are not updated.
Based on our experience in the field and feedback from our customers, the reasons for non-compliance generally vary with the size of the organization. Broadly, the reasons fall into the following two categories:
- Large organizations with headquarters (HQ) and branches distributed across geographically different locations, connected over WAN links
- Small to medium-sized organizations located in the same building or premises
Large Size Organizations: These organizations have the Patch Management System and AV/AS server placed at the HQ. Branches in various geographical locations connect to the HQ over leased lines or MPLS links. The number of endpoints in the organization can exceed 3000.
Typical issues that prevent the endpoints from updating to the latest OS patches on the Patch Management Server or to the latest .DAT files on the AV/AS server are:
- The last-mile link speed is typically low, for example 64 Kbps.
- Large patches take a long time to download. Before the download completes, the end user switches off the endpoint at the end of the day, as the policy in many large organizations requires.
- If multiple machines try to download patches from the HQ at the same time, the download for each endpoint takes even longer; combined with the previous point, this leaves all of these endpoints unable to update.
- Certain organizations have QoS parameters configured on intermediate routers or switches that give higher priority to business-critical application traffic. Patch update traffic is therefore given lower priority, resulting in far slower patch downloads.
- Many endpoints requesting patch downloads from the patch management server at once can overload the server, so that the performance of the server itself degrades. This again results in lower download speed.
- Certain patches require a reboot of the host machine. End users typically postpone rebooting their machines for long periods.
All of the above factors together compound the problem.
Another related point worth mentioning is that once the number of endpoints exceeds 5000, IT administrators find it very difficult to locate or physically track down non-compliant endpoints in order to take manual corrective action. This is compounded by the fact that administrators have no easy or user-friendly way to find out the update status of each endpoint.
Small and Medium Size Organizations: These organizations have a Patch Management System and AV/AS server located on the local premises. The bulk of the endpoints are at the same location or premises, or close to the server, connected over fibre. Users typically have admin rights on the endpoints. The number of endpoints varies from 500 to 3000.
Typical issues that prevent the endpoints in these organizations from updating to the latest OS patches on the Patch Management Server or to the latest .DAT files on the AV/AS server are:
- The end user has admin rights on the endpoint and disables the AV update agent, because AV products with Host IPS can slow down endpoint applications.
- Some patches require a reboot of the end host. End users typically postpone rebooting their machines for long periods.
In summary, it is not enough to have a Patch Management and an AV/AS update server in place in an organization. What matters is finding out why an endpoint is not up to date. The reasons can be bandwidth constraints, network configuration issues, server performance issues or end-user habits, and they vary from organization to organization.
To protect critical data servers against the vulnerabilities that “not up-to-date” endpoints carry, IT administrators need to know the status of every endpoint on the network with respect to OS patch level and AV/AS .DAT file version. It is also beneficial to quarantine endpoints that are not up to date with respect to the organizational servers and then auto-remediate them; only after successful remediation should these machines be allowed onto the network. This is easily achieved using the Nevis solution comprising the LANenforcer and LANsight product families. For details please see www.nevisnetworks.com.
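The posture check described above (patch level, .DAT version, agent state, pending reboot) and the resulting allow/quarantine/remediate decision, as an added illustration that is not part of the original article or of any Nevis product; the baseline, host names, dates and version numbers are constructed for the example:

```python
from dataclasses import dataclass, replace
from datetime import date

@dataclass(frozen=True)
class Endpoint:
    name: str
    patch_level: date         # date of the newest OS patch installed
    dat_version: int          # AV/AS signature (.DAT) file version
    av_agent_running: bool    # False when the user has disabled the AV update agent
    reboot_pending_days: int  # days a required post-patch reboot has been postponed

@dataclass(frozen=True)
class Baseline:
    patch_level: date             # newest patch available on the Patch Management Server
    dat_version: int              # newest .DAT file on the AV/AS server
    max_reboot_pending_days: int = 3

def assess(ep: Endpoint, base: Baseline) -> list:
    """Return the reasons an endpoint fails the posture check (empty = compliant)."""
    reasons = []
    if ep.patch_level < base.patch_level:
        reasons.append("os-patch-stale")
    if ep.dat_version < base.dat_version:
        reasons.append("dat-stale")
    if not ep.av_agent_running:
        reasons.append("av-agent-disabled")
    if ep.reboot_pending_days > base.max_reboot_pending_days:
        reasons.append("reboot-pending")
    return reasons

def decide(ep: Endpoint, base: Baseline) -> str:
    """Access decision: compliant hosts are allowed on the network, others quarantined."""
    return "allow" if not assess(ep, base) else "quarantine"

def remediate(ep: Endpoint, base: Baseline) -> Endpoint:
    """Model auto-remediation: bring the host to baseline, re-enable the agent, reboot."""
    return replace(ep, patch_level=base.patch_level, dat_version=base.dat_version,
                   av_agent_running=True, reboot_pending_days=0)

def compliance_report(endpoints, base: Baseline) -> dict:
    """Map each endpoint name to its access decision and the reasons behind it."""
    return {ep.name: (decide(ep, base), assess(ep, base)) for ep in endpoints}

# Constructed sample baseline and inventory (hypothetical hosts and versions)
BASELINE = Baseline(patch_level=date(2010, 6, 8), dat_version=6020)
INVENTORY = [
    Endpoint("hq-pc-01", date(2010, 6, 8), 6020, True, 0),       # fully compliant
    Endpoint("branch-pc-07", date(2010, 4, 13), 5990, True, 0),  # slow WAN link, downloads never finish
    Endpoint("smb-pc-12", date(2010, 6, 8), 6020, False, 0),     # user disabled the AV agent
    Endpoint("hq-pc-33", date(2010, 6, 8), 6020, True, 9),       # reboot postponed for 9 days
]
```

Running `compliance_report(INVENTORY, BASELINE)` lists each host with its decision and reasons, and `decide(remediate(ep, BASELINE), BASELINE)` shows a quarantined host returning to "allow" once remediation succeeds.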
Author: Girish Kale