Credit Union Fights Patch-Management Nightmare

Software patches can be a double-edged sword when it comes to protecting a company's network. If security administrators delay installation so they can first test them properly, the company is exposed to attacks designed to take advantage of the flaw the patch is suppose to fix. But installing a patch without testing it first can cause its own set of problems.

That's a problem that Chris Hoff, chief information security officer at Western Corporate Federal Credit Union, frequently faces. For a corporate credit union that provides services to other credit unions and moves around a trillion dollars a year, protecting a customer's confidentiality usually is the highest priority. So he'd often install patches before he could completely test them just to reduce the chance of network attacks.

"Nine times out of ten, we had to make decisions on the fly," says Hoff. "We needed help with this complete patch-management nightmare." Once he installed patches, he often had problems trying to uninstall them. Meanwhile, the time available to tests was shrinking as hackers moved quickly to take advantage of software vulnerabilities. And sometimes a patch was worse than the vulnerability itself, he says.

Hoff has been testing an early version of Blue Lane Technologies Inc.'s PatchPoint system, which was rolled out this week. PatchPoint appliance sits on the network in front of a server and consists of a gateway, an Enterprise Manager, and an Active Update Service. The system captures software patches before they're installed on a server, holds the patch and applies it to network IP traffic to see if it causes conflicts with other applications or patches. It also uses the patch to identify and analyze the vulnerability the patch is designed to fix. The system is designed to provide immediate protection while giving a customer time to test the patch before installing it.

A PatchPoint G/250 system supporting up to 30 servers costs $30,500, and there's version that can support up to 200 servers.

"Now Blue Lane authenticates and tells us what patches we need to install," says Hoff. "Blue Lane buys me time for regression tests and the old patch problems don't happen anymore."

Blue Lane takes a unique approach to managing patches and protecting a network, says Rick Ptak, founder of research firm Ptak, Noel & Assoc. "Blue Lane emulates the activity of a patch and keeps any related intrusions from reaching the network," he says, "and protects customers for whatever time it takes them to install a patch."