March 15, 2019 • Resolve Staffer

Yes, Virginia, You Can Automate Patch Management!

Patch management cycles are never-ending. For some systems, it can take months to install critical patches… and some never get installed.

Most of us in IT Ops are in a catch-22 situation. If you patch, things can break (or an exec complains about the maintenance window). If you don’t, you could leave yourself vulnerable to a security breach (or the SecOps team won’t stop pestering you). Either way, the process is risky and way too time-consuming.

At the very least, there are always too many decisions to make, which leads to too many delays. Too many dependencies, too many approvals, and too many questions to answer, especially if things go sideways.

Admittedly, these questions are tough to answer:

  • How do we know this patch isn’t going to break something or slow down performance to a crawl?
  • Which third-party apps or custom apps are going to suffer after we apply it?
  • How do we keep pace with a constant onslaught of vulnerabilities?
  • Who needs to sign off on these updates?
  • Which team has the “single source of truth” on which patches are missing or have been fixed already – SecOps or IT Ops?
  • How do we validate that the vulnerability is truly remediated?
  • What can I do about the fact that patching on critical servers is really important to do well, but SMEs are already too busy doing more valued and visible work?

That’s why it’s difficult to believe that you can automate any aspect of the patch management process, not to mention all of the steps – from vulnerability discovery to full remediation and post-patching health checks.

The Pain of Patching is Real

Does this totally unscalable process seem familiar to you?

It’s painful and agonizing mostly because of all of the questions you have to answer and decisions you have to make. They aren’t easy (not to mention the number of departments and executive approvals that are involved).

No wonder most IT folks would rather just burn it all down and start over.

Unfortunately, we can’t do that with everything. Not every app or server can be rebuilt, especially since the most important ones are usually custom code, and very sensitive to downtime risks.

Automation Alleviates the Pain

Point solutions can automate and accelerate some parts of the patching process (e.g. checking for updates, downloading patches). Unfortunately, the most painful aspects of patching are decision-dependent and SME-reliant to get right. After all, your SMEs know how to handle the trickiest aspects of patch deployment and verification, and they usually hold the access permissions to the critical systems.

That’s where we come in. We fill in the automation gaps in your patching cycle – even when decisions are required or SME access is essential.

Here’s an example of what your patching cycle can look like with Resolve:


Resolve eases the pain associated with patch management so that you can deploy patches faster and shrink vulnerability windows for reduced risk and easier compliance.

For example, let’s revisit those questions and see how Resolve makes them so much easier to answer.

How do we know this patch isn’t going to break something or slow performance to a crawl?

  • With Resolve, patch testing is a breeze. Your SMEs can package up approved patch-evaluation automations that anyone can safely execute. Or, you may want to use us to automate and orchestrate the build-out of a patch-testing infrastructure.

Which third-party apps or custom apps are going to break after we apply it?

  • With Resolve, you can automate system and app testing and health checks immediately after the patch is deployed to verify that all is running as expected.

How do we keep pace with the constant onslaught of vulnerabilities?

  • Resolve’s interactive automation makes it possible to scale your patch management cycle to meet the blazing pace of vulnerability disclosures and exploits. By automating the most time-consuming aspects of the patch cycle, and optimizing human decision-making when human involvement is required, Resolve strikes the best balance.

Who needs to sign off on these updates?

  • With Resolve, you can automate the entire approval process, triggering approval requests at key milestones (e.g. once patch-testing results are in) and documenting each approval step along the way.

Which team has the “single source of truth” on which patches are missing or have been fixed already – SecOps or IT Ops?

  • Resolve can’t negotiate a peace treaty among departments, but we can automatically assess system configurations, trigger updates to the CMDB, and audit all actions executed – whether automated or human-executed – all of which promotes transparency and trust among teams.

How do we validate that the vulnerability is truly remediated?

  • Once a patch has been installed, Resolve will automatically validate system health, trigger additional remediation if required, and update the CMDB accordingly.

What can I do about the fact that patching on critical servers is really important to do well, but SMEs are already too busy doing more valued and visible work?

  • Resolve’s platform enables teams to package up SME-approved automations that anyone can safely execute – without requiring access permission changes or hand-offs to other teams.

Where’s my audit trail for compliance?

  • Resolve automatically captures a complete record of each step in the patching process for compliance and governance... without you lifting a finger.

