
Reporting on Missing Patches

AbacusMatt
AbacusMatt W/ Partner Posts: 6 Security Scout

Hi,

I see that there are report enhancements being worked on. This is great. However, the most important information about patching is a listing of machines/patches that ARE NOT deployed. This appears to be the only information I can't get on a report wrt patching.

Does anyone know if this feature is coming? The rest of the information is largely irrelevant. Why would a client care about the most common patches, or the top 5 patches deployed, or the categories, etc?

To prove compliance, I need to produce a report of the status of patches. This could be potentially a % of machines fully patched, which machines are not fully patched, which patches are missing for those machines, and how old those patches are.

Patching is an amazing feature of EPP that we love, but it's very difficult to rely on it if I can't effectively report on it. At the moment, I have to pay for another piece of software just so I can have compliance-tier reporting.

Thanks!

Best Answer

  • MikaArasola
    MikaArasola W/ Partner, W/ Staff, W/ Product Leadership Posts: 72 W/ Staff
    Solved

    Hi!

    The features you ask for are indeed very important for an organisation. In Elements we have many different solutions, and one of them is Vulnerability Management which is a dedicated solution for identifying vulnerabilities and managing them. Naturally, with the dedicated solution the scope of vulnerabilities identified is broader, data is a lot more verbose and precise, and it's built around slightly different workflows.

    In EPP the patch management functionality is different, and as you noticed it's maybe designed for a slightly different demographic of customers. The goal has been to provide a very easy way to patch critical vulnerabilities which also works for organizations that don't have advanced processes around this area. In many ways this is overlapping functionality and our long term goal is to tie them together, but in the short term this will mainly be visible so that if a customer has both EPP and Vulnerability Management products in use then they will be able to trigger the update from the Vulnerability Management side. In the longer term there are further plans for unification.

    Based on your idea we went through the existing reports and agreed that it would be useful to provide data also for missing updates, and similarly for installed it would likely be more useful to have a graph showing updates based on software title rather than patch (though both could be useful). We'll be adding those, but for more detailed information I would recommend testing Vulnerability Management: https://www.withsecure.com/en/solutions/software-and-services/elements-vulnerability-management

Answers

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 228 Moderator

    Hi @AbacusMatt

    Thank you for reaching out to the WithSecure Community. I'll check your query with our backend team and update you here shortly.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 228 Moderator

    Hi @AbacusMatt

    According to our backend team, you can currently create graphs in "My Reports" that display device counts by software update status.

    In the future, we plan to enable the option to receive these custom reports via email.

    Additionally, you can already receive emails for devices with critical updates missing by using email reports. You can set up a custom view in the Devices section with the filter "software updates status = critical updates missing" and include this in the email report.

    Would these options meet your needs, or do you require something more detailed?

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home

  • AbacusMatt
    AbacusMatt W/ Partner Posts: 6 Security Scout

    Thank you, Sethu.

    This could be helpful as part of a report, but think about it from an Information Security Officer's perspective. An ISO needs the detailed information. It is their job to validate that patching is done within whatever they consider to be their compliance tolerance.

    A pie chart showing that an environment is mostly patched doesn't tell the whole story. What if you're 95% patched, but the 5% unpatched systems have security patches to be applied dating back 6 - 12 months? Moreover, the customized view only shows that there are missing patches on devices. It doesn't tell me which patches are missing or how old they are.

    This is ok for small environments, or environments where there aren't strict cybersecurity controls and oversight. But for clients who have regulatory requirements, cybersecurity auditors, and/or ISOs, the reporting capabilities are inadequate.

    I don't know how many other partners have clients in heavily regulated industries, but proving the effectiveness of our patch management is a big deal for us. Right now, without manually pulling the data and repackaging it in a custom report (which isn't available data to pull with your API) I don't have a scalable way to do this with your tool.

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 228 Moderator

    Hi @AbacusMatt

    Thank you for your feedback. I understand that our current features may only partially meet your needs, and you require more detailed information on the missing patches than what is currently available in My Reports. I will reach out to our backend team for further clarification and will provide you with updates accordingly.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home

  • AbacusMatt
    AbacusMatt W/ Partner Posts: 6 Security Scout

    Thank you, Sethu.

  • AbacusMatt
    AbacusMatt W/ Partner Posts: 6 Security Scout

    Thank you, Mika.

    Yes. We have several clients using Vulnerability Management. We attempted to use this as a work-around, but the results rarely match. However, that's for another conversation.

    This has been helpful.

  • MikaArasola
    MikaArasola W/ Partner, W/ Staff, W/ Product Leadership Posts: 72 W/ Staff

    Yes, Vulnerability Management and Elements EPP are coming from separate solutions and don't integrate well together. Elements EPP is using a third party solution which scans installed applications for updates and then includes vulnerability information for them, while Vulnerability Management does a lot more extensive scanning. The first step of closer integration will be the possibility to trigger updates from Vulnerability Management side if they are available, but the longer term goal is to take things a lot further.

    I'll try to avoid speculating too much here as I don't know timelines and my responsibilities fall under the EPP / EDR side while Vulnerability Management falls under a slightly different part of the organisation. There is a lot of background work ongoing on this theme, and similarly as we have been (starting) merging EPP and EDR closer together in the portal (single device view etc) the goal over time is to do the same for all offerings.