CASE STUDY
I
f you wish to remain a leading
Managed Services Provider of
technology solutions and services, you
must defend against software vulnerabilities
in your infrastructure. However, with the
company growing at unprecedented rates,
the Managed Services Team at Softcat
faced managing a sprawling estate of 200
Windows servers that lacked a consistent,
automated patching solution.
In response, Softcat created an Information
Security team to compile best practices
that would help it maintain control over this
critical process-practices it planned to share
with equally overwhelmed customers.
“Our situation was typical of a fast-growing
Windows organisation,” said Softcat’s
Security Analyst, Tim Lovegrove. “We
deployed WSUS to assist with Windows
64
INTELLIGENTCIO
patching, but it was hard to administer and
track, even on updates to the Windows OS,
and harder still across our critical third-party
applications. We wanted to know that every
machine on the network would receive
essential updates automatically.” system admins a month to identify and
schedule the appropriate WSUS patches
to rollout and then another two months to
complete the deployments. At the end of
each 90-day window, the patching cycle
began again.
A key issue, only 25% of Softcat’s servers
had been assigned owners with responsibility
for patching the server. Like most WSUS
deployments, Softcat had used Group Policy
settings to assign machines but not to
determine ownership. The 2017 ransomware outbreaks were the
final catalyst for change. Although Softcat
had patched the vulnerabilities months
before, the events escalated the ‘what if’
debate to senior management.
Moving from an all-consuming
patching cycle
The WSUS patching cycle also took 90 days
to complete, which was too long in today’s
fast-moving world and opened the door to
risk. Each quarter, it took Softcat’s Microsoft
Lovegrove commented: “Our Managed
Services teams were heavily involved in
helping customers recover from ransomware
attacks last year, often working 24/7 shifts.
Although Softcat itself was unaffected, we
witnessed first-hand the effects of neglecting
updates. That led us to examine our own
internal procedures for patching, escalating
www.intelligentcio.com