As a senior consultant for endpoint management and security, I deal with many companies on a daily basis. Each has its own philosophy when it comes to patch management or closing security gaps. I have also been to various security events and have followed or taken part in countless discussions.
For me, there is a very simple starting point that EVERY company can implement:
Minimize attack surfaces through minimal software installations!
What do I mean by that?
In most companies I know, EVERY piece of software that could be needed somewhere in the company is pre-installed on newly issued or freshly installed systems.
To illustrate this:
Let’s take 500 clients with a simple Adobe Reader or 7-Zip. If I install this software on all systems, then I also have to keep it up to date on all systems to close security gaps. That is a broad attack surface.
This is especially true if you assume that the software is only used on a fraction of the systems, say 100. That leaves 400 potential security risks.
Solution and recommendation:
Only install what the user really needs on the systems that you issue. The easiest way to do this is via a self-service portal. Every user should install the software they really need from the self-service portal themselves!
Some systems even allow the software to be repaired or uninstalled from this self-service portal. This also saves support resources, because a ticket is only opened if the repair did not fix the software error.
Here is my recommendation:
Endpoint Central from ManageEngine contains a self-service portal that offers precisely these functions. It also contains a patch management system that handles Microsoft and third-party patches.
You can find more information about Endpoint Central here:
Vendor: www.manageengine.com/products/desktop-central/
Regional Partner: www.manageengine.com/me_partners.html/
German Partner MicroNova: www.manageengine.de