Patch management is a nightmare. Critical patches are announced at the whim of vendors. Security and operations teams must drop everything to close holes in software before attackers exploit them. Even in the best of circumstances, patch management requires close cooperation across operational disciplines that include security, operations, applications, and business units. Patches must be tested to ensure that they don't affect essential business systems, tracked to ensure that they've been deployed, and reported on for executives and auditors who want bottom-line summaries of risk posture and compliance.
Patch management products can provide immediate relief, but a new trend is emerging that folds patch management into a larger security or configuration management system. Pure-play patch management vendors that don't respond to this trend will find themselves marginalized, whether by Microsoft and its automated patching systems, or by established software distribution and asset management vendors that are adding patch management to a larger portfolio of security and configuration management features.
Security and configuration management systems deliver patches, but they also assess and monitor the overall status of an asset, including applications running on the machine, allowed services, open ports, and so on. These systems track changes and remediation efforts and continually monitor the state of the assets to detect machines that fall out of compliance.
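The compliance check such a system performs, reduced to its core, as an added illustration (not any vendor's code): a baseline of allowed services, allowed listening ports and minimum patch levels is compared against the inventory an agent reports for each host, and any deviation becomes a finding. The baseline, host names and package versions are constructed sample data.

```python
"""Baseline-versus-observed compliance check for a patch/configuration baseline."""
from typing import Dict, List, Tuple

# Constructed baseline: what a compliant host is allowed to look like.
BASELINE = {
    "allowed_services": {"sshd", "ntpd", "cron"},
    "allowed_ports": {22, 123},
    # Minimum versions that the deployed patches must bring a package up to.
    "required_patches": {"openssl": (1, 0, 2), "kernel": (4, 19, 0)},
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def check_host(observed: Dict) -> List[str]:
    """Return findings for one host; an empty list means the host is in compliance."""
    findings = []
    for svc in sorted(set(observed["services"]) - BASELINE["allowed_services"]):
        findings.append(f"unexpected service: {svc}")
    for port in sorted(set(observed["ports"]) - BASELINE["allowed_ports"]):
        findings.append(f"unexpected open port: {port}")
    for pkg, minimum in BASELINE["required_patches"].items():
        installed = observed["packages"].get(pkg)
        if installed is None:
            findings.append(f"missing package: {pkg}")
        elif parse_version(installed) < minimum:
            wanted = ".".join(map(str, minimum))
            findings.append(f"unpatched: {pkg} {installed} < {wanted}")
    return findings

# Constructed inventory records, as a configuration-management agent might report them.
HOSTS = {
    "web01": {"services": ["sshd", "ntpd", "cron"], "ports": [22, 123],
              "packages": {"openssl": "1.0.2", "kernel": "4.19.5"}},
    "web02": {"services": ["sshd", "telnetd"], "ports": [22, 23],
              "packages": {"openssl": "1.0.1", "kernel": "4.19.0"}},
}

def report(hosts: Dict = HOSTS) -> Dict[str, List[str]]:
    """Map each host name to its list of findings; this is what a dashboard would roll up."""
    return {name: check_host(state) for name, state in hosts.items()}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "COMPLIANT" if not findings else "OUT OF COMPLIANCE")
        for finding in findings:
            print("  -", finding)
```

Running the check on a schedule and diffing successive reports is what turns a one-off scan into the continuous monitoring the paragraph describes.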
In general, what sets the two systems apart is the vendor doing the selling. Companies that tend to sell to security architects emphasize security, while those that sell to IT operations teams emphasize configuration. The thing that really counts, however, is the management.
That's because the key to a more secure environment depends as much on process as it does on products. In some cases, a product will enforce an ad hoc process on an organization, but the business is best served when all the units responsible for the health of the information systems establish explicit protocols for addressing the issues related to patch and configuration management.