**Editor’s Note: Click here for our recently compiled list of new products and services.**

Security-as-a-service provider EiQ Networks will announce Tuesday a new patch-management capability within its SOCVue Security Operations and Analytics Platform.

Vijay Basani, EiQ’s co-founder, president and CEO, told Channel Partners that the offering will address the 71 percent of attacks that exploit vulnerabilities for which patches have been available for more than a year prior to the breach. That stat, from the 2016 Verizon Data Breach Investigations Report, reflects the difficulty many customer IT teams have keeping patches up to date for the dozens or hundreds of OSes and applications in use in their organizations.

“People are clearly finding it challenging to patch their environments,” says Basani.

One problem is that every infrastructure and application mix is different. While vendors attempt to validate the stability of releases, a patch that works fine in 99 customer sites could break a critical system at that one outlier. Smaller customers may also lack an automated way to regularly gather new patches for all the systems under their control, prioritize them by severity of the flaw, test to determine if a patch will affect other systems, and determine which servers or endpoints need to be updated.

Currently most companies use on-premises patch management tools such as IBM BigFix, Kaseya, Lumension or Shavlik. However, EiQ is looking to displace these with an as-a-service, subscription-based offering delivered from AWS. SOCVue Patch Management as a Service provides patch scanning, analysis, reporting and remediation with no requirement for in-house management or expertise.{ad}

“Now, customers need to purchase the product, install a patch-management server,” said Basani. “It’s a tedious, laborious process, and that’s one of the reasons we see large numbers of systems going unpatched. So we asked, ‘How can we improve this?’”

There are also management challenges, with a change-control aspect and process questions around who should authorize updates after testing, how to audit a patch trail for regulatory compliance and what happens in case an emergency rollback is needed. Virtualized systems and more use of containers adds complexity.

The result is that, according to NTT Group, nearly 21 percent of vulnerabilities with a Common Vulnerability Scoring System score of 4.0 or higher detected in client networks were more than three years old. More than 12 percent were over five years old, and more than 5 percent were more than 10 years old. A hit list of the Top 10 security flaws accounted for more than 78 percent of all internal vulnerabilities during 2015 — and all 10 are directly related to outdated patch levels on the target systems.

We spoke with Basani in September about the company’s channel strategy, funding and security services on offer. He says EiQ added 35 new partners in 2016, and he’s looking to increase the percentage …

{vpipagebreak}

… of sales coming through the channel. EiQ also doubled its customer base in 2016.

“Last year was a good year for us,” said Basani.

For the fully managed Patch Management service, EiQ works with HEAT Software (which just merged with LANDesk to form Ivanti) to consolidate patches for OSes (Windows and Linux are supported now), Microsoft SCCM and third-party applications including Adobe and Java. EiQ hosts patches in its AWS cloud, and for customers that might be several versions behind, the SOC team will help partners prioritize by severity of the vulnerabilities.

“We are validating the patches before we make them available,” Basani said. “When we say a patch is available for a particular application, you know it’s going to work. Our goal is to help manage risk.”{ad}

For patch scanning, it doesn’t matter if customer systems are on premises or in the cloud, and Basani says the service is suitable for highly regulated industries with stringent compliance requirements, including meeting PCI DSS, HIPAA and FFIEC patching policies.

Like the company’s other services, partners can deliver patch management in a white-label model and supply a higher level of customer care, or it can be sold in a resale model with EiQ handling billing and being the primary support contact. Typical margins are 20 percent for authorized partners; there’s a higher tier for higher-touch engagements.

The SOCVue Patch Management as a service will be available Tuesday as a standalone service or bundled with EiQ’s security monitoring and vulnerability management services. Pricing starts at $9,899 for 100 nodes.

Follow editor in chief @LornaGarey on Twitter.