Review: Action1 – Simple and powerful patch management

Although endpoint anti-malware and other security controls are now standard at the operating system level, keeping all endpoint software up-to-date and secure remains an open issue for many organizations. Patch management is not yet a commodity, and substantial improvements can be made with the right solution.

Effective patching involves automating the entire process without slowing down endpoints or interfering with business operations. This is true whether you are a one-man-show IT administrator or a managed security service provider (MSSP) who caters to multiple customer organizations.

Effective patch management – a growing priority

As I write this, Microsoft’s June 2024 Patch Tuesday rollout features a typical total of 50+ vulnerabilities, many deemed important and at least one rated critical and having the potential to become „wormable“. Simultaneously Adobe, whose applications are found on many corporate laptops, released patches addressing 165 vulnerabilities, many critical-rated bugs.

In the same month, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) added 9 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which lists zero-days leveraged by ransomware operators and other threat actors. These actively seek vulnerabilities in network equipment (for ex. VPN gateways), servers and of course endpoints, Windows understandably being the most popular target.

With this flurry of activity both at the vendor and attacker side, it’s no wonder 30,000 new vulnerabilities were published during 2023 (a record), with the window from vulnerability disclosure to exploitation steadily decreasing – now at 19 days or less.

In this context, organizations need effective operational awareness of what’s happening across a distributed endpoint ecosystem in terms of patch implementation and vulnerability exposure. They need to continuously discover, prioritize, and remediate vulnerabilities in an automated way, as well as easily intervene with scripts and even remote desktop for particular tasks.

Action1 – SaaS-delivered simplicity and security

A relative newcomer to the patch management market (the company was founded in 2018), Action1 brings the heft and product development experience of its founders, industry veterans who previously co-founded and led US-based company Netwrix, a data security provider.

Action1 is a SaaS-delivered cloud-native platform. This means no infrastructure, hardware, or software resources are needed to deploy and maintain the solution, and most importantly, no VPNs connecting endpoints and the management console – a welcome approach for any overstretched IT team. It also means you can register as a user, onboard, and get started in under five minutes.

You immediately notice that Action1 is keenly aware of the importance of trust and security inherent in any SaaS proposition, especially if it involves software being installed on each of your endpoints.

Action1 follows security best practices, starting with enforced multifactor authentication (MFA) for its customers logging into the management console. Although the default is email-based MFA (or 2-step verification), customers can configure app-based MFA (e.g., Google Authenticator). Furthermore, enterprises can integrate into external identity providers such as Microsoft Entra ID, Google, Okta or Duo – all supporting multiple forms of MFA. This proves very important as threat actors are now routinely breaching password-protected accounts, especially in SaaS applications not enforcing some kind of MFA (as an example, see the recent Snowflake incident).

Figure 1: Secure by design, MFA by default

Any software deployed on endpoints has important supply chain security implications. Think of the SolarWinds Orion attack or more recent examples such as Anydesk and LastPass.

With that in mind, Action1 is heavily investing in security operations and compliance: the platform is certified with ISO 27001 and SOC 2 Type II, while the operations team implements various cybersecurity controls and follows security practices compliant with NIST SP 800-171 and CMMC. Conscious of EU privacy regulations such as GDPR, the company has recently expanded its operations with a dedicated data center in the European Union. A separate facility is also planned for Australia.

Enforcing cybersecurity controls is key for a SaaS provider to build trust, and the company seems aware of this. To prevent malicious misuse of the platform, customers wishing to deploy custom scripts must pass an additional account verification process. At the same time, a robust audit trail tracks all actions within the management console and API calls.

Figure 2: A robust built-in audit trail

Get 100 endpoints for free, and be up and running in minutes

Having worked with many enterprise security software, I noticed that established market players tend to accumulate substantial technical debt, which translates into bloated endpoints that spawn several processes and services bolted together as new functionalities get added, ultimately noticeably hitting endpoint performance and hampering employee productivity.

That is not the case with Action1: the endpoint install experience is so quick that you might mistakenly think the MSI installer did not run. After a few seconds, a quick check with Windows’ task manager reveals a single lightweight process using around 10MB of RAM memory – a rarity these days.

Of course, for massive deployments in Active Directory environments, this process can be orchestrated via Group Policy or, more preferably, with the Action1 Deployer, a service that continuously discovers workstations and servers that reside in an Active Directory domain or an organizational unit (OU).

Immediately after install, the endpoint is manageable and reports to the management console: this is a cloud-native SaaS platform designed for scalability, and opening an account is just as quick as installing the endpoint.

Figure 3: Operational awareness

Action1 is completely free for up to 100 endpoints. If you have more, you still get the first 100 free. The simplicity extends to the commercial tier: there are no bundles or premium features, and all the functionalities are included in a per-endpoint fee.

Action1 provides free vulnerability assessments, offering enterprise-wide one-time evaluations of software vulnerabilities. To use this service, create an Action1 account and install the agents on your endpoints. Vulnerability analysis starts immediately upon installation, with each endpoint assessed once. The results are available indefinitely in an aggregated view on the Action1 console.

Enterprise features

Behind the simplicity, Action1 offers a full set of enterprise-grade features designed to quickly operationalize a risk-based patch and vulnerability management process.

Figure 4: Effective endpoint overview with the ability to quickly run scripts, deploy software or patches, and connect to an unattended remote desktop.

The focus is on automated deployments and granular policies. Every automation is applied to a set of endpoints, either manually selected or a group, which can dynamically include or exclude items based on various endpoint criteria (e.g., manufacturer, OU member, IP address, etc.).

Automation can refer to patch or application deployment, software uninstallation, or running scripts designed to perform specific actions on endpoints: for example, remotely disabling USB, turning on or off the Windows Firewall, creating restore points, and so on. A curated library of Action1-provided scripts is available, but customers can also define custom ones, depending on specific business processes.

Automations can be combined to affect various subsets of endpoints. For example, you might define an automation for a test group that rolls out patches immediately upon release and have a separate policy for the rest that delays new patch installation for, let’s say, seven days. That way, you’re able to control the process and resolve any potential issues while the patch is still on the test endpoints before global rollout.

Figure 5: Deploying patches depending on granular criteria – from vendor names and application names (wildcard included), over severities, to update sources (Microsoft and Action1 curated repositories).

It is worth noting that software deployments are aware of LAN environments and bandwidth constraints. If multiple agents are located on the same LAN, they will use a private P2P file-sharing mechanism to download files.

As for application and patch repositories, Action1 is purpose-built for third-party app patching and relies on a privately maintained secure software repository with 99% coverage for typical enterprise environments (Adobe, Zoom, Chrome, etc.), avoiding public repositories like WinGet or Chocolatey.

If you are a managed service provider (MSP) or an enterprise with several entities, Action1 allows you to create multiple organizations to separate their data from each other. Users with different roles and scopes can then be assigned to these organizations.

Figure 6: Granular user roles across separate tenants.

Automation teams and MSSPs will appreciate the built-in REST API and a simplified PowerShell module (PSAction1), allowing orchestration of actions within the platform and integration with external services. For example, you can programmatically create endpoint groups or automations, read endpoint information and reports, automatically export them to a business analytics solution or Excel, etc.

The platform can also be used to dynamically query various information from the endpoint population via PowerShell data-gathering snippets. The data can then be consumed in reports or elsewhere. For example, you might query the Windows Defender status, disk statistics, Windows event logs, running processes or any other data obtainable via a PowerShell script – and integrate this into reports, and perhaps automate retrieval via the REST API. The ideas for IT helpdesk and operations productivity are limitless here.

Key takeaways

Action1 is a very simple but powerful proposition to operationalize patch and vulnerability management across your endpoint estate. It is a modern SaaS platform with security as a top concern, where customers can get up and running in no time due to a frictionless onboarding and easy setup.

Despite its ease of use, Action1 is quite powerful and offers granular configuration suitable for distributed IT infrastructures in enterprise environments.

Although MSSPs love to use remote monitoring and management (RMM) solutions for their operations and Action1 makes no claim to compete in the RMM market, I find Action1 is quite a match, with features such as remote desktop control, vulnerability management, software deployment, remote scripting and data gathering.

Action1 is currently Windows-centric, with no support for macOS or Linux. However, the company is announcing the availability of a macOS client in the next major release, and Linux support is also planned.

Action1 targets mid-size and large customers and this is reflected in the fact that it’s completely free for up to 100 endpoints. This is an excellent move, capturing fast-growing customers who might eventually convert into paying ones.

The commercials are very simple, with no bundles or premium features at extra cost. All the functionalities described in this review (and more) are included by default, whereas other vendors will typically charge for extra features such as vulnerability management, SSO, or API access.