Patch management is the process you follow to identify, acquire, verify and deploy patches to IT systems and devices. Software and firmware companies issue patches regularly to address newly discovered security vulnerabilities and keep your systems up to date.
Vulnerabilities arise because defects inevitably creep into software and firmware during design and development, and threat actors hunt for those defects and exploit them before they are fixed.
Patching sits at the heart of endpoint security. In an era of incessant cyberattacks and a fast-changing array of threats, it takes constant vigilance just to stay in business. That is why the companies that sell software applications and operating systems publish security advisories alongside their patches and urge you to deploy them promptly: once a fix is public, attackers can compare the patched and unpatched code to work out exactly what was repaired and go after the systems that have not yet been updated.
Patch management belongs near the top of every IT department’s list of priorities, if for no other reason than to avoid the clean-up costs and fines that follow a breach. Not only does patching have financial ramifications, but it can also affect industry reputation and brand perception among your customers and prospects. Regulatory frameworks often require prompt deployment of patches, with the downside of sanctions, fines and even closure for companies that get caught dragging their feet.
Because patching is important and does not happen on its own, it behooves your IT team to put in place a formal patching process. But every organization must overcome a certain inertia to initiate that process. Circumstances like lack of staff bandwidth and poor awareness can get in the way of applying even the most critical patches.
But for most enterprises the biggest obstacle to implementing patch management is the prevalence of remote users and work-from-home employees. Enterprise computers, tablets and smartphones are increasingly off the corporate network, so IT staff cannot rely on on-premises tools alone to bring them up to date with the latest security patches. Endpoint management solutions designed for device and systems management play an important role in keeping IT assets patched wherever in the world they may be located.
With a well-implemented patch management process, you can assure executive management that your software is up to date, with all associated benefits:
Companies that implement patch management also enjoy broader, less evident benefits, including more system uptime. Unpatched software is a frequent cause of outages: many patches fix stability and reliability bugs as well as security flaws, and a successful exploit of an unpatched system can take it offline entirely. You preserve uptime when you keep your systems patched, enabling business continuity for your company and keeping you an active player in your marketplace.
Furthermore, you ensure that your IT assets comply with your industry’s standards and regulations, which often extend to patching your systems diligently. Some extrinsic requirements call for you to deploy updates to, say, 80 percent of devices within the first two weeks of patch issuance, and to the remainder within 30 days. Your company may impose its own intrinsic requirement that is even more strict than that.
If your patching needs are greater than your IT staffing resources, then you’ll make decisions based on the priority (or severity) you assign to each update. Most vendors make that easy by ranking patches as important, recommended or optional, or with similar nomenclature.
Beyond severity, patches also differ in form and scope (an individual hotfix versus a cumulative update that rolls up earlier fixes, for instance), and that affects how you roll them out to your systems and user devices.
As a process, patch management comprises some variation of the following steps:
Note that there is a difference between traditional and modern patching.
Traditional patching, like traditional endpoint management, targets on-premises endpoints: computers, servers and network-attached devices such as printers, projectors and other SNMP-enabled equipment. It is associated with deep, granular processes and capabilities such as discovery, scripting, software installation, software asset management and vulnerability scanning.
Modern patching is managed from the cloud. It is based on modern device management: the practice of combining cloud-based enrollment, management and security features to accomplish systems management goals. Because the device checks in with a cloud service rather than a server on the corporate network, users can stay secure and productive on any device, regardless of location.
Smart IT teams know that patching is an integral part of the IT landscape. Instead of thinking of it as an episodic endeavor, they approach patch management in the context of a lifecycle.
As soon as a patch is issued, the cycle of testing and deploying begins. Although established IT teams may prefer to roll out patches (at least low-priority patches) on a regular schedule, they should be flexible enough to accommodate high-priority patches anytime.
But the facts of business life can weigh on the patch management lifecycle. Besides unexpected, disruptive patches for high-profile vulnerabilities and exploits, another factor is the service-level agreement that IT has put in place with the business. Push comes to shove when an SLA comes into conflict with the deployment of a high-priority patch, and the lifecycle should be flexible enough to allow for that.
Patch management and vulnerability management overlap. The intent of both is to close holes and gaps before attackers can find them and wreak havoc. They differ in scope, because not every vulnerability can be addressed with a patch.
For example, careless users who write down passwords and stick them to their monitors are a serious vulnerability, but no patch remedies that. Similarly, consider a service such as a printer driver or a communication protocol that is enabled by default and always running. Word gets out that the service is vulnerable, and threat actors pounce on it as an avenue of attack. If the vendor decides not to issue a patch, you have to decide whether to keep the service running on your systems, restrict access to it or disable it. That is vulnerability management, but it is not patch management.
Another example is secure configuration. Baselines such as the security configuration checklists published by the National Institute of Standards and Technology (NIST) recommend hardened settings for operating systems and devices; applying them reduces exposure without a single patch being installed.
So, where it is possible to address the vulnerability with a patch, vulnerability management and patch management are in sync. The rest of vulnerability management is having a deep, reliable, continually updated picture of your device landscape and using it to reduce your attack surface.
By approaching patch management methodically, you can put in place everything needed to reach all devices and keep them updated.
1. Find and make an inventory of your systems and devices
With the goal of leaving no system unpatched, start by discovering all devices on your network. The more you can automate that discovery, the better, because automation reduces the risk that a forgotten or unmanaged device stays unpatched and becomes the attacker's way in. The resulting inventory, an integral part of systems management, is a map of your entire IT landscape, and every later step depends on it being complete.
2. Scan continually for vulnerable, unpatched devices
How many of your devices are and are not patched? By regularly scanning your network, you can figure out where to focus your attention and find any patterns that point to poor coverage, such as a site, device type or user group that consistently lags. Scanning is an ongoing part of patching, and automating the task is the key to reducing wasted effort. Most systems management tools use an on-device agent that reports the installed software and patch levels back to a central console, where they are compared against the current list of available patches and known vulnerabilities.
3. Set priorities
Some patches are more urgent than others. Software and operating system vendors know that and categorize their patches by severity when they issue them. That helps reduce the pressure on your system administrators when they face a sudden salvo of updates from multiple vendors and channels. They can also turn to public sources such as the Common Vulnerabilities and Exposures (CVE) record created when a vulnerability is reported and the Common Vulnerability Scoring System (CVSS) score attached to it; vendor severity plus CVSS score, weighed against how exposed the affected systems are, helps admins decide which patches are urgent and which ones can wait.
4. Roll out patches in phases
Some patches break things. To avoid the unexpected consequences of diving headlong into rollout, first take a close look at the vendor’s release notes for known issues. Then, use high-level policies to stay in control of which groups of users will receive the patches first; that makes it easier to communicate with them and accommodate their schedules. In a phased approach, you can deploy by numbers – for example, x percent of all devices. You can also fine-tune your phased approach by deploying first to certain user profiles or system configurations, then watching for any unintended changes in system behavior.
5. Perform testing on patches
Whenever time and resources permit, it’s advisable to first patch the systems of a small population of trusted users, whether on the IT team or among volunteers. When a well-prepared set of users gets the patch first, they are equipped to communicate any bugs or anomalies to IT. That reduces the support burden on the help desk. Naturally, there may not be sufficient time to test all high-priority patches, such as those for a zero-day vulnerability. In that case, IT teams will accept the risk of installing an untested patch as the price of constant vigilance.
6. Automate your patching
It’s not easy to dive straight into automated patch management until you’ve figured out what and how to automate. Once that becomes clear, most IT teams face a few common issues, such as connecting to all their systems reliably, gathering information from them and reducing reliance on human intervention. That has led to an evolution from traditional to modern, policy-driven automation, as shown below.
Detection, as performed by modern systems management appliances, is ongoing and automatic. The appliances continually monitor patch releases. They determine whether a given device needs a patch, then they install it, verify that it was successful and update the inventory. The result is a more agile and flexible model of patch management that relies less on human intervention and does not depend on keeping to a schedule.
7. Observe the user dimension of patching
One of the main obstacles IT faces in patch management is negotiating the user factor. Some patches cause the device to restart or cause system performance to lag during installation. Users are justified in being annoyed by such interruptions and sometimes postpone or ignore reminders to update. By scheduling patch management outside of normal business hours, you can reduce friction from users and make the process transparent to them.
8. Collect and analyze data on patching
Patch management has the potential to be a data-driven IT function. By collecting, analyzing and documenting your effort, you can see how many devices you have touched and find patterns in any failed patch attempts. At a higher level, you can demonstrate metrics like overall effectiveness of patching, improvements attributable to automation and progress of IT initiatives.
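The steps above (inventory, scanning for missing patches, prioritizing by severity, phased rollout, and compliance reporting against a target such as 80 percent of devices within two weeks and the remainder within 30 days) come together in the following added example. It is not code from the original article or from any product; the device names, patch IDs, CVSS scores, dates and ring names are all constructed for illustration, and a real deployment would read this data from its endpoint management tool rather than from literals.

```python
# Added example (not from the original article): a small patch-compliance
# tracker that walks the patch management steps on a constructed inventory.
# Device names, patch IDs, scores, dates and the 80%/14-day and 100%/30-day
# targets are made up for illustration.
import math
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Vendor severity labels, most urgent first. Labels vary by vendor; map each
# vendor's vocabulary onto one internal scale before sorting.
SEVERITY_RANK = {"critical": 0, "important": 1, "recommended": 2, "optional": 3}

# Two reporting dates used below: day 14 and day 30 after P-001's release.
AS_OF_DAY_14 = date(2024, 3, 15)
AS_OF_DAY_30 = date(2024, 3, 31)


@dataclass(frozen=True)
class Patch:
    patch_id: str   # constructed vendor identifier, not a real CVE or KB number
    severity: str   # vendor label
    cvss: float     # CVSS base score, used to break ties within a severity
    released: date


@dataclass
class Device:
    name: str
    ring: str                   # "pilot", "early" or "broad"
    installed: Dict[str, date]  # patch_id -> date the install was confirmed


# Constructed sample inventory: four patches, ten devices. Two devices have
# never confirmed a single install, the pattern the reporting step should surface.
PATCHES = [
    Patch("P-001", "critical", 9.8, date(2024, 3, 1)),
    Patch("P-002", "important", 7.5, date(2024, 3, 1)),
    Patch("P-003", "important", 8.1, date(2024, 2, 15)),
    Patch("P-004", "optional", 3.1, date(2024, 3, 10)),
]

DEVICES = [
    Device("laptop-01", "pilot", {"P-001": date(2024, 3, 2), "P-002": date(2024, 3, 2), "P-003": date(2024, 2, 20)}),
    Device("laptop-02", "pilot", {"P-001": date(2024, 3, 2), "P-003": date(2024, 2, 20)}),
    Device("laptop-03", "early", {"P-001": date(2024, 3, 5), "P-003": date(2024, 2, 25)}),
    Device("laptop-04", "early", {"P-001": date(2024, 3, 5)}),
    Device("server-01", "broad", {"P-001": date(2024, 3, 10), "P-003": date(2024, 3, 1)}),
    Device("server-02", "broad", {"P-001": date(2024, 3, 12)}),
    Device("server-03", "broad", {"P-001": date(2024, 3, 12)}),
    Device("kiosk-01", "broad", {"P-001": date(2024, 3, 14)}),
    Device("kiosk-02", "broad", {}),
    Device("printer-01", "broad", {}),
]


def prioritize(patches: List[Patch]) -> List[Patch]:
    """Vendor severity first, then higher CVSS score, then the older release."""
    return sorted(patches, key=lambda p: (SEVERITY_RANK[p.severity], -p.cvss, p.released))


def missing_patches(device: Device, patches: List[Patch]) -> List[str]:
    """What one device still lacks, in the order it should receive it."""
    return [p.patch_id for p in prioritize(patches) if p.patch_id not in device.installed]


def rollout_waves(devices: List[Device], early_pct: int = 25) -> List[List[str]]:
    """Pilot ring first, then a fixed percentage of the rest, then everyone else."""
    pilot = [d.name for d in devices if d.ring == "pilot"]
    rest = [d.name for d in devices if d.ring != "pilot"]
    cut = math.ceil(len(rest) * early_pct / 100)
    return [pilot, rest[:cut], rest[cut:]]


def compliance(patch: Patch, devices: List[Device], as_of: date,
               first_days: int = 14, first_pct: int = 80, final_days: int = 30) -> dict:
    """Coverage of one patch against an 80%-in-14-days / 100%-in-30-days target."""
    patched = sum(1 for d in devices
                  if patch.patch_id in d.installed and d.installed[patch.patch_id] <= as_of)
    pct = round(100 * patched / len(devices), 1)
    age = (as_of - patch.released).days
    if age >= final_days:
        status = "compliant" if pct >= 100 else "breach"
    elif age >= first_days:
        status = "on track" if pct >= first_pct else "breach"
    else:
        status = "in progress"
    return {"patch": patch.patch_id, "age_days": age, "pct": pct, "status": status}


def stale_devices(devices: List[Device]) -> List[str]:
    """Devices that have never confirmed an install: off-network, or a broken agent."""
    return [d.name for d in devices if not d.installed]


if __name__ == "__main__":
    print("priority order:", [p.patch_id for p in prioritize(PATCHES)])
    print("waves:", rollout_waves(DEVICES))
    for p in PATCHES:
        print(compliance(p, DEVICES, AS_OF_DAY_14))
    print("P-001 at day 30:", compliance(PATCHES[0], DEVICES, AS_OF_DAY_30))
    print("never reported:", stale_devices(DEVICES))
```

Run as a script, it shows the critical patch meeting the 80 percent interim target on day 14 but breaching the 30-day target because two devices never reported back; those same two devices appear in the stale list, which is the kind of pattern the reporting step is meant to expose. The older "important" patch P-003 outranks the newer P-002 because the sort uses CVSS score and age, not just the vendor label.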