What is patch management? Benefits and best practices

Patching is necessary because it’s at the heart of endpoint security. In an era of incessant cyberattacks and a fast-changing array of threats, it takes constant vigilance just to stay in business. That’s why the companies that sell software applications and operating systems notify you of security patches and urge you to deploy them immediately against new threats.

Patch management belongs near the top of every IT department’s list of priorities, if for no other reason than to avoid the clean-up costs and fines that follow a breach. Not only does patching have financial ramifications, but it can also affect industry reputation and brand perception among your customers and prospects. Regulatory frameworks often require prompt deployment of patches, with the downside of sanctions, fines and even closure for companies that get caught dragging their feet.

Because patching is important and does not happen on its own, it behooves your IT team to put in place a formal patching process. But every organization must overcome a certain inertia to initiate that process. Circumstances like lack of staff bandwidth and poor awareness can get in the way of applying even the most critical patches.

But for most enterprises the biggest obstacle to implementing patch management is the prevalence of remote users and work-from-home employees. Since enterprise computers, tablets and smartphones are rarely on corporate premises, it’s more difficult for IT staff to bring them up to date with the latest security patches. Endpoint management solutions designed for device and systems management play an important role in keeping IT assets patched wherever in the world they may be located.

With a well-implemented patch management process, you can assure executive management that your software is up to date, with all associated benefits:

• Your co-workers have access to the latest functions and features in your network appliances, software applications and operating systems.
• You ensure that your devices run smoothly and efficiently, as the manufacturers intend.
• You boost your security profile by pre-emptively sealing off vulnerabilities and preventing attackers from exploiting them. By narrowing your attack surface, you reduce your exposure.

Companies that implement patch management also enjoy broader, less evident benefits, including more system uptime. Unpatched software is always at risk should an outage or disaster arise. You preserve uptime when you keep your systems patched, enabling business continuity for your company and remaining an active player in your marketplace.

Furthermore, you ensure that your IT assets comply with your industry’s standards and regulations, which often extend to patching your systems diligently. Some extrinsic requirements call for you to deploy updates to, say, 80 percent of devices within the first two weeks of patch issuance, and to the remainder within 30 days. Your company may impose its own intrinsic requirement that is even more strict than that.

If your patching needs are greater than your IT staffing resources, then you’ll make decisions based on the priority (or severity) you assign to each update. Most vendors make that easy by ranking patches as important, recommended or optional, or with similar nomenclature.

• Important patches address newly discovered security gaps, including the vulnerabilities that attackers seek and are quick to exploit. These are high-priority patches you should waste no time in deploying throughout your organization.
• Recommended patches are the vendor’s response to software errors and bugs that arise after launch. They usually come about as engineers improve and add functions to other areas of the product. They address problems like inconsistent operation and erratic behavior, which hamper productivity but do not pose security risks.
• Optional patches contain updates to features and low-priority bugs. They are not necessarily intended to plug vulnerabilities and gaps in security, but they include the kinds of subtle improvements you want your users to enjoy.

More broadly, the types of patches depend on how you roll updates out to your systems and user devices.

• Manual patching, as the term suggests, places on your IT team the burden of obtaining, scheduling and deploying patches. It’s true that nobody in the company is better suited to that task than IT; it’s also true that nobody in IT likes handling it manually. It involves the work of continually tracking incoming updates, queuing them up for deployment and ensuring that devices are successfully updated. It brings the risk of missing a patch, which can lead to software version drift and increased vulnerability. A small IT staff can easily become overwhelmed and fall behind, jeopardizing network security.
• Automated patching is the logical segue to manual patching. With automated patch management solutions, your IT team can deploy patches through software, either at the push of a button, or on a larger scale with no- touch scheduling. You can overcome geographic obstacles by enabling updates wherever your target systems may be located. Automated solutions take care of scanning devices manually to figure out which patches are missing. They find the update packages on the sites of hundreds of different software vendors. They eliminate doubt about whether a given patching operation was successful and maintain a full inventory of the software titles and versions installed on devices across the enterprise.

Note that there is a difference between traditional and modern patching.

Traditional patching, like traditional endpoint management, runs in on-premises endpoints: computers, servers and IoT devices such as printers, projectors and SNMP-enabled devices. It is associated with deep, granular processes and benefits like discovery, scripting, software installation, software asset management and vulnerability scanning.

Modern patching runs in the cloud. It is based on modern device management: the practice of combining cloud-based enrollment, management and security features to accomplish systems management goals. The main benefit of modern patching is that it allows users to be secure and productive on any device, regardless of location.

Smart IT teams know that patching is an integral part of the IT landscape. Instead of thinking of it as an episodic endeavor, they approach patch management in the context of a lifecycle.

As soon as a patch is issued, the cycle of testing and deploying begins. Although established IT teams may prefer to roll out patches (at least low-priority patches) on a regular schedule, they should be flexible enough to accommodate high-priority patches anytime.

But the facts of business life can weigh on the patch management lifecycle. Besides unexpected, disruptive patches for high-profile vulnerabilities and exploits, another factor is the service-level agreement that IT has put in place with the business. Push comes to shove when an SLA comes into conflict with the deployment of a high-priority patch, and the lifecycle should be flexible enough to allow for that.

Patch management and vulnerability management overlap each other. The intent of both is to plug holes and gaps before attackers can find them and wreak havoc. But they differ in that it’s not possible to address every vulnerability with a patch.

For example, careless users who write down passwords and affix them to their monitor are a huge vulnerability, but no patch is a remedy for that. Similarly, think of a service like a printer driver or communication protocol that is always enabled by design. But then, word gets out that the service is vulnerable, and threat actors pounce on it as an avenue of attack. If the vendor decides not to issue a patch, then you’ll have to decide whether to keep the service running on your systems or disable it. That is vulnerability management, but it is not patch management.

Other examples include the lists such as those published by the National Institute of Standards and Technology (NIST) that recommend settings for secure devices.

So, where it is possible to address the vulnerability with a patch, vulnerability management and patch management are in sync. The rest of vulnerability management is having a deep, reliable, continually updated picture of your device landscape and using it to reduce your attack surface.

By approaching patch management methodically, you can put in place everything needed to reach all devices and keep them updated.

1. Find and make an inventory of your systems and devices

With the goal of leaving no system unpatched, start by discovering all devices on your network. Naturally, the more you can automate that process, the better, because automation reduces the risk of an unpatched computer becoming a point of vulnerability. The resulting inventory, an integral part of systems management, is a map of your entire IT landscape.

2. Scan continually for vulnerable, unpatched devices

How many of your devices are and are not patched? By regularly scanning your network, you can figure out where to focus your attention and find any patterns that point to poor coverage. Scanning is an ongoing part of patching, and automating the task is the key to reducing wasted effort. Most systems management appliances use an on-device agent that watches out for known exploits and hazards.

3. Set priorities and apply patches in phases

Some patches are more urgent than others. Software and operating system vendors know that and categorize their patches by severity when they issue them. That helps reduce the pressure on your system administrators when they face a sudden salvo of updates from multiple vendors and channels. They can turn to sources like the Common Vulnerabilities and Exposure (CVE) data generated when a vulnerability is reported; such ranking systems help admins decide which patches are urgent and which ones can wait.

4. Roll out patches in phases

Some patches break things. To avoid the unexpected consequences of diving headlong into rollout, first take a close look at the vendor’s release notes for known issues. Then, use high-level policies to stay in control of which groups of users will receive the patches first; that makes it easier to communicate with them and accommodate their schedules. In a phased approach, you can deploy by numbers – for example, x percent of all devices. You can also fine-tune your phased approach by deploying first to certain user profiles or system configurations, then watching for any unintended changes in system behavior.

5. Perform testing on patches

Whenever time and resources permit, it’s advisable to first patch the systems of a small population of trusted users, whether on the IT team or among volunteers. When a well-prepared set of users gets the patch first, they are equipped to communicate any bugs or anomalies to IT. That reduces the support burden on the help desk. Naturally, there may not be sufficient time to test all high-priority patches, such as those for a zero-day vulnerability. In that case, IT teams will accept the risk of installing an untested patch as the price of constant vigilance.

6. Automate your patching

It’s not easy to dive straight into automated patch management until you’ve figured out what and how to automate. Once that becomes clear, most IT teams face a few common issues, such as connecting to all their systems reliably, gathering information from them and reducing reliance on human intervention. That has led to an evolution from traditional to modern, policy-driven automation, as shown below.

Detection, as performed by modern systems management appliances, is ongoing and automatic. The appliances continually monitor patch releases. They determine whether a given device needs a patch, then they install it, verify that it was successful and update the inventory. The result is a more agile and flexible model of patch management that relies less on human intervention and does not depend on keeping to a schedule.

7. Observe the user dimension of patching

One of the main obstacles IT faces in patch management is negotiating the user factor. Some patches cause the device to restart or cause system performance to lag during installation. Users are justified in being annoyed by such interruptions and sometimes postpone or ignore reminders to update. By scheduling patch management outside of normal business hours, you can reduce friction from users and make the process transparent to them.

8. Collect and analyze data on patching

Patch management has the potential to be a data-driven IT function. By collecting, analyzing and documenting your effort, you can see how many devices you have touched and find patterns in any failed patch attempts. At a higher level, you can demonstrate metrics like overall effectiveness of patching, improvements attributable to automation and progress of IT initiatives.