What is Patch Management?
In a very broad sense, patch management is exactly what it sounds like: a method of patching up problems in computer operating systems. The term gets its name from way back in the early days of computer programming, well before we had advanced operating systems like Windows and OSX.
Up until the mid-70s, programmers would manually punch cards containing data and operating directions and feed them into digital computers. As expected, these punch cards didn’t always function perfectly (they were punched by hand, after all), and issues sometimes arose. Luckily, the programmers figured out a quick fix; they would physically patch the holes that were causing the glitches, usually with something as simple as a piece of tape. Voilà, good as new.
Today, patch management takes a lot more than a strip of tape. The developers of modern operating systems, often working in collaboration with security researchers, are constantly searching for programming errors and resolving them as they find them, usually by way of a software update. In addition to making sure that computer systems are operating correctly, patch management systems are also a critical layer of cybersecurity — they monitor the health status of your devices and detect unpatched areas that might be vulnerable to security breaches.
Why is patch management important?
Patch management is important because it’s the safest and simplest way to shield yourself from a cyberattack. Without patch management, you risk leaving your company’s data, assets and networks vulnerable to attackers, which could cost you tremendously.
Here are a few reasons why staying on top of patch management is critical:
- Protects you from cyberattacks: Patch management systems often spot vulnerabilities before hackers do, applying a security patch before it’s too late.
- Safeguards your data: From personal login information to valuable customer data, there are treasure troves of information stored on your networks that are highly attractive to hackers.
- Shields everyone in your network: A worm can move its way through a network quickly, which can be a catastrophe if your company has numerous devices connected on the same network. Patch management is one of the few preventative measures that exist in cybersecurity for this and other problems.
Good patch management doesn’t guarantee perfect security. However, good patch management makes it much more difficult for an attacker to gain an initial foothold in a corporate network. It also limits the attacker’s options if they still manage to get in through other means, such as social engineering. When a system has good patch management, security incidents are rare and relatively low in severity. Good patch management deters hackers the same way good locks and good lighting deter would-be burglars. If you’re better than average at patch management, the hackers will probably find someone worse than average to attack instead.
How often should you perform patch management?
Individuals should perform patch management by updating their personal phones, tablets and computers when notified to do so. For companies, patch management is nearly impossible to stay on top of alone, since there are numerous devices, systems and networks to monitor. Effective patch management in corporate environments requires one or more centralized patch management tools to be successful, and ideally, those deployments should be scheduled and have change controls associated with them.
It is not uncommon for a company to have contractual requirements around patch management, requiring patches that meet certain thresholds to be deployed within an agreed-upon timeframe. These contractual requirements can be a good starting point for establishing a company-wide patch management policy, if one does not exist already.
Ideally, determining the timeframe would be a collaboration between IT operations and IT security. IT security weighs in on the risk and any contractual or regulatory requirements that may apply, while IT operations weighs in on the level of effort required to meet any proposed objective. A policy only works if IT operations is able to carry it out. When requirements are too difficult to meet and/or the tools are inadequate, you run the risk of losing people, or not meeting the requirement.
As part of our Vulnerability Management services at Deepwatch, we work with you to identify your organization’s assets, threats and vulnerabilities and provide patch remediation and strategy tailored to your organization’s needs. Vulnerability management is the flip side to patch management: a second system that scans your network to ensure your patch management system’s deployments were successful and provides a thorough, vendor-neutral second opinion. These tools tend to scan more aggressively than your patch management system does. Deepwatch has expertise in resolving the conflict when the two systems disagree.
Tips for performing patch management:
1. Regularly deploy updates in compliance with your corporate policy on remediation. Don’t fall into the habit of dismissing software updates (i.e., repeatedly clicking “remind me tomorrow”), because every moment you spend on software that isn’t updated is a moment that you’re leaving yourself vulnerable to hackers.
2. Develop a risk scoring framework: The most common approach is using the industry standard Common Vulnerability Scoring System, or CVSS v3, to develop a remediation policy. Unfortunately, vulnerabilities are not distributed in anything resembling a bell curve, and tend to cluster at the high end of the scale. It is not uncommon to find yourself in a situation where hundreds of thousands of vulnerabilities meet your threshold, and you have inadequate resources to address them all, or even know where to begin.
A more sustainable approach is to factor threat intelligence into the policy, in conjunction with or even in place of CVSS, to prioritize vulnerabilities that security vendors are observing in active breaches. This is always a much smaller, more manageable number of patches to deal with. Several vendors have offerings in this space and Deepwatch has experience with deploying and developing policies around their capabilities.
3. Follow up on updates that failed to deploy (don’t YOLO it). An update is no good at protecting your digital assets if it doesn’t deploy properly. If an update fails to deploy, seek ways to troubleshoot it immediately. It’s not worth the risk to wait. Some Deepwatch customers have been very successful by breaking patching into two phases: a caveman phase, which is concerned with deploying updates to as many systems as quickly as possible with as little effort as possible, and a brain surgeon phase, which is concerned with fixing the critical updates that failed to deploy.
Junior-level system administrators can get a lot of work done very quickly with the caveman approach. Have a more senior system administrator give the critical patches the brain surgeon treatment when they fail to deploy. Like running a marathon, use the good-enough effort for as much of the work as possible, so you have some stamina remaining for the work that requires maximum effort.
4. Participate in the process to test updates prior to deployment. If you’re able to test updates ahead of time, that can be a great way to assess whether the update appropriately patches the vulnerable spots in your network. Ideally, deploy updates to a test environment first, then deploy to production once you are confident the patch has no ill effects.
5. Participate in the risk acceptance process when you cannot patch. No matter how secure your networks are, there will always be vulnerabilities that can’t be patched. At Deepwatch, we’ll help you prioritize your vulnerabilities and patch remediation efforts based on the specific risks your company faces. Sometimes vendor requirements prevent you from deploying a patch in a timely fashion.
A good risk acceptance identifies these dependencies and provides a timeline and a plan of action for deploying those patches once possible. If the system in question is critical enough to the business, it may justify standing up a project to address it.
6. Have a good coach. Patch management and vulnerability management work best when they have a collaborative player/coach relationship, rather than the much more common adversarial relationship. When it works well, vulnerability management helps patch management teams to identify holes in their game, and provides solutions to common problems, so each team doesn’t have to find every solution on their own every time.
Deepwatch vulnerability management engineers work with your patch management security teams to ensure all parties know what your security metrics mean and what actions you need to take to make your metrics better next month, and the month after that. A mature vulnerability management program can tell you what 5-10 missing patches have the greatest impact on your security posture and deserve your time and attention.
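The prioritization described in tip 2, together with the "5-10 missing patches" ranking mentioned above, can be sketched as follows. This is an added example, not Deepwatch code: the hosts, patch IDs, CVE placeholders, scores, threat-intelligence set and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed scan findings: (host, missing patch, CVE placeholder, CVSS v3 base score).
FINDINGS = [
    ("web01", "PATCH-A", "CVE-EXAMPLE-0001", 9.8),
    ("web02", "PATCH-A", "CVE-EXAMPLE-0001", 9.8),
    ("web01", "PATCH-B", "CVE-EXAMPLE-0002", 7.5),
    ("db01",  "PATCH-B", "CVE-EXAMPLE-0002", 7.5),
    ("app01", "PATCH-B", "CVE-EXAMPLE-0002", 7.5),
    ("db01",  "PATCH-C", "CVE-EXAMPLE-0003", 8.8),
    ("app01", "PATCH-D", "CVE-EXAMPLE-0004", 6.5),
    ("hr01",  "PATCH-E", "CVE-EXAMPLE-0005", 9.1),
]

# Constructed threat-intel feed: vulnerabilities observed in active breaches.
ACTIVELY_EXPLOITED = {"CVE-EXAMPLE-0002", "CVE-EXAMPLE-0004"}


def cvss_worklist(findings, threshold=7.0):
    """CVSS-only policy: everything at or above the threshold is in scope."""
    return [f for f in findings if f[3] >= threshold]


def intel_worklist(findings, exploited, threshold=None):
    """Threat-intel policy: in place of CVSS (threshold=None) or combined with it."""
    return [f for f in findings
            if f[2] in exploited and (threshold is None or f[3] >= threshold)]


def top_missing_patches(findings, exploited, limit=5):
    """Rank patches by hosts exposed to an actively exploited flaw, then by worst score."""
    hosts, worst = defaultdict(set), defaultdict(float)
    for host, patch, cve, score in findings:
        if cve in exploited:
            hosts[patch].add(host)
            worst[patch] = max(worst[patch], score)
    ranked = sorted(hosts, key=lambda p: (-len(hosts[p]), -worst[p], p))
    return [(p, len(hosts[p]), worst[p]) for p in ranked[:limit]]


if __name__ == "__main__":
    print("CVSS >= 7.0 only:  ", len(cvss_worklist(FINDINGS)), "findings")
    print("Threat intel only: ", len(intel_worklist(FINDINGS, ACTIVELY_EXPLOITED)))
    print("Intel and CVSS:    ", len(intel_worklist(FINDINGS, ACTIVELY_EXPLOITED, 7.0)))
    for patch, count, score in top_missing_patches(FINDINGS, ACTIVELY_EXPLOITED):
        print(f"{patch}: {count} host(s), worst CVSS {score}")
```

On this sample the CVSS threshold alone leaves seven of eight findings in scope, while the threat-intelligence filter narrows the worklist to four and also surfaces the 6.5-scored finding that the threshold would have skipped.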
Feel secure with Deepwatch
Improving your armor with continuous patch management can improve that. At Deepwatch, our goal is to provide you with the people, processes and technologies to fit your unique cybersecurity needs and requirements. Our Vulnerability Management services allow us to discover the threats and vulnerabilities relevant to your organization and collaborate with you to protect your critical assets.