Gregg Lalle at ConnectWise explains the four key steps needed to implement cyber-secure patch management.
According to recent research analysing National Institute of Standards and Technology (NIST) data on common vulnerabilities and exposures (CVEs), security teams are currently having to battle hard to keep their heads above water. According to the report, over 18,000 flaws were discovered in 2020 – more than in any other year to date. Worryingly, the NIST data also show that these figures include a record breaking number of high and critical severity vulnerabilities. Plus there was a significant jump in the number of CVEs reported that required no user interaction or limited technical skills to exploit.
These findings all serve to reinforce the importance of patch management, which represents one of the biggest challenges and concerns for IT service providers and their clients. As more vulnerabilities are discovered, patch management begins to feel like a full time job, especially in larger environments.
The key to keeping on top of this mammoth task is to develop a robust patch management strategy, and there are four key areas that IT service providers and security teams will need to consider to ensure their approach is both comprehensive and effective.
1 Develop a policy
Good processes and policies are essential for success, so developing a documented patching policy that enables all relevant personnel to clearly understand the who, what, when, why and how of the patching strategy is essential. In other words, this policy will help ensure everyone responds appropriately and in concert whenever a critical vulnerability in a client’s software is identified.
By planning in advance and coming up with a policy around the entire patching practice, your organisation will be able to shift from reactive to proactive mode. Simply by anticipating problems in advance, and developing policies on how to handle these, you’ll ensure your organisation always remains in the driving seat.
2 Create a process for patch management
Having defined an overall patch management policy, the next task is to create a process for handling each patch as it is released. The creation of a formal and repeatable change control process for patch deployment is essential for minimising the risk of a potential service loss or reduction for clients.
Since the patch management policy represents an explicit element of your security policy, you should consider Microsoft’s six step process when tailoring your own approach.
Step 1: Notification – how alerts about new patches are received depends on which tools your organisation uses to keep systems patched and up-to-date.
Step 2: Assessment – decisions about how quickly vulnerabilities need to be patched to prevent an exploit will be dependent on both the patch rating and the configuration of systems.
Step 3: Obtainment – how patches are received again depends on which tools are being used to maintain systems. Patches will be deployed either manually or automatically, based on which policy has been selected.
Step 4: Testing – prior to deployment, patches will need to be assessed on a testbed network that simulates the production network. Since Microsoft cannot test for every potential environment, it is essential to first check to ensure that all your client networks will be able to properly run the patch.
Step 5: Deployment – following a thorough testing procedure, deployment should be undertaken in a phased process. Rather than applying the patch to all systems simultaneously, incrementally apply patches and check the production server to ensure that all applications still function properly.
Step 6: Validation – while often overlooked, validating the patch has been applied is a necessary final step that ensures you are able to report the status to each client and ensure that all agreed service levels are met.
3 Adhere to best practices
For patch management policies and processes to be effective, they must be applied consistently. With new vulnerabilities and patches appearing daily, you will need to be highly vigilant to ensure you keep up with all the changes.
Utilising repeatable and automated practices will help bolster the efficacy of the entire patch management strategy. These practices should include undertaking a regular rediscovery of systems that may potentially be affected, scanning these systems for vulnerabilities, downloading patches and patch definition databases, and deploying patches to the systems that need them.
Working in partnership with a Network Operations Centre (NOC) that can undertake the whole patch management process on your behalf represents a highly effective way of optimising productivity for your business, while ensuring clients always receive an efficient and comprehensive patching service.
4 Take advantage of patching resources
Since the release of Windows 10, updates to the operating system are now released on an ‘as needed’ basis. So teams will need to be alerted the moment an update is released to ensure the patch can be tested and deployed as soon as possible.
To augment your patch management process and keep abreast of updates that fall outside the scope of Microsoft updates, there are a number of resources that will help keep you ahead of the game. These include SearchSecurity Patch News, Oracle’s Critical Patch Updates and Security Alerts, and Patch My PC.
Patch management represents a fundamental service in most managed service provider (MSP) plans. Documenting the policies and processes involved and incorporating these into standard operating procedures will ensure that your entire patch management strategy is highly effective, that no functional or non-functional requirements are overlooked, and that clients never experience an outage resulting from an unpatched vulnerability – or a patch rollout gone wrong.
Gregg Lalle is SVP International Sales and Strategy at ConnectWise.
Main image courtesy of iStockPhoto.com