Did you ever see the unfortunate TV weather lady who was interrupted by the Microsoft Windows 10 upgrade notification?
It was one of those situations that’s funny but also serious at the same time.
It’s a great reminder that, while many of us IT service management (ITSM) and IT support pros are way too busy fixing “broken” things, the existing IT infrastructure also needs to be maintained and improved. These are potentially recurring tasks, and they become particularly relevant when you consider the risks associated with unpatched machines.
The need to patch software is nothing new, whether it be to apply bug fixes, security updates, or even to deliver new functionality. But these days there’s no escaping the growing focus on security and the threat of vulnerability-based breaches, raising the importance of patching from a “good to do” to a regular must-do task for all organizations.
Many successful attacks exploit well-known vulnerabilities, for which patches already exist. So such breaches can be prevented through the effective patch management of your IT infrastructure. But it’s also vital to remember that the scope of patching now goes beyond the data center and employee desktop to include cloud services and mobile and IoT devices.
Done manually, patch management isn’t an easy task. Depending on the size and complexity of your IT infrastructure, there are potentially hundreds of applicable patches released every month. Thus an ad hoc approach to patching will most likely never work, or at least never work as well as you need it to.
Instead, it’s important to take a more educated approach to patching and to leverage automation, rather than relying on manual effort, wherever possible. Consider these five questions:
They are the basis of taking a more formal, five-step approach to patch management.
This is knowing what’s in your IT infrastructure and on your network (as not all IoT devices will be considered IT assets) – whether through configuration management or asset management – and having access to a reliable source, or sources, of security issue and patch release information.
You can then see all of the available patches pertinent to your organization, but that doesn’t necessarily mean all of them will need to be applied ASAP.
Sadly, patch management often isn’t as easy as just installing every available patch as it becomes available. Most organizations will take a risk-based approach. Firstly, not all patches are born equal, i.e. some are more important than others. Secondly, there might be dependencies between patches that a patch-management tool will need to understand and take care of through the order of its installations. Thirdly, patch testing might be required depending on the criticality of the system affected (and its data) and the overall complexity of the IT environment. It’s no different from the standard approaches to change and release that are designed to protect ongoing business operations.
This is having a formal approach to patch prioritization and scheduling (rather than having a first come, first applied policy). Again it’s similar to the standard approaches to change and release. You’ll need a patching policy and plan that has a minimum of two elements:
Industry alerts and vendor guidance should also be used in determining the criticality of patches and thus the required speed of application.
With SysAid, you can easily create automated policies for various groups of assets and for various types of patches. For example, a policy to automatically patch all desktops with critical security patches, as opposed to servers where you may wish to follow an emergency change process for critical security patches.
Very few organizations can afford to rely on manual processes and procedures, fulfilled by hordes of people, these days. Budgets and headcounts are tight, and thus an automated approach to patch management is in the best interest of the business, not only from a cost perspective but also from a governance point of view, as busy people don’t always get around to doing everything they need to do when they need to do it. Thankfully, automation never sleeps.
It’s all well and good ticking off the first four steps above, but your patching process needs a feedback loop. So ensure that there is also the ability to check, or audit, how well things are working, i.e. that everything that should be patched has been patched. For example, you might want to automatically open an incident for the assets that have had one or more failed patches of certain types.
There’s also most likely a corporate compliance need to track who did what and when: the proverbial audit trail. Then, depending on your approach to ITSM, you might also want to take a continual service improvement (CSI) approach to patch management as you would with any other ITSM process.
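The risk-based prioritization and dependency handling described above, the per-group policies (automatic patching for desktops, an emergency change for critical server patches), and the audit feedback loop that opens incidents for failed patches can be sketched in a few dozen lines. The following is an added illustration, not code from the original post and not SysAid’s product or API; the patch identifiers, severities, policies and deployment log are constructed sample data, and the planner logic (a dependency-ordered install plan in which a low-severity prerequisite inherits the urgency of the critical patch that needs it) is a hypothetical design rather than any vendor’s algorithm.

```python
"""Hypothetical patch planner: risk-based prioritisation, dependency ordering,
per-group policies and a failed-patch audit. Constructed example; not SysAid code."""
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MODERATE = 2
    IMPORTANT = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: Severity
    security: bool            # security fix, as opposed to a feature or bug fix
    depends_on: tuple = ()    # patch_ids that must be installed first


@dataclass(frozen=True)
class Policy:
    """At or above auto_min a patch installs automatically; at or above
    emergency_min (if set) it goes through an emergency change instead."""
    group: str
    auto_min: Severity
    emergency_min: Severity | None = None


def plan_for_asset(missing, catalog, policy):
    """Return [(patch_id, action)] for one asset in a safe install order.
    A dependency outside `missing` is assumed to be installed already.
    Raises ValueError on a dependency cycle: the tool must not guess here."""
    by_id = {pid: catalog[pid] for pid in missing}
    dependants = {pid: [] for pid in by_id}
    indegree = {pid: 0 for pid in by_id}
    for p in by_id.values():
        for dep in p.depends_on:
            if dep in by_id:
                dependants[dep].append(p.patch_id)
                indegree[p.patch_id] += 1

    # A low-severity prerequisite inherits the urgency of whatever waits on it;
    # otherwise a merely "scheduled" dependency would silently hold back a critical fix.
    def effective(pid, seen=()):
        if pid in seen:
            raise ValueError(f"dependency cycle through {pid}")
        own = by_id[pid].severity
        return max([own] + [effective(d, seen + (pid,)) for d in dependants[pid]])

    urgency = {pid: effective(pid) for pid in by_id}

    # Kahn's algorithm: among the patches whose prerequisites are satisfied,
    # the most urgent security fix goes first.
    ordered, ready = [], [pid for pid, d in indegree.items() if d == 0]
    while ready:
        ready.sort(key=lambda pid: (urgency[pid], by_id[pid].security), reverse=True)
        pid = ready.pop(0)
        ordered.append(pid)
        for child in dependants[pid]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    plan = []
    for pid in ordered:
        sev = urgency[pid]
        if policy.emergency_min is not None and sev >= policy.emergency_min:
            action = "emergency-change"
        elif sev >= policy.auto_min:
            action = "auto"
        else:
            action = "scheduled"
        plan.append((pid, action))
    return plan


def audit(deploy_log, catalog, min_failures=1):
    """Feedback loop: one incident per asset with >= min_failures failed
    security patches. deploy_log rows are (asset, patch_id, status)."""
    failed = {}
    for asset, pid, status in deploy_log:
        if status == "failed" and catalog[pid].security:
            failed.setdefault(asset, []).append(pid)
    incidents = []
    for asset, pids in sorted(failed.items()):
        if len(pids) < min_failures:
            continue
        worst = max(catalog[p].severity for p in pids)
        incidents.append({"asset": asset, "failed": sorted(pids),
                          "priority": "high" if worst == Severity.CRITICAL else "medium"})
    return incidents


# Constructed sample catalogue, policies and deployment log (not real KB numbers).
CATALOG = {p.patch_id: p for p in (
    Patch("KB-0001", Severity.CRITICAL, True),
    Patch("KB-0002", Severity.IMPORTANT, True, depends_on=("KB-0001",)),
    Patch("KB-0003", Severity.LOW, False),
    Patch("KB-0004", Severity.CRITICAL, True, depends_on=("KB-0005",)),
    Patch("KB-0005", Severity.MODERATE, False),   # servicing-stack style prerequisite
)}
DESKTOP = Policy("desktop", auto_min=Severity.MODERATE)
SERVER = Policy("server", auto_min=Severity.IMPORTANT, emergency_min=Severity.CRITICAL)
MISSING = ["KB-0003", "KB-0002", "KB-0001", "KB-0004", "KB-0005"]
DEPLOY_LOG = [
    ("srv-db-01", "KB-0001", "failed"),
    ("srv-db-01", "KB-0002", "failed"),
    ("ws-0042", "KB-0003", "failed"),      # non-security failure: no incident
    ("ws-0043", "KB-0002", "installed"),
]

if __name__ == "__main__":
    for pol in (DESKTOP, SERVER):
        print(pol.group, plan_for_asset(MISSING, CATALOG, pol))
    print(audit(DEPLOY_LOG, CATALOG))
```

Running it shows the point of the dependency handling: on the server policy KB-0005 is only "moderate" on its own, but because the critical KB-0004 cannot install without it, the planner raises it to an emergency change alongside KB-0001 and KB-0004, while the desktop policy lets all four security-relevant patches install automatically and leaves only the low-severity KB-0003 for the regular window. The audit opens a single high-priority incident for the server with two failed security patches and ignores the failed non-security patch on the workstation.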
So patch management doesn’t have to be complicated. Take a logical and organized approach, and let automation do as much of the heavy lifting as possible.
Watch this video below to see how you can use SysAid Patch Management to simplify your task of ensuring that all workstations and servers stay up-to-date with the latest product patches.