
5 Steps to Better Patch Management and a Securer Business

Oded Moshe


The COVID-19 crisis has hit organizations of all sizes, all around the world, hard. Many of the challenges and issues that it brings are very visible – from the need to change ways of working (in order to comply with stay-at-home mandates) to finding new ways to interact with customers who have also adapted to social distancing and isolation. However, there’s one COVID-19 challenge that’s less visible – that of increased cybersecurity threats as criminals attempt to take advantage of organizations under pressure from the impact of the crisis. As a result, IT security is more important than ever, and patch management has an important role to play in it.

Did you ever see the unfortunate TV weather lady who was interrupted by the Microsoft Windows 10 upgrade notification?

Windows 10 upgrade interrupts weather report

It was one of those situations that’s funny but also serious at the same time.

It’s a great reminder that, while many of us IT service management (ITSM) and IT support pros are way too busy fixing “broken” things, the existing IT infrastructure also needs to be maintained and improved. These are potentially recurring tasks, and they’re particularly relevant when you consider the risks associated with unpatched machines.


Security now perches atop the patching tree

The need to patch software is nothing new, whether it be to apply bug fixes, security updates, or even to deliver new functionality. But these days there’s no escaping the growing focus on security and the threat of vulnerability-based breaches, raising the importance of patching from a “good to do” to a regular must-do task for all organizations.

Many successful attacks exploit well-known vulnerabilities, for which patches already exist. So, such breaches can be prevented through the effective patch management of your IT infrastructure. But it’s also vital to remember that the scope of patching now goes beyond the data center and employee desktop to include cloud services and mobile and IoT devices.


So, patching is important but where do you start?

Done manually, patch management isn’t an easy task. Depending on the size and complexity of your IT infrastructure, there are potentially hundreds of applicable patches released every month. Hence an ad hoc approach to patching will most likely never work, or at least never work as well as you need it to.

Instead, it’s important to take a more educated approach to patching and to leverage automation, rather than relying on manual effort, wherever possible. Consider these five questions:

  1. Which elements of your IT infrastructure require patches?
  2. Which patches do you need to install, and which can you ignore?
  3. In which order do patches need to be installed?
  4. What is the best, and hopefully easiest, way to install them?
  5. How well is your patch management process working?

These questions are the basis of taking a more formal, five-step approach to patch management.


1. Which elements of your IT infrastructure require patches?

This means knowing what’s in your IT infrastructure and on your network (as not all IoT devices will be considered IT assets) – whether through configuration management or asset management – and having access to a reliable source, or sources, of security issue and patch release information.

You can then see all of the available patches pertinent to your organization, but it doesn’t necessarily mean that all of them will need to be applied ASAP.

2. Which patches do you need to install, and which can you ignore?

Sadly, patch management often isn’t as easy as just installing every available patch as it becomes available. Most organizations will take a risk-based approach. First, not all patches are born equal, i.e. some are more important than others. Second, there might be dependencies between patches that a patch-management tool will need to understand and take care of through the order of its installations.

Then, finally, patch testing might be required – dependent on the criticality of the system affected (and its data) and the overall complexity of the IT environment. It’s no different to your organization’s standard approaches to change enablement and release and deployment management that are designed to protect ongoing business operations.

3. In which order do patches need to be installed?

This is the need for a formal approach to patch prioritization and scheduling (rather than having a first-come, first-applied policy). Again, it’s similar to the standard approaches to change and release. You’ll need a patching policy and plan that has a minimum of two elements:

  • A patch cycle for regular patches and updates
  • A plan for dealing with critical, often security-related, patches

Industry alerts and vendor guidance should also be used in determining the criticality of patches and hence the required speed of application.

With SysAid, you can easily create automated policies for various groups of assets and various types of patches. For example, a policy to automatically patch all desktops with critical security patches, as opposed to servers where you may wish to follow an emergency change process for critical security patches.

4. What is the best, and hopefully easiest, way to install them?

Very few organizations these days can afford to rely on manual patch management processes and procedures fulfilled by an army of people. Budgets and headcounts are tight, and hence an automated approach to patch management is in the best interest of the business. This is true not only from a cost perspective but also from a governance point of view – as busy people don’t always get around to doing everything they need to do when they need to do it. Thankfully, automation never sleeps.

5. How well is your patch management process working?

It’s all well and good ticking off the first four steps above, but your patch management process needs a feedback loop. So, ensure that there’s also the ability to check, or audit, how well things are working, i.e. that everything that should be patched has been patched. For example, you might want to automatically open an incident for the assets that have had one or multiple failed patches of certain types.

There’s also likely to be a corporate compliance need to track who did what and when – the proverbial audit trail. Then, depending on your approach to ITSM, you might also want to take a continual service improvement (CSI) (or continual improvement if you have transitioned to ITIL 4) approach to patch management as you would any other ITSM process or practice.
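
The following Python example is added here to illustrate steps 2, 3 and 5; it is not SysAid's code or part of the original article. It orders patches so that prerequisites install first and the most severe go earliest, routes critical patches according to the desktop/server policy described in step 3, and lists assets with failed installs so an incident can be opened for each. The patch IDs, asset names, severity labels and track names are constructed assumptions.

```python
import heapq
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed sample data: patch IDs and severities are hypothetical.
RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}
PATCHES = {
    "P-100": {"severity": "low", "requires": []},
    "P-101": {"severity": "critical", "requires": ["P-100"]},
    "P-102": {"severity": "moderate", "requires": []},
    "P-103": {"severity": "critical", "requires": []},
}

def urgency(patches):
    """A prerequisite inherits the rank of the most severe patch that needs it."""
    rank = {p: RANK[m["severity"]] for p, m in patches.items()}
    changed = True
    while changed:
        changed = False
        for p, meta in patches.items():
            for dep in meta["requires"]:
                if rank[dep] > rank[p]:
                    rank[dep], changed = rank[p], True
    return rank

def install_order(patches):
    """Prerequisites first; among installable patches, most urgent first."""
    rank = urgency(patches)
    ts = TopologicalSorter({p: m["requires"] for p, m in patches.items()})
    ts.prepare()  # raises graphlib.CycleError on circular dependencies
    ready, order = [], []
    while ts.is_active():
        for p in ts.get_ready():
            heapq.heappush(ready, (rank[p], p))
        _, nxt = heapq.heappop(ready)
        order.append(nxt)
        ts.done(nxt)
    return order

def route(group, patch_id, patches):
    """Critical: desktops auto-deploy, servers use emergency change; rest wait."""
    if urgency(patches)[patch_id] != RANK["critical"]:
        return "regular-cycle"
    return "auto-deploy" if group == "desktop" else "emergency-change"

def assets_needing_incident(results):
    """Feedback loop: group failed installs by asset so each gets one incident."""
    failed = {}
    for asset, patch_id, status in results:
        if status == "failed":
            failed.setdefault(asset, []).append(patch_id)
    return failed
```

Note that the low-severity P-100 is scheduled and routed as critical because the critical P-101 cannot install without it.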

So, patch management doesn’t need to be complicated. Take a logical and organized approach and let automation do as much of the heavy lifting as possible.

Please watch the video below to see how your organization can use SysAid Patch Management to simplify its need for ensuring that all workstations and servers stay up-to-date with the latest product patches.


About the Author

Oded Moshe

Oded is VP Products at SysAid, with over 15 years of experience in various product and IT management positions. Proud father of two young (iPhone/iPad-addicted) girls and one baby boy (that they’re trying to keep the gadgets out of his reach). Fond of new technologies, and enjoys good conspiracy books and movies.
