Not all patches are the same, explained Syxsense’s chief customer success officer Robert Brown. Some are strictly updates that introduce new features, drivers and or firmware. Other patches fix issues such as software glitches or security holes.
Cybersecurity agencies and vendor rating systems grade patches based on their importance. The Common Vulnerability Scoring System (CVSS), for example, gives a score from one to 10, with the highest ratings being the most serious. Some patch management systems use CVSS scores, while others incorporate other metrics and evaluate a vulnerability against how much risk it poses to a specific business or application.
Critical updates offer a significant benefit: improved security, better privacy or greater reliability. Updates that are graded as important but non-critical will still enhance the system; optional patches typically relate to drivers or new software.
“Different vendors rate things differently,” said Brown. “As one vendor may grade a patch as critical and another as non-critical, it is best to take multiple factors into account.”
Syxsense provides a “Syxscore,” which is based on an organization’s attack surface with vulnerabilities and endpoint posture. It leverages the National Institute of Standards and Technology and vendor severity assessments in relation to the health status of the endpoints in an environment.
“Syxscore is a personalized evaluation of what devices are vulnerable and the criticality of updates to the overall protection of your network, giving you the ability to target endpoints that pose the most serious levels of risk,” said Brown.
Brown offered some tips on patch management, outlined below.
- Don’t neglect 3rd-party patches
- Implement patch automation
- Identify all devices
- Test and roll out carefully
- Follow the golden rules
1. Don’t neglect 3rd-party patches
Too many companies tend to turn on Windows and Apple updates and believe they are covered. However, they are missing a great many open-source and third-party patches that may represent severe exposure.
“Third-party updates account for 75% to 80% of all vulnerabilities,” Brown said.
SEE: Learn how to create a solid patch management strategy here.
2. Implement patch automation
Once organizations begin to confront third-party vulnerabilities, the volume of patches can soon become overwhelming. Some try to manually deal with all the vendor patches that come their way, but this ties them up in knots as they must test each one, figure out the best sequence of deployment and time the patch delivery to avoid overwhelming the network.
Cloud-based patch automation is the answer. The vendor takes care of prioritization, testing, patch rollout and the verification of a successful patch.
Brown advised enterprises to first establish their exact needs and choose a patch management toolset that fits. By taking advantage of all available automation features, IT and security personnel will have time to get on with more strategic projects.
3. Identify all devices
One of the biggest issues in patching is making sure you cover all systems and devices. Cybercriminals only need one unpatched app or device to wreak havoc.
Moreover, not all patch and vulnerability scanners are the same. Some miss smartphones, others are operating in a system-specific fashion and more than a few are weak when it comes to backup and storage applications.
4. Test and roll out carefully
Brown also explained the best way to test and roll out patches: To start, a handful of systems should be used to create an initial baseline for patch deployment. These devices are used to verify that the patch is installed correctly and no issues come up.
From there, deploy across a larger set of devices, which should include machines from different departments. You want to have a device or two in IT, finance, marketing and other departments, for example, so you can verify there are no issues with any core business applications. If that all checks out, set up a schedule to deliver the patch everywhere.
5. Follow the golden rules
Finally, Brown ran through some additional golden rules of patching:
- Don’t test a patch on your own machine: If it crashes, you may be locked out of your device for hours and unable to stop a rogue patch from broader deployment.
- Look for patch management systems that allow you to uninstall patches and roll back systems.
- Organize the rollout so as not to overwhelm the network or impact user experience. Split it up based on logical groups or by department, region, location or device type.
- Ensure all new devices are added to the patching schedule.
- Document patching successes and failures. Know if any devices failed to patch and be able to drill down to find out why.