Patch management is the process of updating software, firmware, drivers and other aspects of an organization’s devices to protect against vulnerabilities and possible attacks. While it doesn’t sound like the most glamorous thing to do, it’s clear that patch management is a critical part of keeping your organization’s technology safe from bad actors.
The only issue is, not all patches are the same. This was emphasized by Syxsense’s Chief Customer Success Officer Robert Brown. Some are strictly updates that introduce new features, drivers and or firmware. Other patches fix issues such as software glitches or security holes.
SEE: Brute Force and Dictionary Attacks: A Guide for IT Leaders (TechRepublic Premium)
With that in mind, there are a few key things your organization can do to get the most out of the patch management process. In this article, we dive into essential patch management practices your organization should adapt to ensure the utmost security and stability.
Featured Partners
What are some patch management best practices and techniques?
According to Brown, there are five key things organizations should adapt to when it comes to patch management. We’ll dive into each practice deeper, but here’s a quick rundown of the patch management best practices:
- Taking into account third-party patches and updates.
- Implementing automated patches or patch automation.
- Identifying and covering all devices to be patched.
- Testing and rolling out patches carefully.
- Following patch management “golden rules” such as patching on test machines and organizing rollout beforehand.
Following these five practices will ensure that your organization and its endpoints; is secure, productive and protected through the patch management process.
Let’s look into each one of Syxsense Officer Brown’s on patch management, as outlined below.
1. Don’t neglect third-party patches
Too many companies tend to turn on Windows and Apple updates and believe they are covered. However, they are missing a great many open-source and third-party patches that may represent severe exposure.
“Third-party updates account for 75% to 80% of all vulnerabilities,” Brown said.
Aside from OS-wide updates or firmware patches, it’s also prudent to check updates for your organization’s most used third-party applications. This is especially important for services that house sensitive company resources, such as password managers or storage services.
2. Implement patch automation
Once organizations begin to confront third-party vulnerabilities, the volume of patches can soon become overwhelming. Some try to manually deal with all the vendor patches that come their way, but this ties them up in knots as they must test each one, figure out the best sequence of deployment and time the patch delivery to avoid overwhelming the network.
SEE: What is Cloud Security? (TechRepublic)
Cloud-based patch automation is the answer. The vendor takes care of prioritization, testing, patch rollout and the verification of a successful patch.
Brown advised enterprises to first establish their exact needs and choose a patch management toolset that fits. By taking advantage of all available automation features, IT and security personnel will have time to get on with more strategic projects.
3. Identify all devices
One of the biggest issues in patching is making sure you cover all systems and devices. Cybercriminals only need one unpatched app or device to wreak havoc.
SEE: The Top 6 Enterprise VPN Solutions to Use (TechRepublic)
Moreover, not all patch and vulnerability scanners are the same. Some miss smartphones, others are operating in a system-specific fashion and more than a few are weak when it comes to backup and storage applications.
4. Test and roll out carefully
Brown also explained the best way to test and roll out patches: To start, a handful of systems should be used to create an initial baseline for patch deployment. These devices are used to verify that the patch is installed correctly, and no issues come up.
SEE: 8 Best Identity and Access Management Solutions in 2024 (TechRepublic)
From there, deploy across a larger set of devices, which should include machines from different departments. You want to have a device or two in IT, finance, marketing and other departments, for example, so you can verify there are no issues with any core business applications. If that all checks out, set up a schedule to deliver the patch everywhere.
5. Follow the golden rules
Finally, Brown ran through some additional golden rules of patching:
- Don’t test a patch on your own machine: If it crashes, you may be locked out of your device for hours and unable to stop a rogue patch from broader deployment.
- Look for patch management systems that allow you to uninstall patches and roll back systems.
- Organize the rollout so as not to overwhelm the network or impact user experience. Split it up based on logical groups or by department, region, location or device type.
- Ensure all new devices are added to the patching schedule.
- Document patching successes and failures. Know if any devices failed to patch, and be able to drill down to find out why.
Understanding patch management ‘rating systems’
Cybersecurity agencies and vendor rating systems grade patches based on their importance. The Common Vulnerability Scoring System, for example, gives a score from one to 10, with the highest ratings being the most serious. Some patch management systems use CVSS scores, while others incorporate other metrics and evaluate a vulnerability against how much risk it poses to a specific business or application.
Critical updates offer a significant benefit: improved security, better privacy or greater reliability. Updates that are graded as important but non-critical will still enhance the system; optional patches typically relate to drivers or new software.
“Different vendors rate things differently,” said Brown. “As one vendor may grade a patch as critical and another as non-critical, it is best to take multiple factors into account.”
Syxsense provides a “Syxscore,” which is based on an organization’s attack surface with vulnerabilities and endpoint posture. It leverages the National Institute of Standards and Technology and vendor severity assessments in relation to the health status of the endpoints in an environment.
“Syxscore is a personalized evaluation of what devices are vulnerable and the criticality of updates to the overall protection of your network, giving you the ability to target endpoints that pose the most serious levels of risk,” said Brown.