The recent spate of Java vulnerabilities has required a number of large vendors to react almost instantly to optimize security levels. But as good as these reactions are, organisations urgently need to apply insightful strategic thinking to ensure that security updates are reaching the entire organisation's IT estate.
CentraStage analyzed anonymous hardware and software data (including thousands of PCs and servers in 6,000 organisations across public sector establishments currently running our solution) and found that 40 percent of servers and workstations are missing security patches. In addition, six vendors — Microsoft, Adobe, Mozilla, Apple, Oracle, and Google — together released 257 security bulletins/advisories fixing 1,521 vulnerabilities in 2011. In 2010, these vendors fixed 1,458 vulnerabilities, demonstrating the extent of the issue as well as the numbers of bulletins we annually face.
With more and more organizations supporting remote working, the challenge isn't just to implement patches as they are released, but to be fully confident that devices have been updated and are thus continuously safeguarded. So what areas should IT experts tick off the list for a successful patch management implementation?
1: Ensure transparency
At the heart, asset discovery is essential. If you don't know what you've got, you don't know the extent of the problem you may have. If you do nothing else, make sure you know where your IT assets are; this is a quick gain that will put your house in order.
Once the estate is established, you need to have real-time visibility of the assets you support. With the urgency in which we need to manage patches, the first secret is to not only have full awareness of the estate but instantly know the health of it too.
2: Don't just look at the security
Knowing the whereabouts and health of the IT estate is paramount, as it provides the intelligence for ensuring its security. A study of public sector CIOs in December 2012 found that 87% of respondents were either concerned or very concerned about the risks associated with IT security breaches. In addition to security, keep an eye on securing IP, as it can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host.
3: Define your patch nirvana
While the audit and assessment element of patch management will help identify systems that are out of compliance with your guidelines, you should also work to reduce noncompliance. Start by creating a baseline — a standard you want the entire estate to comply with. Once complete, it's easier to bring controls in line to ensure that newly deployed and rebuilt systems are up to spec with regard to patch levels.
4: Face the facts
You must know which security issues and software updates are relevant to your environment. Further analysis of our data showed that 50 percent of PCs and laptops are still running Windows XP, and 32 percent of devices are more than four years old.
Beyond patch management and the protection against vulnerabilities and exploits that by now must have caught the attention of IT leaders globally is the preparation and planning for end-of-life Windows XP support. If you do not replace, there is no way to safeguard. If you do replace, this has implications on expenditure. Make sure that you have a realistic view of patch management and its limitations, but also ask whether the discipline of patch management indirectly ensures the infrastructure and IT estate is viable from support and budget perspectives.
5: Do it your way with software policies
You can customise policies targeted at filters or groups at the account or profile level. The filter targets can be either the default filters provided within your account or any custom filters you have previously defined. The secret here is to define custom filters or groups to identify devices with specific criteria. One or more of these filters can be associated with a policy to target those devices.
This goes back to your baseline creation. Set the policies from the outset and customisation will be a simple step forward.
6: Get the timing right
Why wouldn't you implement a patch management update as soon as you can? With baseline mechanisms in place, there's no need to delay. However, you should consider the time of day for updates by policy — what time will have the least impact on day-to-day business? The ideal timing for updating patches should follow any rollout best practice. Consider the day of the week, the impact on the business if something doesn't go smoothly, and whether there is sufficient time and resources to rectify if necessary. If your IT management solution is on-premise rather than cloud- based, you might have to take responsibility of scale and load of the update.
7: Audit first — is it too broken to be fixed?
Gaining visibility of devices that are vulnerable is crucial, but so is analysing the overall health of each device. Ensure that all devices are audited prior to rolling out patches or patch policies. There could be a more urgent matter requiring attention before the device can be brought in line.
8: Keep it simple
We are led to believe that the bigger the enterprise estate, the more complex the management. But in most cases, solutions are easily scalable. The issue comes with usability. As complexity increases (and in some cases, the number of solutions and providers also grows), the technology team is used more and more to ensure the estate is kept up to date. Keep usability as simple as possible. There are solutions that do not even require a technically skilled person to ensure the estate is kept up to date quickly and easily.
9: Consider automated solutions
Often, patch management is a distress purchase because vulnerabilities such the ones we've seen recently place patch management in a crisis management budget and not an ongoing IT budget. Of course, this has financial implications. Some enterprise IT management solutions may save you money by providing tools that automatically audit and monitor. If automation is behind the scenes, it doesn't interrupt the business and will keep all software solutions running smoothly, without input.
10: Visualise your patch management
Make sure you can see a graphic representation of your patch management, tailored by severity and whether the patch requires a reboot or user interaction. This also fundamentally supports measurement and service level agreements by reporting SLAs in a way that's visual. Not only will this help with compliance, but it will demonstrate that IT is making a difference to the business. This makes for better relationships throughout an organisation, whether internal or external.
Ian van Reenen is CTO for CentraStage.