Patch Management Best Practices
If you’ve made it to this page I suspect you already know a little about patching and its importance. But in an ever-changing world with increasing digital threats, patching is more important than ever. This was recently showcased by the colossal Equifax breach that could’ve easily been prevented. In this article I’ll be going through some of the best practices that technicians can implement in regards to patching.
Tracking and monitoring IT assets
There are countless challenges and difficulties one faces when it comes to patch management. Even the prerequisites for an efficient patch management framework can have you scratching your head. Having a thorough and up-to-date inventory of your IT assets is an essential first step.
Imagine how complicated this task is for a company like Equifax that has over 10.000 employees. Employees might have several devices connected to the network and some could be using their work laptops for personal use. This can lead to applications, unknown to the IT department existing on the network, never getting patched, leaving your network vulnerable. One vulnerable application means one vulnerable device and the recent iNSYNQ breach showed us that, one vulnerable device is all hackers needs.
That’s why it’s recommended by most experts to have an automated IT asset discovery system in place to ensure that nothing falls in between the gaps, and vScope offers just that! Not only will an automated discovery of your IT assets help you manage your patches, but you can also leverage the information you gather to gain insights about your IT environment.
For further improvements to your data security, consider restricting local administration privileges and application whitelisting. After you have gotten to know your IT environment, you also need to get familiar with your enemies and potential threats.
PUBLISHED 2 SEPTEMBER 2019
Helping you make the most out of vScope
Staying updated on patches & vulnerabilities
Software vendors usually have some security page that informs its users when vulnerabilities have been found or when patches have been released. For example, when it comes to staying on top of patches for Microsoft products you can turn to Microsoft Security Response Center’s Security Update Guide, that offers a lot of valuable information.
But as there are a lot of different applications from different vendors on any network, it’s not always feasible for one to subscribe to all security pages. But if you have a proper inventory of the applications on your network, you can easily identify the most common applications and stay on top of those. Alternatively, you can simply subscribe to a security advisory page by a security vendor, such as Trend Micro. Their security advisory page includes the latest vulnerabilities, patches, and security-related announcements from multiple software vendors.
For those that are interested in vulnerabilities and data security and want to learn more I can recommend the following pages:
- The National Vulnerability Database (NVD) – Offers many helpful resources in regards to Common Vulnerabilities and Exposures (CVEs).
- The DoD Cyber Exchange – Offers Security Technical Implementation Guides (STIGS) and other useful resources.
Scheduling & Conflicts
As I previously mentioned, patching affects the whole company. This can sometimes lead to conflicts between departments. The time wasted on conflicts should be spent on securing the network instead. This is why IT managers need to make sure that pre-established patch management strategies or policy is in place so that these downtimes are kept to a minimum.
When establishing such a policy one might face some resistance from upper management. In these circumstances it’s best to confront the resistance with facts. When faced with the potential cost of a breach most people usually change their minds. Scheduling and properly planning the patch roll out can also decrease tension. But make sure that you also account for emergencies that may appear, all patches can’t wait and hackers usually don’t care about schedules!
8 questions you should ask yourself when developing a strategy
Patch Management Best Practices – Deployment
Patches don’t always work as intended and can have unforeseeable consequences. It’s therefore recommended by industry experts to deploy patches in different stages to minimize the risk of unnecessary downtime.
Testing should, of course, be the first stage. Start by setting up test environments that model all critical and relevant production environments. Continue by establishing a test protocol (preferably this should be pre-established in a patch management policy). The protocol should basically lay out rules and procedures for testing patches. If the patch passes the test protocol one can move on to the following stage.
Don’t cut any corners in the testing stage! If something stops working in the production environment because of a poorly tested patch, you’ll end up spending more time trying to fix it!
When you have passed the predetermined criterias in the test stage, you can gradually start deploying the patch. But some issues might only surface in the actual production environment, it’s therefore best to not deploy the patch for everyone right away. Instead, start by deploying the patch to a few selected users that can provide you with feedback in case anything happens. This lowers the risk of unforeseen problems affecting a whole department or business unit. Hopefully the pilot stage is successful, and the patch can be mass deployed.
Finally it’s time for a full rollout. In this stage, you want to deploy the patch with minimal downtime. Business-critical applications, for example, should perhaps not be patched during peak hours. Furthermore, despite thorough testing issues may still arise so make sure to have a rollback plan in place in your patch management policy.
Analysis and Reporting Stage
After you have successfully deployed the patches, take some time to look for hidden issues and problems. Also make sure that there’s time afterwards for the patch management policy to be evaluated and improved. The IT landscape is constantly changing which means that strategies can’t stay static, they have to evolve as well. Go over the processes with your team and see if it can be improved.
Patch Management Best Practices – Further reading
If you are interested in learning more about patch management best practices, I recommend the articles below. Lastly for those of you interested in obtaining an automatically updated inventory of your IT assets to improve your patch management framework; head over to vScope Inventory & Reporting and find out how vScope can save you both time and keep track of patches for you.
vScope’s Windows Patch Pack
The Patch Pack automatically creates patch reports and continuously runs analysis on your servers and clients – so you don’t have to.
- Overview of the patch status of the entire network
- Ready-to-go reports for following up patching progress
- Analysis that helps you locate vulnerabilities immediately
- All information needed for patch management in one place