For a long time, patch management has not been approached strategically. It need not be merely an operational routine: adding a security perspective to it tells you which patches to apply and when. Yet even with that progress, we keep coming across a whole range of systems, mission-critical ones among them, that run unpatched versions.
One of the major reasons may be that hundreds of patches are released every month, many of which apply to the operating systems and applications on your network. Take Java as an example: several mission-critical applications are tied to the Java version that runs on the systems in a given organization. If that Java were patched every time an update came out, you would run the risk of breaking the applications that depend on that version. This means committing resources to test and assess the possibility of failure, which adds overhead for IT staff and also delays the timely deployment of patches.
Suggested Approach to Patch Management
Patch management as a process can be a little complex if you do not have a regular process in place. Let us consider two key scenarios:
- Many organizations deploy every critical patch that comes their way, without assessing or testing its impact once deployed.
- There are several applications outside the core operating system, and these applications can often be threat vectors just like Windows or IE.
Effective patch management is all about prioritizing and yet maintaining the balance. You can break your patch management process into three areas:
- Patch prioritization
- Patch deployment
- Patch testing
To start with, you need an up-to-date asset inventory of all the applications and operating systems on your endpoints. It is highly recommended that you use an efficient patch management tool that alerts you to the applications that need updating, so that you can separate the ones that affect your systems from the ones that don't. Patching every application in your IT environment as each update comes out is not a viable solution either. Hence, it is important to classify the applications needing patches by severity and then assign them criticality levels, so that the most critical ones are addressed immediately.
Now that you are all set to apply the patches, it is important that you can do so without disrupting uptime. Automated patch management tools can be really handy, especially if your IT environment is spread across multiple locations, as they can help you with:
- Patch deployment packages for your target systems with the latest security updates and bug fixes
- Testing the patch before actual deployment and analyzing post-implementation results
- Scheduling automated patching of all target systems with the prepared patch package
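The prioritization step described above (inventory, classify by severity, assign criticality, and route runtimes that other applications are pinned to, such as Java, through testing first) as a small worked example; this is added illustration, not code from the original post, and the inventory, severity scale and score weights are constructed assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed severity scale for the vulnerability a patch fixes (higher = more severe).
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Asset:
    name: str
    version: str
    patch: Optional[str] = None        # patched version available, if any
    severity: Optional[str] = None     # severity of the issue the patch fixes
    exposed: bool = False              # reachable from untrusted networks
    dependents: List[str] = field(default_factory=list)  # apps pinned to this version


def priority_score(asset: Asset) -> int:
    """Criticality level: severity weight, plus a bump when the host is exposed."""
    if asset.patch is None:
        return 0
    return SEVERITY_WEIGHT[asset.severity] + (2 if asset.exposed else 0)


def plan_patches(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Split the inventory into three queues: deploy now, test first, no action."""
    plan: Dict[str, List[str]] = {"immediate": [], "test_first": [], "no_action": []}
    pending = [a for a in inventory if a.patch is not None]
    for asset in sorted(pending, key=priority_score, reverse=True):
        # A runtime that other applications are pinned to (the Java case above)
        # goes through the test queue however severe, so dependents do not break.
        queue = "test_first" if asset.dependents else "immediate"
        plan[queue].append(asset.name)
    # Nothing to patch: these do not affect your systems this cycle.
    plan["no_action"] = [a.name for a in inventory if a.patch is None]
    return plan


# Constructed sample inventory; names and versions are illustrative only.
INVENTORY = [
    Asset("java-runtime", "8u0", patch="8u1", severity="critical",
          dependents=["billing-app"]),
    Asset("web-browser", "100", patch="101", severity="high", exposed=True),
    Asset("pdf-reader", "10", patch="11", severity="medium"),
    Asset("text-editor", "3.1"),
]

if __name__ == "__main__":
    for queue, names in plan_patches(INVENTORY).items():
        print(f"{queue}: {names}")
```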
Of course, managing patch updates is not an easy task, but taking the above approach can help you stay ahead of the curve!