What should you consider in building a good patch management strategy?

The recent recall of 1.4 million Fiat Chrysler cars over a remote hack vulnerability is just another patch management headache waiting to happen—only on a larger scale and more frequently. But that’s the future. Let’s talk about the current problems with patch management in organizations, big and small. In a recent SolarWinds security survey, 62% of the respondents admitted to still using time-consuming, manual patch management processes.

Does this mean IT managers are not giving due attention to keeping their servers and workstations up-to-date? NO. Of course, security managers and system administrators know how much of a pain it is to have a 'situation' on their hands due to a bunch of unpatched, vulnerable machines in their environment. It’s never fun to be in a fire fight!

However, having a manual or incomplete patch management process in place is equivalent to having nothing at all when deploying patches as vulnerabilities arise from:

• Potentially unwanted programs
• Malware
• Unsupported software
• Newer threats (check US-CERT or ENISA)

As a security manager or system administrator, what do you think are the common challenges that come in the way of realizing an effective patch management process? Here are a few common issues:

• Inconsistent 3rd-party patching using the existing Microsoft WSUS and SCCM solutions
• Complexity in addressing compliance and audit requirements
• Complexity in customizing patches and packages for user and computer groups
• Administrative overhead due to an increase in BYOD usage in the environment

Given the frequency and scale of cyber-attacks and data compromises, having a thorough patch management process is a must-have—not a nice-to-have. But how fast can you put one together?

If you’re already managing patch deployments in your organization with WSUS, you’re covered for Microsoft applications. You just have to implement a process for automating the patching of non-Microsoft (or 3rd-party) applications like Adobe, Java, etc.

WSUS also has its own limitations, like limited hardware inventory visibility and an inability to provide software inventory information. Having inventory information is crucial when you’re formulating a comprehensive patch management strategy.

The strategy should accommodate flexible and fully-customizable patch operations so the regular business activities don’t feel the impact. Or, you can count on having an ‘oh-dear’ moment, complete with a blank stare as you wonder “Why is this server rebooting at the wrong time and hurting my business?”

There are just too many pieces that must fall in place for an effective patch management strategy. If you don’t have one, you might begin by asking yourself…

1. How am I planning to look out for newer security threats, and regular hot-fixes/patches?
2. How will I assess the impact to my systems/business if I manage to identify the threats?
3. How will I prioritize the patches that may affect my systems right away?
4. What’s the back-up/restore plan?
5. How will I test the patches before rolling them out to production systems?

The notion should be to not let patch management become a fire-fighting exercise. Even if it does become a fire-fighting exercise, the process should be clearly defined to minimize the impact of the security threat.

Effective patch management should become a good security practice to protect the IT systems from security threats, stay compliant, and eliminate business downtime and data compromises.