Although it ought to be a basic task, patch management has nearly gotten out of control. Many vendors, to their credit, are quick to release patches when they discover issues. But there are more devices and applications on today’s networks, and an ever-growing list of threats to worry about. These factors combined have made it exponentially harder to keep up with patch management. So, dear reader, by the end of this blog I want you to come away with some strategies to make your life easier.
Patch Management Objectives
While patches often improve the performance of their respective products, one big goal (and the focus of this blog) is security. New exploitable vulnerabilities are discovered every day, and vendors will—hopefully—release patches to fix these issues. Furthermore, effective patch management is a requirement of many compliance regulations. So, patch management is a critical part of any organization’s cybersecurity strategy.
Patch Management Best Practices
First, it’s good to understand and implement some standard best practices.
Figure out every last thing on your network: Take inventory of all physical and virtual systems that connect to your network. Don’t skip the off-premise systems. Note the different OS types—you may rely on supporting just Windows because 99% of your network uses it, but then that one MacOS device will become a liability.
Streamline the OS types: You’re likely to have a bunch of different OS versions, but try to minimize the number. For example, if half your office is still running Windows 8 on their workstations, get them on Windows 10 with everyone else. You’ll save time later because you won’t need to apply patches for both versions. This is one way of standardizing your network, which is especially helpful if you work in an enterprise environment.
Establish a regular cadence: Some vendors release patches on a regular schedule (e.g. Microsoft’s Patch Tuesday). Others are more sporadic. You’ll find it more effective to batch your patch management. Determine a schedule that works for you and install all the patches that have been released since the last batch. Many SMBs do this weekly; larger organizations may need more time in between batches to minimize business disruption.
Automate and report: Automated patch management saves a lot of legwork and is typically recommended. But it’s important to get reports from whichever tool you choose to do this. You’ll need to know, for example, about any patch failures. Good patch management solutions will offer these capabilities.
Assess vulnerability severity: There will be times when a vulnerability is so dire that you’ll decide to break your schedule and apply the patch immediately. To do this, you’ll need a way to receive automated vulnerability alerts and analyze them—more on this later.
Patch Management Challenges
Here are some common pitfalls you may run into.
Lackluster or no reporting: Again, reporting is important. If you can’t see that an expected patch failed to install, your organization is at risk. Good reports will also tell you how many devices need updates (as well as which updates they need), whether any patches are missing, and exactly when patches were installed.
BYOD and remote systems: You may have users who don’t frequently connect to the internal network. Many patch management tools are designed to only monitor internal servers, so these external devices can be overlooked. The problem is when those devices, unpatched, do end up connecting to your network, creating a possible security issue.
Manual patching: If an automated tool isn’t within budget, patch management becomes more labor-intensive and susceptible to human error. In this case, it’s especially important to be able to immediately detect and investigate suspicious behavior on your network.
Old systems: Sometimes, old devices or applications can’t be patched. This may be because the vendor no longer supports them, or because the patch may even break something that’s business-critical.
How to Mitigate Patch Management Risks
Now that we’ve discussed the challenges of patch management, there are two broad categories that an inability to patch can fall under:
- You can’t patch the system at all (e.g. old or remote system)
- You must delay installing a patch (e.g. dedicated patch window or lack of time)
In both cases, network traffic analytics—including baselining normal traffic patterns and detecting anomalies—is invaluable.
For example, say you know a device is not patched, and you know what security issue the patch would fix. You can monitor that device for the behavior indicative of that particular security issue. With network traffic analytics, you can also better assess which vulnerabilities are severe enough to break your patching schedule.
This means that you should be exporting traffic data from your network devices to one central location and have a solution in place to analyze that traffic.
We recommend a combination of NetFlow/IPFIX and metadata. This gives you thorough, detailed information that’s also lightweight. (Our own solution, Scrutinizer, ingests a wide variety of this information and performs network traffic analysis, so you can quickly get to the actionable data you need.)
Patch management is a big job—so big that some organizations dedicate staff to it. But by establishing the right processes and knowing what to watch out for, you’ll save yourself a lot of time.
For more reading on network administration, you may enjoy these articles: