As intrusion points continue to expand in scope, making malicious attacks ubiquitous and harder to prevent than ever, an effective patch management strategy might appear the first line of defense in building endpoint security. However, the complexity and scope of the task has often undermined its success.
Patch management can easily consume huge amounts of time and money, yet informal, ad hoc patching without a central strategy often fails to deliver what patching is supposed to deliver: a safe, secure and available IT infrastructure.
Here are nine simple tips that can make patch management simpler, more effective and less expensive.
1. Know your network
It’s important to understand that a network is only as strong as its weakest link, whether you’re considering security, stability or functionality. In other words, it takes only one unpatched computer to make the entire network vulnerable.
Therefore, patch management is about bringing the entire network – every computer and device, including unmanaged or rogue devices – up to an acceptable state.
To do so, you have to start by knowing exactly what’s on your network. The lack of visibility or lack of awareness of dangerous blind spots can leave poorly managed assets completely vulnerable to attack, undermining even the best attempts to ensure standard adherence to security policies.
Conducting an asset inventory isn’t something an IT team looks forward to. Manually inventorying assets is not only tedious, but can be incredibly error-prone.
It’s simply too easy to miss one or two applications. Miss them and you’re not managing their patches. Don’t manage their patches and they become your network’s weak links. So the first tip for simplifying patch management is to automate device discovery and asset assessment.
2. Scan and assess
Scanning computers and assessing their patch status isn’t a one-time activity that you do simply to find out what’s on your network – it’s an ongoing activity that forms an essential part of simplified patch management.
The idea here is straightforward: once you have an effective patch management process in place, it should be fairly automated. Periodic scans and patch assessments help you identify computers where automated patch management isn’t working, so that you can manually address those computers and correct the problem. The purpose of a regular process of scanning and assessment is to focus your attention where it’s needed, minimising wasted effort.
3. Rely on a single source for patches
One way to increase your patch management workload and overhead is to rely on multiple point solutions for patch deployment. That might include one solution for Microsoft updates, another for Adobe, a third for Mac OS patches, and yet another for other applications.
The result is a point product or products with a fragmented approach to vulnerability management, and an overall lack of visibility of the patching and risk posture. In addition, every time you bring a new solution or process into your environment, you have to learn its procedures and techniques, deal with its maintenance, and so on.
A far better approach is to have a single solution that can do it all, helping reduce the complexity of your IT infrastructure because you’re not maintaining multiple patching solutions. That results in simplified team training and end-user communications, and reduces overall operating cost due to consolidated management and effective use of staff.
4. Have an ‘undo button’ for patches
One of the most crucial capabilities you can add to your patching strategy is the ability to roll back, or ‘undo’, patches.
First, the ability to retract a patch obviously provides the entire organisation with more peace of mind. Whether a patch was rolled out unintentionally, or whether its vendor issued a recall or do-not-deploy instruction, rollback simply makes everyone’s lives easier.
Plus, the ability to roll back patches also helps simplify the process of actually rolling out patches in the first place. With the knowledge that patches can be easily rolled back, your organisation might feel more comfortable deploying patches that haven’t been through a rigorous, weeks-long test-and-pilot process. You’ll reduce the overhead involved in testing patches, get critical patches out faster, and still have the ability to keep the environment reliable and secure.
5. Use a phased approach to patch releases
Larger organisations simply might not have the infrastructure needed to push out a given set of patches to a large population at the same time. A phased release helps to avoid bottlenecks and keeps everything moving smoothly – and can be more easily and effectively communicated to users.
Not every patch needs to be treated the same. Critical patches may need to be pushed out immediately to computers that are more sensitive to whatever problem the patch addresses. Less-critical patches might be able to wait for a regular maintenance period. Some critical patches might apply only to certain servers, or to certain departments – others might need to be quickly pushed out to the entire organisation.
Phased approaches can also help mitigate the need for lab-based patch testing. Roll out patches first to trusted users, like members of the IT team or users who’ve volunteered. That way, technologically proficient users act as part of the patch testing phase, since they’re better equipped to deal with patch-related problems and to communicate those problems to IT for resolution. Later phases can target the major user populations in the organisation.
6. Support a good user experience
One reason that patch management can become tedious is its impact on the organisation’s users. Users who don’t realise a patch is coming might be very surprised when their computer abruptly restarts in the middle of the workday. Users with no control over or input into that process might become frustrated. All of that feeds back to the IT team, which has to placate, console and educate users – creating unneeded overhead.
Part of a good user experience is giving users some control over the patching process. Set deadlines that define when a patch must be installed, but give users the ability to postpone the install up to that deadline – or to opt to conduct the installation right away.
Communication is also part of a good user experience. Helping users understand that patches are available, when they must be installed, and when they may be installed, all helps reduce negative impact and user downtime – as well as user frustration.
7. Support a good administrator experience
One of the more difficult aspects of patch management has always been the administrator’s experience. With a proper patching solution, administrators should be able to coordinate patch updates across complex and distributed user bases, and have visibility into the patching phases on a per-machine basis.
In addition, administrators need to focus on what has failed, meaning they need reports and alerts that help them concentrate their attention on the systems that require attention. Reports that identify non-compliant computers, alerts that trigger administrator responses to failures and other tools can all help simplify patch management over time.
8. Stay organised
Proper organisation is critical to effective patch management. Every day, you may receive dozens or even hundreds of software updates. Simply reviewing them, categorising them, and selecting approved ones for deployment can quickly become a full-time job – something not every organisation can afford.
The first way to stay organised is to use a single patch management tool that can accommodate your entire environment. Seeing all of your patches in one place will enable far better organisation than having to review patch lists in a mish- mash of different tools.
Having only one solution also enables you more control over scheduling patches, and will allow you to set up patch windows with hard stops to ensure minimal interruption for users during business hours.
One reason many organisations fail to develop a mature patch management policy is the plethora of free tools, solutions and approaches that exist in the marketplace.
For example, a massive multinational enterprise with tens of thousands of users and a huge IT department can probably afford the overhead of a massive, large-scale patch management system.
But at the other end of the spectrum are organisations that can’t afford to have dedicated IT staff managing a patch management tool. Should they adopt the wrong tool or approach, they will find themselves frustrated, overwhelmed, unsuccessful, and, more importantly, at risk for security breaches.
It’s important to choose a patch management approach and associated tools that fit your organisation. Consider the overhead you’re willing to deal with, the size of your environment, and the amount of time you have to plan and deploy a solution.