Unpatched business systems roll out a welcome mat for hackers aiming to steal data or hold it hostage. But patching systems isn’t as simple as clicking an install button – and as the complexity and risk grow, implementing patch management best practices is vital to keeping your business safe from cyber threats.
Nearly 60% of cyber-attack victims said installing an available patch would have prevented their breach, a Ponemon Institute study reports. Even worse, 34% said they knew about the vulnerability before the attack but never fixed it.
Case in point: the 2017 Equifax data breach that exposed the data of 143 million Americans stemmed from an Apache Struts vulnerability that had remained unpatched for two months.
The record-setting number of zero-day attacks in 2021 drives the urgency of patch management best practices even more – with zero-day malware comprising more than two-thirds of cyber threats in the third quarter alone. Zero-day attacks stem from software vulnerabilities exploited so quickly by hackers that IT teams have zero days to fix the problem.
Such attacks carry hefty costs. The average price companies paid after a data breach set another grim record in 2021: a whopping $4.24 million.
Why is patching a problem?
Patch management is an organization’s process for applying software updates, often required to correct errors (aka bugs) or address security holes in the system. Patches are regularly released for operating systems, applications, and embedded systems like network equipment.
Since patches identify the vulnerability they’re meant to fix, installing them quickly is essential. Hackers can exploit a given weakness within hours of a patch’s release.
However, while software patches are mostly available within a reasonable timeframe, busy IT teams often suffer “patch fatigue” - lacking the time or expertise to keep up with complex patching schedules, post-patching QA procedures, and zero-day vulnerabilities that must be immediately addressed. They also struggle to work around business hours to minimize impact.
Organizations spend an average of 18,000 hours and $1 million+ on patching activities annually – and the time it takes for hackers to create new exploits for patched vulnerabilities is dwindling.
Some IT teams are also wary of patches, which can involve complex coding vendors are pressured to write and distribute quickly. With a wealth of equipment to manage and testing delays, it often takes organizations 100+ days to apply patches – leaving them vulnerable to cyber-attacks.
Implementing patch management best practices improves more than security. It can optimize business-critical functions as well, leading to performance improvements like fewer application crashes and downtime. It helps organizations keep pace with the latest software features and capabilities that improve end-user experience.
And as cyber threats explode, it helps enterprises avoid legal and financial ramifications for failing to stay compliant with stringent patch management standards required by regulatory bodies.
Patch management best practices every organization should know
Define and document a patch management policy.
Too many organizations choose patching tools and procedures without taking the time to understand their requirements or the functionalities and controls of their environment. Unfortunately, that often leaves them stuck with a solution that doesn’t fully fit their needs.
Developing a patch management policy with stakeholders across the organization helps you clearly identify your organization’s vulnerabilities, zeroing in on what needs to be patched, when, and in what conditions. It also establishes testing and recovering routines, procedures, and timeframes for effective patching that minimizes business disruption.
A strong patching policy should define:
- Scope. What technologies and teams are involved
- Cadence. How often does each technology require patching?
- Maintenance. What maintenance windows can be predefined?
- Priorities. For instance, security, updates, feature, and critical patches.
- Pre-and post-patching activities. That may include pre-patching communication and approval procedures, as well as post-patching testing, communication and QA controls.
- Zero-day timelines. What are high-priority vulnerabilities?
Know your infrastructure.
Once you have a clear view of your requirements, you can start translating them into procedures. Doing so requires an in-depth understanding of your infrastructure, considering:
- What infrastructure components are most critical to the organization? Every environment is unique – and a bad patch can trigger problems or even “break” machines with certain configurations. To avoid disruptions, longer timelines with extensive testing can be wise for patching critical devices.
- What components are most vulnerable? While all systems should be patched, assigning risk levels makes sense. For instance, an intranet server that isn’t accessible from the internet isn’t as high a priority as a highly critical perimetral network device. The more exposed to attack a device is, the faster it requires patching.
- Are there devices that can no longer be supported or will be out of support soon? No antivirus or firewall can protect you from a core-level vulnerability in an operating system (OS) that can no longer be patched. If devices have unsupported OS or application servers that can be accessed from the internet, they should be replaced as soon as possible with newer technology. Prioritization is based on business impact and vulnerability to attack.
- Will some devices be excluded from patching? For instance, devices running legacy or homegrown applications. Best practices should include isolating unsupported devices from internet access, when possible.
Answering these questions helps you define patching groups based on technologies, criticality, vulnerability, and business needs. For instance, if test environments aren’t available to test patches on critical servers, you can build resiliency by scheduling patches for less-critical servers first or patching servers with similar functionality on separate schedules.
Plan patch schedules and maintenance windows.
Patches require time, effort, and testing – but waiting too long to apply them puts your business at risk. The more you narrow the gap between the time a patch is published and the time you apply it, the more secure and reliable your environment will be.
Predefining maintenance windows is key to ensuring patches are applied promptly. While the frequency that patches become available varies among products and technologies, you should at least plan for monthly updates.
It is also good practice to predefine daily or weekly patching windows that can accommodate emergency fixes, such as deployments to correct zero-day vulnerabilities.
Every software vendor favors a particular channel for communicating patch information. Be sure to create a process for monitoring their announcements so nothing falls through the cracks.
Here are patch management best practices for some key technology:
- Windows: A list of available updates is published on the second Tuesday of each month.
- Linux: While there is not a set schedule for releases, it is good practice to patch these products monthly.
- Network infrastructure: Most devices do not regulate patch releases, but it’s good practice to patch them quarterly.
Every minute of IT downtime costs enterprises about $5,600, Gartner reports. So, while patching is vital to maintaining a healthy environment, risk management is essential to high system availability.
Here are key steps you can take to reduce patching risk:
- Create a test environment. A lab environment that replicates your real-world production environment allows you to safely test patches, avoiding surprise problems.
- If you can’t, split your infrastructure. While test environments offer the best solution for minimizing risk, they are also pricey. If you don’t have the budget, you can minimize complications by patching servers or devices with the same roles on different dates. For instance, if you have multiple domain controllers, scheduling updates a week apart prevents a problematic patch from shutting down your entire operation.
- Establish post-patching controls. Effective patch management rests on processes that ensure all services are running smoothly before patches are rolled out to your production environment or critical servers. Always exclude patches that cause issues from the next patching group and report problems to the vendor.
- Build a strong contingency plan. Even with proper steps to reduce patching risk, unexpected scenarios can still occur that cause systems to go down. Preparing for these outcomes ensures the quickest response and minimizes business impact. That includes:
- Notifying teams about services and/or devices affected by the update.
- Assessing business impact and urgency to determine prioritization.
- Identifying the problematic patch.
- Engaging the vendor or support groups to determine if a solution already exists.
Automation improves the speed, accuracy, and effectiveness of your patching process - eliminating the trouble of manually analyzing, preparing, testing, and deploying software patches individually.
Automation tools help you get ahead of potential vulnerabilities by automatically scanning for missing patches and delivering appropriate fixes to relevant devices. They can also automate the creation of in-depth reports that provide visibility into the status of your infrastructure and demonstrate patch compliance to auditors and internal stakeholders.
Clearly defined patch management policies and procedures can help you determine the best automation tool for your needs.
Scan systems regularly for vulnerabilities.
With cyber-attacks coming from any direction, vulnerability scanning has become basic security hygiene. But 37% of breach victims said they never scan their networks and systems to see what they need to patch, the Ponemon study reports.
Recurrent scanning identifies points of weakness in your infrastructure, ensuring nothing is missed. It helps you reduce the attack surface hackers can exploit and focus security efforts on areas with the highest risk.
Avoid gaps that put your business at risk by outsourcing patch management
Implementing patch management best practices delivers peace of mind that patches will be applied quickly and efficiently to business software. But 74% of companies said they lack the resources to patch fast enough to adequately mitigate security risk, the Ponemon study reports.
Not surprisingly, 83% of IT leaders were considering outsourcing security activities like patch management to a managed service provider (MSP) in 2021, according to Security magazine. With patch management as their core competency, exceptional providers have the time, tools, resources, and best practices already in place to keep organizations updated and secure.
They stay on top of zero-day vulnerabilities and other critical threats, deliver insight into your IT infrastructure with detailed reporting, and automatically apply patches to avoid gaps that could be risky to your business. They also remove a significant workload from IT’s shoulders, enabling teams to focus on critical business initiatives or more pressing needs.
The importance of patch management can’t be overstated. Outsourcing the process to a reputable third-party provider helps deliver the mature security framework you need to slam the door on hackers.
Auxis Managed Services provides the strong methodology, tools, and teams to plan and execute patch management for clients’ systems as an individual offering or part of its infrastructure managed services. To learn more, visit Modern IT Operations at www.auxis.com.