10 Patch Management Practices To Boost Your Organization’s Cybersecurity Posture

essidsolutions

Coding errors present a plethora of opportunities for threat actors to reach attack targets.  For most organizations, the most significant number of coding mistakes come with software written by third parties.  Patch management enables the identification and efficient application of fixes, or patches, for these errors. 

With endpoints becoming the most critical attack vector in recent times, patch management has also come to the fore. A July 2021 report by Kaseya shows that 54% of participants consider software patch management a top endpoint priority.

This article provides ten best practices for achieving effective patch management.

What is Patch Management

Patch management is more than throwing patches at systems whenever they become available.  Organizations should classify and prioritize patches so that the patches applied first are the ones that most reduce risk to system and business functionality.

One of the most common risk models is shown in Figure 1.  Coding vulnerabilities make up many holes in a system’s attack surface.  Applying patches that eliminate these weaknesses significantly reduces risk.

Figure 1: Formulaic Risk Model


Best Practices for Patch Management

Patch management is a process that consists of a set of best practices shown in Figure 2.  Each practice is a sub-process requiring documented, repeated steps.  These steps identify the highest risk vulnerabilities and allow tracking of patching.  They also enable managing systems that cannot be patched.

Figure 2: Patch Management Best Practices

Create/Manage Patch Management Policy

Policy and supporting procedures drive patch management.  The policy should include:

  • Inventory requirements
  • Responsibilities
  • Patch testing
  • Patching schedule

In addition to these, the policy should include vulnerability scanning expectations and approaches, and requirements for managing unpatched systems.  The policy should address the other nine best practices.

Maintain a system/data/application inventory

It is impossible to know what vendor patches apply or are needed unless the organization understands what is installed on its internal and cloud networks.  System inventories are required to understand the operating systems and critical business functions supported.  This includes IoT and IIoT (industrial IoT) devices.

Effective patch management requires an accurate inventory.  It also requires a manageable list of applications for which IT can manage risk.  This is a good argument for creating application allowed lists.  Placing an application on an allowed list requires IT and management approval.  It also includes removing the users’ ability to install any application that does not appear on the list.

Identify Vendor Updates

Most mainstream vendors routinely announce security patches for their products.  Organizations must regularly check (daily is best) for patches reported by vendors or by other sources.  Organizations can often sign up with vendors for email patch or vulnerability notifications.

Another approach is to use the National Vulnerability Database (NVD).  A security team can search for each application allowed to run on its networks to identify reported vulnerabilities and whether a patch is available.  Figure 3 shows a Microsoft Exchange search.

Figure 3: NVD Microsoft Exchange Search

Figure 3 is a partial list of 2021 Exchange vulnerabilities.  Clicking on the top vulnerability shows the information in Figure 4.   If a patch is available, it is listed in the Hyperlink section.

Figure 4: Vulnerability Availability

Patches and vulnerabilities come out in different orders, depending on who finds the vulnerability and whether it was announced before an available patch.  If the vulnerability came out first, this should already be known as part of vulnerability management.
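The NVD lookup described above can be automated against the application allowed list. The following is an added example, not code from the article or from NVD: it assumes the NVD CVE API 2.0 JSON layout (records under `vulnerabilities[].cve`, with `references[].tags`, `configurations[].nodes[].cpeMatch[].criteria` and `metrics.cvssMetricV31`), matches each record's vulnerable CPEs against the allowed list, and separates vulnerabilities that already have a reference tagged "Patch" (the Hyperlink section of Figure 4) from those that do not and therefore need interim mitigation. The three records, the CVE ids and the product names are constructed samples.

```python
"""Triage NVD CVE records against an application allowed list (added example)."""
import json

# Constructed sample in the NVD API 2.0 shape. CVE ids and products are
# placeholders, not real NVD data.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {
        "id": "CVE-0000-00001",
        "metrics": {"cvssMetricV31": [{"cvssData": {
            "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
        "references": [
            {"url": "https://vendor.example/advisory/1",
             "tags": ["Vendor Advisory", "Patch"]},
            {"url": "https://blog.example/analysis",
             "tags": ["Third Party Advisory"]}],
        "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:vendor:mailserver:2019:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {
        "id": "CVE-0000-00002",
        "metrics": {"cvssMetricV31": [{"cvssData": {
            "baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
        "references": [
            {"url": "https://blog.example/writeup",
             "tags": ["Third Party Advisory"]}],          # no patch yet
        "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:vendor:mailserver:2019:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {                                            # not on our allowed list
        "id": "CVE-0000-00003",
        "metrics": {"cvssMetricV31": [{"cvssData": {
            "baseScore": 7.5, "baseSeverity": "HIGH"}}]},
        "references": [{"url": "https://other.example/fix", "tags": ["Patch"]}],
        "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:other:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
]})


def cpe_product(criteria):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    parts = criteria.split(":")
    return parts[3], parts[4]


def triage(nvd_json, allowed_products):
    """One triage row per CVE affecting an allowed-list (vendor, product).

    Rows are sorted by base score, highest first, so the team can work
    down the list; the 'action' field records whether a patch exists.
    """
    rows = []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        affected = {cpe_product(m["criteria"])
                    for cfg in cve.get("configurations", [])
                    for node in cfg["nodes"]
                    for m in node["cpeMatch"] if m.get("vulnerable")}
        hits = affected & allowed_products
        if not hits:
            continue
        patches = [r["url"] for r in cve.get("references", [])
                   if "Patch" in r.get("tags", [])]
        metric = cve.get("metrics", {}).get("cvssMetricV31", [])
        data = metric[0]["cvssData"] if metric else {}
        rows.append({
            "id": cve["id"],
            "products": sorted(hits),
            "base_score": data.get("baseScore"),
            "severity": data.get("baseSeverity", "UNKNOWN"),
            "patch_urls": patches,
            "action": "schedule patch" if patches
                      else "interim mitigation; track vendor for patch",
        })
    rows.sort(key=lambda r: -(r["base_score"] or 0))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_NVD_RESPONSE, {("vendor", "mailserver")}):
        print(row["id"], row["severity"], row["action"], row["patch_urls"])
```

In production the JSON would come from the NVD API (or a mirrored feed) rather than the inline sample, and the allowed list from the inventory described in the previous section; the point of the `action` field is that a vulnerability with no patch reference is a vulnerability-management item, not a patch-management one, until the vendor ships a fix.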


Scan for Vulnerabilities

Vulnerability management includes regular system scanning for known vulnerabilities.  Solutions like Nessus scan for over 64,000 NVD entries. Routine scanning of each system enables insight into the vulnerabilities to identify patches.

Not all applications have up-to-date vulnerability listings.  This is another reason for application allowed lists and keeping an accurate inventory.

Prioritize Patches

As shown in Figure 3, each vulnerability has an associated criticality or risk level.  This is a general rating that often does not apply to an organization’s unique operating environment.  Consequently, a patch management team needs to assess each vulnerability in terms of its own organization’s risk.  

This video on Vulnerability Management and the CVSS explains one way to do this.  The CVSS calculator enables a team to enter qualitative information about the affected system.  This results in a criticality level appropriate to the affected system and its operating environment.

Ensure Efficient Patch Implementation and Centralize Patch Management

The next two best practices are closely related.  Efficient patch implementation requires a centralized management solution for medium and large businesses.  

Whether automated with a centralized solution or manually managed, the objectives of efficient patch implementation are the same.

  • Identify all systems requiring the patch.
  • Test the patch in a test environment running affected critical business functions.
  • Develop a backup process in case the patch breaks something; record any functionality that breaks when the patch is applied, and remove the affected system from the patch implementation schedule.
  • Roll out the patch, logging (manually or automatically) when each patch is applied and which system was patched; automated solutions can scan managed systems to determine which were or were not successfully patched.
  • Post roll-out, identify failed patching and plan remediation.
  • Identify and manage risks associated with systems that cannot be patched.
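The roll-out and post-roll-out steps above come down to one reconciliation: the target list from the inventory, the deployment log, and what a post-roll-out scan actually reports. The following is an added example, not the article's own tooling: it derives the target list from a constructed inventory, treats the scan (not the deployment log) as the source of truth for success, and separates failed, never-attempted and exempt systems so each gets the follow-up the list above calls for. Host names, versions, log lines and timestamps are all constructed.

```python
"""Reconcile a patch roll-out against a post-roll-out scan (added example)."""

# Constructed inventory: host -> (product, installed version).
INVENTORY = {
    "web01": ("mailserver", "2019.1"),
    "web02": ("mailserver", "2019.1"),
    "legacy01": ("mailserver", "2016.3"),
    "db01": ("dbengine", "12.4"),
}
# The patch being rolled out (constructed).
PATCH = {"product": "mailserver", "fixed_version": "2019.2"}
# Exempt: the patch broke a legacy application in test, so this host is
# removed from the schedule and segregated instead.
EXEMPT = {"legacy01"}
# Constructed deployment log lines: "<timestamp> <host> <result>".
DEPLOY_LOG = [
    "2021-09-01T02:00:11Z web01 success",
    "2021-09-01T02:03:40Z web02 success",
]
# Constructed post-roll-out scan: host -> version the scanner saw.
POST_SCAN = {"web01": "2019.2", "web02": "2019.1",
             "legacy01": "2016.3", "db01": "12.4"}


def version_tuple(v):
    """Compare dotted numeric versions as tuples ('2019.2' > '2019.10' is False)."""
    return tuple(int(p) for p in v.split("."))


def targets_for(inventory, patch, exempt):
    """Hosts running an affected, older version that are not exempt."""
    fixed = version_tuple(patch["fixed_version"])
    return {host for host, (product, ver) in inventory.items()
            if product == patch["product"]
            and version_tuple(ver) < fixed and host not in exempt}


def parse_log(lines):
    """Last logged result per host."""
    results = {}
    for line in lines:
        _timestamp, host, status = line.split()
        results[host] = status
    return results


def reconcile(inventory, patch, exempt, log_lines, post_scan):
    """Classify every relevant host; the scan, not the log, decides success."""
    fixed = version_tuple(patch["fixed_version"])
    logged = parse_log(log_lines)
    report = {"patched": [], "failed": [], "not_attempted": [],
              "exempt": sorted(h for h in exempt
                               if inventory[h][0] == patch["product"])}
    for host in sorted(targets_for(inventory, patch, exempt)):
        seen = post_scan.get(host)
        if seen and version_tuple(seen) >= fixed:
            report["patched"].append(host)
        elif host in logged:
            # Log claims an attempt, but the scan still shows the old version:
            # plan remediation rather than trusting the log entry.
            report["failed"].append(host)
        else:
            report["not_attempted"].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in reconcile(INVENTORY, PATCH, EXEMPT, DEPLOY_LOG, POST_SCAN).items():
        print(f"{bucket:14} {hosts}")
```

Here `web02` is logged as a success yet still scans at the old version, so it goes to the failed list for remediation, while `legacy01` appears under exempt so its risk is tracked with the segregation practice described later rather than silently dropped.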

Integrate with Vulnerability Management

Integrating patch and vulnerability management results in a two-way movement of threat management information and tasks.  Vulnerability management activities, including scanning as defined earlier, often identify weaknesses in firmware and applications for which there is no patch.  Vulnerabilities are also discovered when announced online or at the time of system security testing. These opportunities for attack frequently require interim risk mitigation until the vendors release patches.  

The broken code is logged and shared with the patch management team along with the associated risk.  This helps the patch management team with patch prioritization once patches are released.

Integrate with Change Management

An organization should make no changes to a system that does not pass through a change management process.  A change management process helps prevent breaking business functions when changes are made.  

Change management includes documenting a change, creating a backout plan, testing the change and backout plans, and obtaining signoff from stakeholders.  This video on Change Management suggests the best practice change management approach.


Segregate Patch Exempt Devices

Organizations can’t always patch a system.  Some systems run legacy applications that are broken by one or more patches.  In addition, IoT and IIoT are not always regularly patched by their vendors, but they might be needed for business operations.  When devices and systems are not patchable, organizations must assume that their associated risk grows over time.

Systems and devices that cannot be patched should be segregated on logically isolated network segments.  See VLAN network segmentation and security.

Final Thoughts

I show these best practices as a continuous cycle.  However, communication and integration between and across the cycle elements are needed to manage patching effectively.  Figure 5 shows how some of this integration might work.

Figure 5: Integration Example

Implementation of these best practices requires adaptation to each organization’s unique operating environment.  The supporting procedures may cause the cycle in Figure 2 to look much different in reality.  However, the objectives remain the same.
