Deploying software updates is a necessary part of the sysadmin lifestyle. While most of us probably don't necessarily enjoy the process, we'll take updating systems over recovering from a cyberattack any day of the week. Thus, we carry on, vigilantly patching our devices.
But deploying software updates doesn't need to be a tedious task. In fact, chances are you can automate a majority of the process with the right tools and a little know-how. To help elevate your patch management game, here are ten best practices you should consider when deploying software updates across your company.
10 software update deployment best practices
As we dive into this list, it's important to remember that no best practice works for every organization. These are general guidelines and recommendations that you can use to customize and develop your own patch management plan. Take what works for you, and customize what doesn't. As long as you get updates distributed to your devices on time, you're doing things right.
1. Know your network
While this list is in no particular order of importance, there is a reason I've listed knowing your network as #1. Knowing your network, systems, devices, software, and users is first on this list because you can't adequately plan out software update deployments without this information.
Here's some of the essential information you should know about your IT environment:
The makes and models of the hardware devices on your network
Utilized operating systems
Network structure and resources
Hours of operation
While this may seem like a lot of information to gather, many available systems can manage the task for you. For example, PDQ Inventory is a device management platform that automatically scans your network for Windows devices, gathering, organizing, and centrally storing detailed system configuration information for you. It can take care of getting to know your devices and systems while you get to know your users and their needs.
2. Stay informed
This concept may seem simple, but it's probably more challenging than you think. Consider all of the devices and systems you support. This list could quickly grow into the hundreds. Staying on top of updates for each system is no easy feat.
While some systems release updates on a pretty regular basis, for example, Microsoft and Adobe release updates on Patch Tuesday (the second Tuesday of every month), other systems don't have a steady release schedule. Even Microsoft and Adobe frequently release out-of-band security patches to address vulnerabilities.
To help stay informed about the latest software updates, consider subscribing to RSS feeds, following developer social media accounts, and signing up for mailing lists for systems you utilize. Additionally, the PDQ Blog covers all the latest patching and vulnerabilities news you need with a side of sarcasm and enough tech jokes to keep things mildly entertaining.
3. Compliance standard requirements
Many organizations must adhere to specific standards to meet regulatory requirements, such as PCI DSS and SOC 2. Some regulatory standards require deploying software updates within a particular time frame of release. Identifying which compliance standards your organization is required to meet will help you plan your patch deployment schedule.
4. Develop a schedule that works for your organization
Once you've gotten to know your IT environment and your regulatory requirements, it's time to develop a software patch deployment strategy that works for your organization. This step is often the most difficult because of the substantial number of factors to consider.
Since each organization is unique, there is no one-size-fits-all approach to developing a deployment schedule, but here are a few tips to help out:
Don't deploy updates that require restarts during the middle of the day. This practice is considered full contact IT, and it is generally frowned upon — by users at least.
Establish a maintenance window that doesn't conflict with peak operation hours and heavy network traffic periods.
Some updates, like Microsoft Windows feature updates, can lock down a system for a considerable amount of time. Consider deploying these types of updates after regular business hours.
Divide your systems into preview, broad, and critical software update groups. The preview software update group is your tester group, which should receive updates shortly after release. The broad group should consist of the majority of your systems. These systems should receive patches after testing is complete. Essential systems belong in the critical software update group and should receive patches once they've been thoroughly tested and potentially delayed indefinitely if there are compatibility issues.
5. Be transparent
Once you've nailed down the perfect patch deployment schedule, inform your users of when to expect updates and their potential impact on their system. The workforce is a pretty tech-savvy bunch these days. Most users have a basic understanding of software updates and what it means for their systems. Keeping them informed builds trust.
If you ever get users complaining about updates, remind them of the risks associated with vulnerabilities and the consequences of a security breach. This info usually helps them understand why we do what we do.
6. Be ready to adapt
Certain patches, such as Microsoft's updates, you can count on. Every Patch Tuesday, they'll become available to the masses. Other updates, however, aren't as routine.
IT teams need to be able to adapt and respond to patching needs, especially when a zero-day vulnerability is disclosed. Vendors take critical vulnerabilities very seriously and release patches ASAP. Ensuring your IT team can properly respond to out-of-band and last-minute critical software updates is an essential part of securing your organization's digital assets.
7. Servers require special care
Servers are often a crucial part of an organization's IT infrastructure. As such, always take extra caution when updating servers. Windows Server receives cumulative updates every Patch Tuesday, just like its desktop OS counterpart. Consider delaying server patches for several days. This gives the tech community time to report any unintended behaviors or compatibility issues introduced by the updates. However, if a server is exposed because of a critical vulnerability, immediate patching is always recommended, though I'd still suggest doing it after hours — just in case.
8. Proper testing saves you time and energy
One of the most important aspects of deploying software updates is properly testing them before distributing them to the masses. Properly testing patches will save you a ton of time and aggravation if a problematic update needs to be uninstalled. Here are a few things to consider when establishing your testing process:
Send out patch deployments to your test machines and users as quickly as possible. This gives your testers adequate time to thoroughly test updates before they need to be deployed to your broad group.
Your test group should include a subset of machines that reflects the diversity of your organization's assets as a whole.
Enlist test users that are more likely to provide relevant and informational feedback.
Keep your test group small enough that if a problem patch is distributed, it’s easy to remove.
9. Automate to stay up to date
Sysadmins have a lot of responsibilities on their plates. Often, the only way for them to reliably distribute patches across thousands of devices and systems is to use patch management software to automate the process. A patch manager solution can utilize automatic deployment rules to distribute updates across an organization. While various solutions provide this functionality, few products make it as easy as PDQ Deploy. Sysadmins struggling to keep up with their patch management needs can download a free 14-day trial to see for themselves how easy deploying patches can be.
10. Audit your deployments
I can't say I've ever met a person who enjoys audits. I'm not even sure auditors like audits. Regardless, auditing is a necessary part of the job, especially as we rely more heavily on tools to automate tasks like deploying software updates. Auditing ensures updates are being deployed successfully and you don't have systems on your network that are missing patches. One system left with an unpatched vulnerability is all it takes for a bad actor to access your organization's network and assets.
To help your audits run smoothly, look for tools that provide intelligent reporting features, such as PDQ Deploy and Inventory. PDQ allows you to configure auto reports, ensuring you have all the information you need whenever you need it.
No two networks are alike
As I mentioned before, this best practice list should be used as a guideline, not as a definitive set of instructions for you to follow. Each organization's network environment is unique, and a patch deployment plan should be custom-tailored to fit your needs. Just remember: The key objective of deploying software updates is ensuring your organization stays up to date and vulnerability free.