Patch management is the process of distributing and applying updates to applicable devices, systems, and software. Managing patches is a crucial part of an organization's cybersecurity strategy. By implementing a patch management policy and incorporating best practices, you ensure critical vulnerabilities are managed, mitigating the risk of cyber threats.
In its most basic form, patch management is the process of installing and managing updates. This process should be pretty familiar to anyone with a computer, laptop, tablet, or smartphone since all of these devices regularly receive operating system updates. In fact, most electronic devices these days are capable of being updated. However, the term patch management more accurately refers to the process of managing updates in large quantities, for example, managing updates for a network of computers.
Another key aspect of patch management is monitoring and inventorying systems. Detailed monitoring ensures systems aren't missing patches, which could leave operating systems and third-party applications vulnerable, especially if they are missing a security patch. This type of monitoring often requires a comprehensive patch management tool.
These days, devices and software are very complex. The Windows operating system contains over 50 million lines of code, and that's nothing compared to all of Google's services, which together consist of over 2 billion lines. With that in mind, it's easy to see how mistakes, bugs, and vulnerabilities work their way into such enormous amounts of code. The sheer complexity of these systems is why Microsoft patches dozens, and sometimes more than a hundred, CVEs (common vulnerabilities and exposures) every Patch Tuesday. As you can imagine, managing these patches and deploying them to hundreds or thousands of devices can get very complicated and requires a considerable amount of planning and a good patch management tool. Consider this example.
You're an IT professional who is in charge of the patching process for your organization. Some of the computers you manage are in use during normal business hours while others are in use during evening shifts. Some departments use specialized applications that aren't found on other systems. Some systems, such as Windows servers, host applications that are critical to business operations and need to remain online as much as possible. Other systems host legacy applications that don't support newer updates. You might also have a remote site several hours away with a handful of computers that need to be updated regularly. How do you ensure all of these devices receive their necessary updates on time and aren't missing patches?
A patch management plan takes these types of scenarios into account and develops a strategy to ensure devices are regularly updated while limiting downtime and managing special use cases. Without a patch management strategy in place, devices could be left vulnerable to exploits, compromising an organization's digital security.
Software patches, or updates, are generally designed to do a few different things. They add new features, patch security vulnerabilities, fix bugs, and improve system stability and overall performance. Patch management, when properly implemented, ensures patches get tested and distributed frequently to keep your devices and systems up-to-date and secure.
Incorporating a patch management process can seem daunting at first, but most of the work happens during the planning phase. Some of the items that should be considered during the planning phase are:
The overall cybersecurity and patching needs of the organization.
Unique network components and configurations
Any special departmental and user needs.
How to determine acceptable risks.
How to organize and categorize your assets.
How to test updates before distributing them throughout the network.
A patch deployment time frame. (How quickly should patches be deployed once they've been released and tested?)
How to handle uncommon situations, such as distributing out-of-band patches. (Out-of-band patches are updates that are distributed out of the normal patch cycle, often to fix a critical vulnerability. For example, Microsoft releases most of their patches during Patch Tuesday, which is the second Tuesday of each month. However, if there is a critical vulnerability that needs to be patched immediately, Microsoft will often release an out-of-band patch to address the vulnerability instead of waiting until the next Patch Tuesday to distribute it.)
Once a plan has been developed, the actual implementation should be broken down into manageable steps. This could be accomplished by making changes one department at a time or perhaps broken up by physical locations. Just remember, there is no rule that says a plan must be adopted network-wide all at once.
Every network environment is unique, meaning each patch management plan will need to be custom-tailored to the needs of the network. However, there are several best practices to consider when developing a patch management plan.
Perhaps the most important part of patch management is knowing what threats and vulnerabilities exist and what patches have been released by the vendors you use. Most vendors host a security advisory page and let you sign up for alerts via email notification; Dell and HP, for example, each publish a security advisory page. There are also many popular blog sites, including our own blog, that report on critical vulnerabilities and breaking cybersecurity news to help users stay up-to-date.
We could probably write an entire article on this topic alone, and one day we just might. But in the meantime, let me offer a few suggestions to help get you started.
Identify a group of computers/users to designate as a testing group. This group should resemble the makeup of your network but on a much smaller scale. Include users and systems from various departments to ensure testing incorporates as many systems as possible. Also, choose your users wisely. Selecting the users who would provide the most accurate feedback possible is something to keep in mind.
Keep your test group small. If an update comes out that has a detrimental effect on your systems, it's better to have a small mess to clean up than a big one.
Deploy patches to your test systems as quickly as possible. This gives your test group enough time with the new updates to properly test them before the updates need to be rolled out to the rest of your environment.
Be consistent with your time frames. Deploy updates to your general network within a week or two of release, and deploy updates to more sensitive systems once the updates have been thoroughly verified in the earlier rings.
I know I just said to be consistent, and now I'm saying to be flexible, but hear me out. The patch management process is not a perfect science, and no two network environments are alike. If a patch is released for a critical vulnerability that is actively being exploited, you may want to limit the testing period to only a day, or maybe even just a few hours before releasing it to the majority of your devices. The opposite could also be true. Perhaps a bug fix is released that is causing more problems than it is fixing. Maybe skip that patch until a better one is released.
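The schedule described above (Patch Tuesday, out-of-band releases, test/general/sensitive rings, and a compressed testing window when a bug is being actively exploited) can be turned into plain date arithmetic. The following is an added example, not code from PDQ or from this article; the ring names, the 0/14/21-day lags, and the 0/1/2-day expedited lags are assumptions taken from the guidance above, so replace them with your own plan's numbers.

```python
"""Patch Tuesday dates and rollout-ring deadlines (added example, not PDQ's code)."""
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday is 0, Tuesday is 1


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's regular release day."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def is_out_of_band(release: date) -> bool:
    """True for a Microsoft release that did not land on that month's Patch Tuesday."""
    return release != patch_tuesday(release.year, release.month)


# Assumed ring lags in days after release (illustrative, not a vendor rule):
# test group the same day, general population within two weeks, sensitive
# systems a week after that.
STANDARD_RINGS = (("test", 0), ("general", 14), ("sensitive", 21))

# Assumed compressed schedule for a patch fixing an actively exploited bug:
# one day in the test group, then everything else over the next two days.
EXPEDITED_RINGS = (("test", 0), ("general", 1), ("sensitive", 2))


def rollout_schedule(release: date, exploited: bool = False) -> dict[str, date]:
    """Deadline per ring for a patch released on `release`, in rollout order."""
    rings = EXPEDITED_RINGS if exploited else STANDARD_RINGS
    return {name: release + timedelta(days=lag) for name, lag in rings}


def rings_due(release: date, today: date, exploited: bool = False) -> list[str]:
    """Rings whose deadline has arrived by `today`, in rollout order."""
    return [name for name, due in rollout_schedule(release, exploited).items()
            if due <= today]


if __name__ == "__main__":
    release = patch_tuesday(2024, 3)  # 2024-03-12
    print("Patch Tuesday:", release)
    for ring, due in rollout_schedule(release).items():
        print(f"  {ring:<9} due {due}")
    print("Out-of-band release on 2024-03-19?", is_out_of_band(date(2024, 3, 19)))
    print("Rings due by 2024-03-27:", rings_due(release, date(2024, 3, 27)))
```

`rings_due` is the piece you would wire into a deployment tool or a nightly report: it answers "which ring should have this patch by now?" from nothing but the release date and the exploited flag, so the same function drives both the normal cycle and the out-of-band path.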
Let your users know your patch management plan and when they can expect to receive updates. Being transparent is beneficial for both the users and for the IT team.
An exception is when a patch is available, but you decide it's not in the best interest of your network to deploy it. Perhaps the patch conflicts with an existing system and would cause it to crash. Whatever the reason, ensure these scenarios are thoughtfully considered, especially when the patch is designed to close a vulnerability. If a vulnerability patch needs to be declined, see if there is another way to mitigate the risk of the vulnerability, such as restricting network access to the affected service, then document the exception, the compensating control, and a date to revisit it so the declined patch doesn't quietly become permanent.
Choosing the right patch management software for your organization is an incredibly important choice. The right systems can simplify or even automate patch management, meaning fewer staff hours dedicated to patching and reporting. On the other hand, the wrong system may be overly complicated, resulting in IT staff dedicating too many resources to ensure the system functions properly.
Here are a few things to look for when deciding on a patch management solution for your organization.
If your IT department has limited resources, look for a solution that offers automated patch management. An automated solution can be configured to deploy patches automatically when new updates are released.
Another tip for smaller IT teams is to look for a simple solution that offers a lot of functionality right out of the box. Some patch management software can require a lot of management and configuration.
Make sure the patch management solution supports the systems and applications you use on your network.
Some patch management solutions offer a pre-built application and patch library, which can significantly reduce the time it takes to get things deployed.
As we mentioned earlier, inventory management is an essential part of patch management. Make sure the solution you choose offers the ability to collect detailed information from your systems so you know which devices are up to date and which devices need patches.
Demo the product before you buy it. The best way to know if a solution is right for your organization is to try it out.
Lastly, make sure the product has a good support team and an abundance of resources such as guides and tutorials. Training materials can make all the difference when implementing a new system.
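The inventory data a patch management tool collects is only useful once it is compared against what each system should have installed. The following added example (not PDQ's code, and not any tool's real export format) reconciles a constructed inventory export against a required-updates baseline, honours the documented exceptions discussed earlier so a declined patch is reported as an exception rather than as a gap, and flags devices whose OS has no baseline at all, which is itself an inventory problem to fix. The CSV layout, host names, and KB numbers are all fictitious.

```python
"""Reconcile a patch inventory export against a required-updates baseline
(added example, not PDQ's code; data and CSV layout are constructed)."""
import csv
from io import StringIO

# Constructed inventory export: one row per device, installed updates
# separated by ';'. KB numbers and host names are fictitious.
INVENTORY_CSV = """hostname,os,installed_kbs
WS-ACCT-01,Windows 11,KB1000001;KB1000002
WS-ACCT-02,Windows 11,KB1000001
SRV-FILE-01,Windows Server 2022,KB1000003
SRV-LEGACY-01,Windows Server 2012 R2,
WS-MKT-01,macOS 14,
"""

# Constructed baseline: the updates every device of a given OS must have.
REQUIRED = {
    "Windows 11": {"KB1000001", "KB1000002"},
    "Windows Server 2022": {"KB1000003"},
    "Windows Server 2012 R2": {"KB1000004"},
}

# Documented exceptions: (host, KB) -> reason plus compensating control.
EXCEPTIONS = {
    ("SRV-LEGACY-01", "KB1000004"):
        "patch crashes legacy app; affected port filtered at the host firewall",
}


def parse_inventory(text: str) -> dict[str, dict]:
    """Return {hostname: {"os": str, "installed": set of KB ids}}."""
    devices = {}
    for row in csv.DictReader(StringIO(text)):
        installed = {kb.strip().upper()
                     for kb in row["installed_kbs"].split(";") if kb.strip()}
        devices[row["hostname"].strip()] = {"os": row["os"].strip(),
                                            "installed": installed}
    return devices


def reconcile(devices: dict, required=REQUIRED, exceptions=EXCEPTIONS) -> dict[str, dict]:
    """Per host: KBs still missing, KBs missing but covered by a documented
    exception, and whether the OS has no baseline (an inventory gap)."""
    report = {}
    for host, info in devices.items():
        baseline = required.get(info["os"])
        if baseline is None:
            report[host] = {"missing": [], "excepted": {}, "no_baseline": True}
            continue
        missing, excepted = [], {}
        for kb in sorted(baseline - info["installed"]):
            reason = exceptions.get((host, kb))
            if reason:
                excepted[kb] = reason
            else:
                missing.append(kb)
        report[host] = {"missing": missing, "excepted": excepted, "no_baseline": False}
    return report


def hosts_missing(report: dict, kb: str) -> list[str]:
    """Hosts that still need `kb` (documented exceptions excluded)."""
    return sorted(h for h, r in report.items() if kb in r["missing"])


def compliance(report: dict) -> tuple[int, int]:
    """(fully patched hosts, total hosts). An excepted KB counts as handled;
    a host with no baseline does not count as compliant."""
    ok = sum(1 for r in report.values() if not r["missing"] and not r["no_baseline"])
    return ok, len(report)


if __name__ == "__main__":
    report = reconcile(parse_inventory(INVENTORY_CSV))
    for host, r in report.items():
        print(f"{host:<14} missing={r['missing']} excepted={list(r['excepted'])}"
              f" no_baseline={r['no_baseline']}")
    print("compliant: %d/%d" % compliance(report))
```

Two design points worth keeping when you adapt this to a real export: exceptions are keyed per host and per KB, so a declined patch on one legacy server never hides the same missing patch on everything else, and a device whose OS has no baseline is surfaced explicitly instead of silently passing because nothing was required of it.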
Finding the right patch management software for your organization can be tricky, but several great solutions are available. We may be slightly biased, but PDQ Deploy and PDQ Inventory offer a simplistic but powerful approach to patch management. With automation, inventory management, hundreds of pre-built packages, customizability, world-class support, and an enormous amount of available resources on the PDQ blog, support site, and YouTube channel, we think you'll find everything you need for your patch management strategy.
Patch management is a pretty simple concept to understand, with a lot of underlying complexity. When developing a patch management strategy, take your time and thoroughly plan out what the needs of your organization are. Once your strategy is in place, find a patch management tool that will help you get the job done. Lastly, keep yourself informed of the latest vulnerabilities impacting your systems. As cyberattacks increase in frequency and severity, it's never been more important to keep your devices up to date.