Patch management is the process of installing and managing updates on devices, operating systems, and software. For sysadmins, patch management happens at scale across a network of computers.
Oftentimes, you can automate at least part of the patch management process. And that’s a beautiful thing because as often as we have to patch, anything other than an automated process would be unbearable. 😅
Why is patch management important?
Patch management is an important step in keeping your devices up to date and secure. And when things don’t go as planned, a patch management policy limits downtime.
These days, devices and software are complex. In fact, the Windows operating system contains more than 50 million lines of code. And that's nothing compared to all of Google's services, which consist of more than 2 billion lines of code.
With that in mind, it's easy to see how some mistakes, bugs, and vulnerabilities could sneak in. The sheer complexity of these systems is why we see Microsoft patching thousands of common vulnerabilities and exposures (CVEs) each month. As you can imagine, managing and deploying these patches to hundreds or thousands of devices can get complicated and require considerable planning and a good patch management approach.
Consider this example: You’re an IT professional who oversees the patching process for your organization. Some of the computers you manage are used during normal business hours while others are used during evening shifts. Some departments use specialized applications that aren’t found on other systems. Some systems, such as Windows servers, host applications critical to business operations that need to remain online as much as possible. Other systems host legacy applications that don’t support newer updates. You might also have a remote site several hours away with a handful of computers that need regular updates. How do you ensure all these devices receive their necessary updates on time?
An effective patch management policy takes these types of scenarios into account and develops a strategy to ensure devices are regularly updated while limiting downtime and managing special use cases. Without a patch management policy, devices could be one vulnerability away from a serious security compromise.
How does the patch management process work?
Just like your car requires regular tune-ups, computers and software require regular patching to protect against the latest threats, security risks, and vulnerabilities. Patch management is the recurring task of planning, testing, and deploying patches to the devices and software that need them.
Here’s what your typical patch management process might look like.
1. Planning for patch management
Before you can patch, you need to know what needs patching. And to know what needs patching, you need to know what devices, operating systems, and software exist in your environment. That’s where inventorying comes into play.
You can use certain tools, such as (shameless plug incoming) PDQ Inventory, to automate the otherwise tedious process of finding and documenting the details about the devices in your environment. From there, you can determine which patches are relevant and need to be included in your next batch of updates.
2. Testing patches
Have you ever had a Windows update that instantly unhinged your day? We could probably write an entire article on proper patch testing, and one day we just might. But in the meantime, here are a few suggestions to help you get started.
Identify a group of computers/users to designate as a testing group. This group should resemble the makeup of your network but on a much smaller scale. Include users and systems from various departments to ensure testing incorporates as many systems as possible. Also, choose your users wisely. Select the users who would provide the most accurate feedback.
Keep your test group small. If an update has a detrimental effect on your systems, it’s better to have a small mess to clean up than a big one.
Ensure patches are deployed to your test systems as quickly as possible. This gives your test group enough time with the new updates to properly test them before they are rolled out to the rest of your environment.
3. Deploying patches
If nothing breaks during the testing stage, you can deploy the patches to the devices in your environment. Again, there are tools that make this tedious process significantly easier, such as (another shameless plug incoming) PDQ Deploy. Once you confirm that no errors resulted upon deployment, your work here is done.
Many sysadmins who work with Windows have the second Tuesday of every month circled on their calendars. This marks Patch Tuesday — the day when Microsoft releases a monthly roundup of critical updates and patches. But there are exceptions to the rule: Microsoft often addresses critical vulnerabilities as soon as a patch is available.
Microsoft’s Patch Tuesday reports can be daunting. Get your TL;DR on the PDQ blog with our Patch Tuesday recaps. Each month, we walk through the highlights (or lowlights), pointing out critical vulnerabilities and how to patch them. And if video is more your style, check the PDQ YouTube channel on Patch Tuesday for a walkthrough.
What are the benefits of patch management?
Patch management keeps your machines safe, secure, and up to date. Patches and updates deliver these benefits in several ways: they add new features, close security vulnerabilities, fix bugs, and improve operating system stability and overall performance.
When properly implemented, patch management ensures patches are tested and distributed frequently to keep your devices and systems updated and secure.
Are there any challenges to patch management?
Patch management comes with its own challenges. Three of the top challenges sysadmins face when it comes to the patching process are lack of time, lack of resources, and lack of visibility.
1. Lack of time
From identifying missing patches to testing the relevant ones to actually deploying patches, patching can take up a good chunk of time. Now, multiply this effort for each vulnerability — it adds up fast. Sysadmins are already concerned about their IT workloads, and patch management adds to their already overwhelming to-do lists.
2. Lack of resources
From lack of staff to lack of tools, many sysadmins don’t have the resources they need to make patch management easier. Without automated tools, patching becomes a manual, tedious process. And if a team is already understaffed, freeing up time to manually validate and deploy patches may seem like an uphill battle.
3. Lack of visibility
As we mentioned earlier, you need visibility into your environment to know which systems have which programs — and which versions of those programs are installed. Knowing what you’re working with is step one of patch management, but some teams lack a formal asset inventory, which complicates the process.
Patch management best practices
Every network environment is unique, so each patch management plan should be tailored to the needs of the network. However, there are a few universal patch management best practices to consider when developing a patch management plan. Here are a few of our tried-and-true best practices.
Perhaps the most important part of patching is knowing what threats and vulnerabilities exist — and if there are security patches that address them.
Most vendors host a security advisory page and allow you to sign up for alerts via email. Also, many popular blog sites, including PDQ's, report on critical vulnerabilities and breaking cybersecurity news to help users stay up to date.
On that note, be sure you have a policy in place for vulnerability management. Vulnerability management is knowing which vulnerabilities are relevant to your environment — and having a plan to remedy them.
Vulnerability management gives you a to-do list filled with vulnerabilities that need addressing. Patch management is the act of completing that to-do list and applying those security patches.
Be consistent with your update schedule
Deploy updates to test groups as soon as possible. Deploy updates to your general network within a week or two of release, and deploy updates to more sensitive systems once the updates have been thoroughly verified.
I know I just said to be consistent, and now I’m saying to be flexible, but hear me out.
Effective patch management is not a perfect science, and no two network environments are alike. Plus, not all patches are created equal. For example, if a vendor releases a patch for a critical vulnerability that’s actively being exploited, you may want to limit the testing period before releasing it to the majority of your devices.
But the opposite could also be true. Perhaps a vendor releases a bug fix that causes more problems than it fixes. Maybe skip that patch until a better one is released.
Let your users know your patch management plan and patch deployment schedule. Being transparent is beneficial for both the users and the IT team.
Plan for exceptions and mitigate their risks
An exception is when a patch is available, but you decide it’s not in the best interest of your network to deploy it. For example, perhaps the patch conflicts with an existing system and would cause that system to crash.
Whatever the reason, consider these scenarios thoughtfully, especially when the patch is designed to secure a known vulnerability. If you need to decline a vulnerability patch, see if there’s another way to mitigate the risk of the vulnerability.
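To make the schedule and the exception rule concrete, here is an added example (not from the original post and not PDQ's code) that computes Patch Tuesday, assigns ring target dates, shortens the window for an actively exploited patch, refuses to record a declined patch without a documented mitigation, and reports which devices are overdue. The ring delays, device names and KB identifiers are assumed sample values.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Ring delays (days after release) are assumed values chosen to match the post:
# test group at once, general network within a week, sensitive systems after a
# longer verification window. Actively exploited patches get a shorter window.
RING_DELAY_DAYS = {"test": 0, "general": 7, "sensitive": 21}
EXPEDITED_DELAY_DAYS = {"test": 0, "general": 1, "sensitive": 3}


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's regular release day."""
    first = date(year, month, 1)
    days_to_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_tuesday + 7)


@dataclass
class Patch:
    kb: str                     # constructed sample identifier, not a real KB
    released: date
    actively_exploited: bool = False
    declined_reason: str = ""   # non-empty records an exception
    mitigation: str = ""        # must be documented whenever a patch is declined


def deployment_plan(patch: Patch) -> dict:
    """Target date per ring, or the recorded exception for a skipped patch."""
    if patch.declined_reason:
        if not patch.mitigation:
            raise ValueError(f"{patch.kb}: declined patch needs a documented mitigation")
        return {"exception": patch.declined_reason, "mitigation": patch.mitigation}
    delays = EXPEDITED_DELAY_DAYS if patch.actively_exploited else RING_DELAY_DAYS
    return {ring: patch.released + timedelta(days=d) for ring, d in delays.items()}


def overdue(devices: dict, patches: list, today: date) -> dict:
    """devices maps name -> (ring, set of installed KBs). Returns name -> KBs that
    are past their ring's target date but still missing; declined patches skip."""
    report = {}
    for name, (ring, installed) in devices.items():
        due = []
        for p in patches:
            plan = deployment_plan(p)
            if "exception" not in plan and p.kb not in installed and plan[ring] <= today:
                due.append(p.kb)
        report[name] = due
    return report
```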
Keep these best practices in mind, and you’ll be well on your way to a solid patch management process.
How to choose patch management software
Here are a few things to look for when deciding on a patch management solution for your organization.
Automated patch management: You can configure these solutions to deploy missing patches automatically when new security patches are released.
Simple, out-of-the-box functionality: This is especially important if you’re on a smaller IT team. Some patch management software requires a lot of management and configuration. Other options offer prebuilt application and patch libraries, which can significantly reduce the time it takes to deploy.
Compatibility: Make sure the patch management solution supports the systems and applications you use on your network.
Information collection: Make sure the solution you choose can collect detailed information from your systems. Inventory management is an essential part of patch management. You need to know which devices are up to date and which need patches.
Product demos: The best way to know if a solution is right for your organization is to try it out.
Good support team and training materials: An abundance of resources, such as guides and tutorials, can make all the difference when implementing a new system.
A high-quality patch manager can simplify or even automate patch management, meaning fewer staff hours dedicated to patching and reporting. On the other hand, the wrong system may be overly complicated, resulting in IT staff dedicating too many resources to ensuring the system functions properly.
Finding the right patch management software for your organization can be tricky, but several great solutions are available.
Patch management is a pretty simple concept, but it can be pretty complex to set up and execute.
When developing a patch management policy, take your time and thoroughly plan out your organization's needs. And then, find a patch management tool that helps you get the job done.
We may be slightly biased, but PDQ Deploy & Inventory and PDQ Connect offer a simple but powerful approach to patch management. With automated patch management, patch deployment, and hundreds of prebuilt packages, we think you'll find everything you need for your patch management strategy. Why not sign up for a free trial?