Leverage your people and resources most efficiently by streamlining remediation, a traditionally tedious and time-consuming task. Automate the steps of aggregating key information, retrieving fixes for identified vulnerabilities, and ultimately—when appropriate and/or approved by a sysadmin—applying the patches. Upon completion, you can have InsightVM automatically re-assess impacted assets to verify successful patching. This way, you can stop worrying about the mundane and repetitive aspects of your job, and refocus your efforts toward a larger vulnerability management strategy.
Patch management has long been a song of constant sorrows for the system administrator. There have been improvements, but still, 80 percent of enterprise systems have unpatched CVE vulnerabilities.
The good news is, software patching has gotten better over time. The bad news is, the complexity of the enterprise has grown twice as much over the same time period. Today, the biggest challenge facing an enterprise administrator isn’t just patching, it’s what to patch and where to patch inside their multi-location network.
But there is hope. A host of patch management best practices and tools guarantee to help with the process and protect your data, applications and network.
Why is patch management important? Patching not only keeps systems and applications running smoothly, but it’s also one of the core activities involved in keeping today’s organizations secure. Leaving machines unpatched makes them vulnerable to cyber-attacks, and the risk is anything but theoretical. In fact, according to the Ponemon Institute, the majority of data breaches (57%) can be directly attributed to attackers exploiting a known vulnerability that hadn’t been patched.
What does an effective patch management process look like? Below is a 10-step template that highlights the fundamental considerations that need to go into any patch management plan. Before diving into this workflow you’ll want to make sure you’ve worked with your client to establish clear roles and responsibilities for each step, and that all key stakeholders are fully on board.
Step 1: Discovery First, you need to ensure you have a comprehensive network inventory. At the most basic level, this includes understanding the types of devices, operating systems, OS versions, and third-party applications. Many breaches originate in neglected or forgotten systems that IT has lost track of. MSPs should use tools that let them scan their clients’ environments and get comprehensive snapshots of everything on the network.
Step 2: Categorization Segment managed systems and/or users according to risk and priority. Examples could be by machine type (server, laptop, etc.), OS, OS version, user role, etc. This will allow you to create more granular patching policies instead of taking a one-policy-fits-all approach.
Step 3: Patch management policy creation Create patching criteria by establishing what will be patched, when, and under what conditions. For example, you may want to ensure some systems/users are patched more frequently and automatically than others (the patching schedule for laptop end users may be weekly, while patching for servers may be less frequent and more manual). You may also want to treat different types of patches differently, with some having a quicker or more extensive rollout process (think browser updates vs. OS updates, or critical vs. non-critical updates). Finally, you’ll want to identify maintenance windows to avoid disruption (taking into account time zones for “follow the sun” patching, etc.) and create exceptions.
Step 4: Monitor for new patches and vulnerabilities Understand vendor patch release schedules and models, and identify reliable sources for timely vulnerability disclosures. Create a process for evaluating emergency patches.
Step 5: Patch testing Create a testing environment or at the very least a testing segment to avoid being caught off guard by unintended issues. That should include creating backups for easy rollback if necessary. Validate successful deployment and monitor for incompatibility or performance issues.
Step 6: Configuration management Document any changes about to be made via patching. This will come in handy should you run into any issues with patch deployment beyond the initial test segment or environment.
Step 7: Patch rollout Follow the patch management policies you established in step 3.
Step 8: Patch auditing Conduct a patch management audit to identify any failed or pending patches, and be sure to continue monitoring for any unexpected incompatibility or performance issues. It’s also a good idea to tap specific end users who can help by being additional eyes and ears.
Step 9: Reporting Produce a patch compliance report you can share with your clients so they gain visibility into your work.
Step 10: Review, improve, and repeat Establish a cadence for repeating and optimizing steps 1-9. This should include phasing out or isolating any outdated or unsupported machines, reviewing your policies, and revisiting exceptions to verify whether they still apply or are necessary.
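The following is an added example, not part of the original article or any vendor tool: it ties together steps 1, 2, 3, 8 and 9 above as a small patch audit. A constructed inventory of assets is categorized by machine type, each category gets its own policy window (laptops weekly, servers less often), and the audit classifies every required patch as installed, failed, pending or overdue before producing a compliance figure for the report. Asset names, patch ids and dates are made up.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Step 3 policy: how many days a missing patch may remain uninstalled before
# it counts as overdue. Values are constructed for this example.
POLICY_MAX_AGE_DAYS = {"laptop": 7, "server": 30}

@dataclass
class Asset:
    name: str
    category: str                 # step 2: machine type selects the policy
    required: dict                # patch id -> vendor release date (step 4)
    installed: set = field(default_factory=set)
    failed: set = field(default_factory=set)   # step 8: deployment failures

def audit(assets, today):
    """Step 8: classify each asset's required patches as installed, failed,
    pending (still inside the policy window) or overdue (outside it)."""
    report = {}
    for a in assets:
        max_age = timedelta(days=POLICY_MAX_AGE_DAYS[a.category])
        status = {"installed": [], "failed": [], "pending": [], "overdue": []}
        for patch, released in a.required.items():
            if patch in a.installed:
                status["installed"].append(patch)
            elif patch in a.failed:
                status["failed"].append(patch)
            elif today - released > max_age:
                status["overdue"].append(patch)
            else:
                status["pending"].append(patch)
        report[a.name] = status
    return report

def compliance(report):
    """Step 9: percentage of assets with no failed or overdue patches."""
    ok = sum(1 for s in report.values() if not s["failed"] and not s["overdue"])
    return round(100 * ok / len(report), 1) if report else 100.0

# Constructed sample inventory (step 1); names, patch ids and dates are made up.
TODAY = date(2019, 1, 15)
INVENTORY = [
    Asset("lt-01", "laptop", {"KB-A": date(2019, 1, 2), "KB-B": date(2019, 1, 12),
                              "KB-D": date(2018, 12, 20)}, installed={"KB-A"}),
    Asset("srv-01", "server", {"KB-A": date(2019, 1, 2), "KB-C": date(2018, 12, 1)},
          installed={"KB-A"}, failed={"KB-C"}),
    Asset("srv-02", "server", {"KB-A": date(2019, 1, 2)}, installed={"KB-A"}),
]
REPORT = audit(INVENTORY, TODAY)   # lt-01: KB-B pending, KB-D overdue
```

A real deployment would feed the inventory from a scanner and the release dates from the vendor feeds identified in step 4; the classification logic stays the same.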
What are patch management best practices for MSPs heading into 2019? As demand for effective patch management continues to grow, MSPs need to improve their own process and offerings or risk falling behind. Here are three keys to MSPs providing smarter, more efficient, and more effective patch management services in 2019.
Automate as much as possible Patching is a game that’s extremely easy to fall behind in, especially if you’re still relying on identifying, evaluating, and deploying patches manually. Cloud-based, automated patch management software allows MSPs to schedule regular update scans, and ensure patches are applied under specific conditions or automatically.
Mitigate the need to constantly validate patch deployment Despite patching automation becoming increasingly popular, MSPs, unfortunately, can’t always assume automated patching solutions are working as promised. That means time-consuming, manual validation. Developing scripts or processes to ease that burden (or, better yet, utilizing solutions that don’t require double-checking) is a worthwhile investment.
Streamline reporting Everything you do as an MSP should be communicated as an added value to your clients. Patch management should be no exception, but delivering patch management audit reports should be as automatic as possible. After all, the more time reporting takes, the less time you have for providing additional services and growing your business.
We at Scorpiones can guide you through patching automation for your enterprise, whether that means developing scripts and processes or adopting solutions that don’t require double-checking; either is a worthwhile investment.
Contact us now for more information.