Ten secrets to successful patch management
Ten secrets to successful patch management
The recent spate of Java vulnerabilities has required a number of large vendors to react almost instantly to ensure security levels are kept to an optimum.
As good as these reactions are; organisations urgently need to apply greater insightful strategic thinking to ensure that security updates are reaching the entire organisation's IT estate.
From our analysis of anonymous hardware and software data (including thousands of PCs and servers in 6,000 organisations across public sector establishments currently running our solution), we've found that 40 per cent of servers and workstations are missing security patches.
In addition, six vendors: Microsoft, Adobe, Mozilla, Apple, Oracle and Google, together released 257 security bulletins/advisories fixing 1,521 vulnerabilities in 2011. In 2010, these vendors fixed 1,458 vulnerabilities, demonstrating the extent of the issue, as well as the numbers of bulletins we annually face.
With more and more bodies utilising remote working, the challenge isn't just to implement patches as they are released, but also to be fully confident that devices have been updated and are thus continuously safeguarded. So what are the ten key areas IT experts should tick off the list for a successful patch management implementation?
Transparency is key
At the heart, asset discovery is essential. If you don't know what you've got, you don't know the extent of the problem you may have. If you do nothing else, make sure you know where your IT assets are; this is a quick gain that will put your house in order.
Once the estate is established, it's key to have real-time visibility of the assets you support. With the urgency in which we need to manage patches, the first secret is to not only have full awareness of the estate but instantly know the health of it too.
Don't just look at the security
Knowing the whereabouts and health of the IT estate is paramount, as it provides the intelligence for ensuring it is secure. A study of public sector chief information officers in December 2012 found that 87 per cent of respondents were either concerned or very concerned about the risks associated with IT security breaches.
This is a clear indication of the priority this is for many technology experts. In addition to security, also keep an eye on securing IP, as it can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host.
Define your patch nirvana
While the audit and assessment element of patch management will help identify systems that are out of compliance with your guidelines, there needs to be additional work to reduce non-compliance.
Start by creating a baseline, a standard to which you want the entire estate to comply to. Once complete, it's easier to bring controls in line to ensure that newly deployed and rebuilt systems are up to spec with regard to patch levels.
Face the facts
You must know which security issues and software updates are relevant to your environment. Further analysis of our data showed that 50 per cent of PCs and laptops are still running Windows XP, and 32 per cent of devices are over four years old.
Beyond patch management and the protection against vulnerabilities and exploits, which by now must have caught the attention of heads of IT globally, is the preparation and planning ahead of end of life Windows XP support. If you do not replace, there is no way to safeguard.
If you do replace, this has implications on expenditure. So ensure you not only have a realistic view of patch management and its limitations, but also ask whether the discipline of patch management indirectly ensures the infrastructure and IT estate is a viable one from support and budget perspectives.
Do it your way with software policies
You can customise policies targeted at filters or groups at the account or profile level. The filter targets can be either the default filters provided within your account or any custom filters than you have previously defined.
The secret here is to define custom filters or groups to identify devices with specific criteria, and one or more of these filters can be associated with a policy so as to target those devices. Of course, this goes back to your baseline creation: set the policies from the outset and customisation will be a simple step forward.
Is the time right?
Why wouldn't you implement a patch management update as soon as you can? With baseline mechanisms in place, there's no need to delay. If you have a solution that automates the process, then you would have given some consideration as to your ideal timing.
Consider the time of day for updates by policy – what time will have the least impact on day-to-day business? The ideal timing for updating patches should follow any rollout best practice.
Consider the day of the week, the impact on the business if something doesn't go smoothly, and consider whether there is sufficient resource and time to rectify if necessary. Furthermore, if your IT management solution is on-premise rather than cloud-based, you might even have to take responsibility of scale and load of the update.
Audit first – is it too broken to be fixed?
Gaining visibility of devices that are vulnerable is crucial, but so is analysing the overall health of each device. Ensure all devices are audited prior to rolling out patches or patch policies. There could be a more urgent matter requiring attention before the device can be brought in line.
Big estates, big patches, big problems?
We are led to believe that the bigger the enterprise estate, the more complex the management, but in most cases, solutions are easily scalable. The issue comes with usability, as complexity increases (and in some cases, the number of solutions and providers also grows), the technology team is used more and more to ensure the estate is kept up to date.
Keep usability as simple as possible, as there are solutions that do not require a technically skilled person to ensure the estate is kept up to date quickly and easily. In fact, it's much easier than you think.
Tiny budgets, smart people
So often patch management is a distress purchase because vulnerabilities such the ones we've seen recently place patch management in a crisis management budget and not an ongoing IT budget. This has financial implications of course.
Visualise your patch management
Make sure you can see a graphic representation of your patch management, tailored by severity and whether the patch requires a reboot or user interaction.
This also fundamentally supports measurement and service level agreements to report service level agreements in a way that's visual. Not only will this help with compliance, but it will demonstrate that you, as the technology expert, is making a difference to the business. This makes for better relationships throughout an organisation, whether internal or external.
Ian van Reenen is CTO of CentraStage