PATCH MANAGEMENT – THE NEVER-ENDING BATTLE IN THE WAR AGAINST CYBER THREATS!
A recent study conducted by ServiceNow found that 60% of the data breaches in the last two years were a result of unapplied software vulnerability patches. The average time to apply critical updates was found to be more than 16 days, which is not surprising when 52% said they rely on manual processes. With thousands of CVEs (Common Vulnerabilities and Exposures) released per year, it’s no coincidence that overstretched IT departments and security professionals are struggling to keep on top of the task. Good intentions and robust procedures can soon fall apart in the face of BAU and priority projects.
Patch management is not just a Microsoft problem either: we are all aware of the constant Apple iOS updates, Adobe, Java and multi-vendor patches; the list is literally endless. The monthly patching cycle comes around quickly, and there are always emergency out-of-band critical updates as well. In just the last twelve months there has been a host of firewall, Citrix ADC and Microsoft Exchange remote code execution vulnerabilities. These can very quickly lead to a complete internal breach if not dealt with immediately. In the month of July 2021, thirteen critical and nine zero-day exploits were fixed – and that’s just Microsoft.
Beyond the obvious threat to an organisation’s reputation, there is ever-increasing regulation to comply with, and some hefty financial repercussions should a breach occur. Alongside GDPR in Europe and HIPAA in the US, standards from PCI and Cyber Essentials require critical patches to be applied within 14 days, and ISO 27001 requires patching within a timely manner. With increasing demands on skilled IT resources and the 24/7 nature of many industries, it is a real headache for organisations globally, of any scale, to meet these goals.
It’s not uncommon for senior IT personnel to be working the ‘day job’ and patching by night on a ‘best endeavors’ basis. Even with automated tool sets this can become an onerous job to plan, test, deploy and remediate. In some instances, estates become so far behind that a wholesale ‘catch up’ becomes either too big a job or too risky to attempt.
There are many ways to apply patches, with manual patching only suitable for the smallest of environments. Microsoft offers Windows Server Update Services (WSUS), which is a useful tool, and more recently Azure Automation for those with cloud servers. Scripts, Microsoft SCCM and a whole array of tools are available – many of which will also deal with multi-vendor releases. It is not wise to focus solely on Microsoft or the OS, as the problem is industry-wide and needs a comprehensive solution to be fully effective. Those involved in security audits often find it’s the lesser-known software vulnerabilities which catch you out.
Even with the tools and the time in place, anyone who works in the IT industry will know that patching is a double-edged sword. How many times have you deployed a patch and suddenly found the server will not boot, a vital service has stopped, or the way it interoperates with the rest of the environment has changed? This can have serious repercussions for the business, and it is one of the key reasons IT pros tend to shy away from patching – if it is not broken, why fix it?
Of course, we cannot ignore the problem, so the best way to address the risk is a robust patch management policy and process.
A good patch management policy starts with understanding where you are and what you have. Ask yourself, what is key?
- Where do we have resilience?
- Who is affected?
- How do we test and manage risk?
- How do we measure, record and benchmark compliance?
The basis of a good strategy comes with effective understanding and preparation. A comprehensive process can look something like this:
- Current patch status reporting
- Inventory and dependency mapping
- Estate audit
- Workload functions and priority matrix
- Risk analysis
- Policy Creation
- Priority (Prod/Non-Prod/Dev)
- Availability (HA)
- Testing (UAT)
- Reporting and audit
- Measure and record
With the right tools and process in place the risks can be managed and the organisation is better placed to counter cyberthreats and regulatory challenges.
WHAT ABOUT A MANAGED SERVICE?
Countless organisations, large and small, conclude that patching is not something they feel comfortable with, even with the right tools and process in place – they simply do not have the personnel or the time. Many Managed Service Providers (MSPs) also struggle with this, even at scale, due to the complex demands of a multi-client environment.
An alternative solution is to outsource the process, utilising a fully managed patch management service – where all the tools, experience, governance and management are unlocked. Why not free up valuable internal resources and provide regular reporting on SLA performance? Sounds good!
Alternatively, Insentra recently launched a partnership with Rimo3 to simplify migration, modernisation and management of applications at scale.