United States | Patch Management – The Never-Ending Battle in the War Against Cyber Threats!

Insentra - 08.10.202120211008

United States | Patch Management – The Never-Ending Battle in the War Against Cyber Threats!

Join our community of 1,000+ IT professionals, and receive tech tips and updates once a week.

Patch Management – The Never-Ending Battle in the War Against Cyber Threats!

United States | Patch Management – The Never-Ending Battle in the War Against Cyber Threats!

PATCH MANAGEMENT – THE NEVER-ENDING BATTLE IN THE WAR AGAINST CYBER THREATS!

A recent study conducted by ServiceNow, found 60% of the data breaches in the last two years were a result of unapplied software vulnerability patches. The average time for critical updates was found to be more than 16 days, this is not surprising when 52% said they rely on manual processes.  With thousands of Code Execution Vulnerabilities (CVEs) released per year, it’s no coincidence over stretched IT departments and security professionals are struggling to keep on top of the task. Good intentions and robust procedures can soon fall apart in the face of BAU and priority projects.

Patch management is not just a Microsoft problem either, we are all aware of the constant Apple iOS updates, Adobe, Java, multi-vendor patches, the list is literally endless.  The monthly patching cycle comes around quickly and there is always the emergency out-of-band, critical updates as well.  In just the last twelve months there has been a host of firewall, Citrix ADC and Microsoft Exchange remote code execution vulnerabilities.  These can very quickly lead to a complete internal breach if not delt with immediately.  In the month of July 2021, thirteen critical and nine zero-day exploits were fixed – and that’s just Microsoft.

THE CHALLENGE

Beyond the obvious threat to an organization’s reputation, there is ever-increasing regulation to comply with, and some hefty financial repercussions should a breach occur. GDPR in Europe or HIPAA in the US, standards from PCI and Cyber Essentials require critical patches be applied in 14 days and ISO 27001 requires patching within a timely manner. With increasing demands on skilled IT resources and the 24/7 nature of many industries, it is a real headache for organizations globally, of any scale, to meet these goals.

It’s not uncommon for senior IT personnel to be working the ‘day job’ and patching by night on a ‘best endeavors’ basis. Even with automated tool sets this can become an onerous job to plan, test, deploy and remediate.  In some instances, estates become so far behind that a wholesale ‘catch up’ becomes either too big a job or too risky to attempt. 

THE TOOLS

There are many ways to apply patches, with manual patching only suitable for the smallest of environments.  Microsoft offer Windows Update Server, which is a useful tool and more recently Azure automation for those with cloud servers. Scripts, Microsoft SCCM and a whole array of tools are available – many of which will also deal with multi-vendor releases.  It is not wise to focus solely on Microsoft or OS, as the problem is industry wide and needs a comprehensive solution to be fully effective.  Those involved in security audits often find out it’s the lesser-known software vulnerabilities which can catch you out.

THE SOLUTION

We have the tools and the time and anyone who works in the IT industry will know patching is a double-edged sword.  How many times have you deployed a patch and suddenly find the server will not boot, a vital service has stopped or the way it interoperates in the environment, changed? This can have serious repercussions to the business and one of the key reasons IT pros tend to shy away from patching – if it is not broken, why fix it?

Of course, we cannot ignore the problem, so the best way to address the risk is a robust patch management policy and process.

THE GOVERNANCE

A good patch management policy starts with understanding where you are and what you have. Ask yourself, what is key?

  • Where do we have resilience?
  • Who is affected?
  • How do we test and manage risk?
  • How do we measure, record and benchmark compliance?
United States | Patch Management – The Never-Ending Battle in the War Against Cyber Threats!

The basis of a good strategy comes with effective understanding and preparation.  A comprehensive process can look something like this –

  • Discovery
    • Current patch status reporting
    • Inventory and dependency mapping
    • Estate audit
  •  Categorisation
    • Workload functions and priority matrix
    • Risk analysis
  • Policy Creation
    • Priority (Prod/Non-Prod/Dev)
    • Availability (HA)
    • Testing (UAT)
  • Timeline
    • SLA
    • Compliance
  • Reporting and audit
    • Measure and record

With the right tools and process in place the risks can be managed and the organization is better placed to counter cyberthreats and regulatory challenges.

WHAT ABOUT A MANAGED SERVICE?

Countless organizations large and small conclude patching is not something they feel comfortable with, even with the right tools and process in place – they simply do not have the personnel or time.  Many Managed Service Providers (MSPs) also struggle with this, even at scale, due to the complex demands of a multi-client environment.

An alternative solution is to outsource the process, utilising a fully managed patch management service – where all the tools, experience, governance and management are unlocked.  Why not free up valuable internal resources and provide regular reporting on SLA performance? Sounds good!

Via our Partners, Insentra offers a full range of Managed Services worldwide including Citrix ADC as a Service which provides patch management on vital internet facing infrastructure.

Alternatively, Insentra recently launched a partnership with Rimo3 to simplify migration, modernisation and management of applications at scale.

Hungry for more?

If you’re waiting for a sign, this is it.

We’re a certified amazing place to work, with an incredible team and fascinating projects – and we’re ready for you to join us! Go through our simple application process. Once you’re done, we will be in touch shortly!

Who is Insentra?

Imagine a business which exists to help IT Partners & Vendors grow and thrive.

Insentra is a 100% channel business. This means we provide a range of Advisory, Professional and Managed IT services exclusively for and through our Partners.

Our #PartnerObsessed business model achieves powerful results for our Partners and their Clients with our crew’s deep expertise and specialised knowledge.

We love what we do and are driven by a relentless determination to deliver exceptional service excellence.

United States | Patch Management – The Never-Ending Battle in the War Against Cyber Threats!

Insentra ISO 27001:2013 Certification

SYDNEY, WEDNESDAY 20TH APRIL 2022 – We are proud to announce that Insentra has achieved the  ISO 27001 Certification.