Patch management plays a critical role in minimizing cybersecurity risk. However, implementing a patch management strategy is not as easy as it might seem.
For many years, the job chiefly involved manually installing whatever updates Microsoft issued on its monthly “Patch Tuesday.” However, that approach is falling short as computer systems have become more complex and security threats more sophisticated.
Thousands of software patches are published every year, the majority of them to mitigate security vulnerabilities. Companies that rely on a technician to manually install patches on an ad hoc basis are setting themselves up for oversights that can lead to a security breach.
The U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security, estimates that about 85 percent of all successful network intrusions result from unpatched systems. According to various studies, most breaches involve patches that were available but uninstalled for more than a year.
Furthermore, experts note that the relationship between patches and vulnerabilities is far more complex than most people think. Sometimes patches address a single vulnerability. Other times, they may fix multiple vulnerabilities — but only on some platforms and not on others. Sometimes there are overlapping vulnerabilities that may require multiple patches, or updates that must be applied before the patch can be installed.
Vendors don’t make it easy to understand these issues, either. Patches are frequently released with little documentation about the problems they’re fixing, why they’re fixing them, or how the patch might affect other systems and applications.
Because patches don’t always work in every environment, there are times when installation does more harm than good. It is not uncommon for a patch to fix one issue only to break another. Patches often require testing to work out the bugs and potential incompatibilities. Patches that are rolled out across the network without proper testing can create compatibility issues that cause significant downtime.
Organization Is Key
Prioritization is another important but often ignored element of good patch management. When patches are released, hackers will often try to reverse engineer them to identify the vulnerability they are designed to fix. This highlights the need to deal with critical patches in an organized fashion, ensuring they are tested for compatibility and implemented quickly to deflect a possible uptick in attacks.
However, a recent Ponemon Institute survey found that it takes organizations an average of 12 days to coordinate the application of just one patch across all devices. Just 44 percent of respondents said they use automated tools to facilitate patching.
Automated patch management does ensure timely patch installation and reduce the chance of manual errors. It’s not a silver bullet, however. Automation doesn’t perform important testing and prioritization functions or provide much insight into your overall risk exposure.
Leave It to the Experts
Given the complexity and consequences involved, you may be better off engaging a managed services provider (MSP) with the manpower, tools and experience to handle patch management. IronLogix, for example, has a team of professionals who take responsibility for managing patches and installing them on a timely basis.
We fully test new patches before deployment, and utilize specialized queries to identify all networked machines that require updates. We then prioritize and schedule patch deployments according to your specific business requirements.
Many organizations have become overwhelmed by the variety and volume of patches being issued. However, studies show that lapses in patch deployment open the door to network attacks and costly downtime. IronLogix’s managed services approach can help you minimize the risk of a security breach without compromising network performance or employee productivity.