Patch management: A Guide
Patch management is the process of applying vendor- and support-issued updates to close security gaps and maintain the performance of software and devices. It must be balanced against the organization’s ability to apply updates without disrupting operations.
What is a patch?
Essentially, “patch” is another word for “update”. As long as a piece of software is “in life”, it remains supported by developers who regularly issue updates (patches) that improve functionality, add new features, or add a layer of defense against newly discovered threats and exploits. If a product or service ceases to be supported with regular patches, this is called “end of life”, and it makes the software a high risk for any organization still using it.
What is patch management?
You can’t go to the gym a couple of times and expect to run a marathon. In the same way, your network and devices need regular and consistent updates to remain healthy and ready to defend against viruses and exploits. It is important that patches are applied swiftly, as you are most likely to be attacked in the period immediately after a vulnerability is discovered. According to Google, exploitation of a vulnerability is most likely to occur before the end of the first month following the release of a patch.
Supporting risk management
Regular and consistent patching is not just a good habit for your organization’s security. Effective patch management is also an essential component of remaining compliant with regulatory standards and best-practice frameworks. Regulations such as GDPR, HIPAA, PCI-DSS and FERPA include patch management requirements. Check that you are up to date on the requirements that apply to you, and review internally what impact they may have on your organization.
Minimizing downtime
One of the issues with updates to products, services and devices is that they cause downtime in one of two ways. Either the process of applying the patch requires a reboot, or a patch that conflicts with existing software causes an error and has to be reverted. Having users constantly interrupted to download every patch as it becomes available isn’t practical in most organizations. A well-documented and practiced patch management process helps you prioritize the most urgent patches and limit interruptions to user workflows.
Patch management software
To help with the patch management lifecycle, there are patch management solutions that streamline the steps required to apply patches. They can not only automate the process, but also log the latest applied patches and identify missing ones. You can combine this with mobile device management (MDM) tools or EDR with patching capabilities to gain a better understanding of how up to date your devices are, and how proactive users have been in applying patches.
What is "end of life" (EOL) software?
End of Life (EOL) software is no longer supported by the vendor who developed it. Once a piece of software becomes EOL, the developers no longer create and send out new patches, and the software remains vulnerable to old errors and new attacks. Threat actors take advantage of this by identifying potentially end-of-life solutions running on your network and trying exploits that were discovered after the EOL date, hoping to find an unpatched weakness that will grant them greater access to your network.
How should I manage EOL?
You should have a documented and practiced process for decommissioning EOL software. This should include removing it from the primary network and isolating it until you have identified a suitable alternative, so that even if a threat actor exploits your EOL software, it does not grant them access to the main network. You should also set a time limit for locating a suitable alternative, as EOL software should not be allowed to linger.
Checklist
When planning your patch management, check the following:
- What software is mission critical and therefore the highest priority for urgent patches?
- Can patch deployment be automated to reduce the chance of patches being missed?
- Can out-of-date patches across all organization devices be identified by any of my current software solutions?
- How can I minimize downtime for users and limit interruptions to workflows?
- Do I have a strategy for decommissioning and replacing EOL software?
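The checklist above can be turned into a simple inventory review. The following is an added example, not part of the original guide or of any patch management product: it takes a constructed software inventory and flags EOL software for isolation, ranks missing patches by whether the system is mission critical, and uses the one-month window mentioned earlier as the deadline for applying a patch. The asset fields, dates and hostnames are all assumptions made up for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Exploitation is most likely within the first month after a patch is released,
# so a patch older than this that is still not applied is treated as overdue.
PATCH_WINDOW_DAYS = 30

@dataclass
class Asset:
    host: str
    product: str
    installed_version: str
    latest_version: str
    patch_released: date          # vendor release date of latest_version
    eol_date: Optional[date]      # vendor end-of-life date, None if still supported
    mission_critical: bool

def assess(assets: List[Asset], today: date) -> List[Tuple[int, str, str, str]]:
    """Return (priority, host, product, reason) for each asset that needs action.
    1 = EOL, or mission-critical system missing a patch; 2 = overdue patch on a
    non-critical system; 3 = missing patch still inside the 30-day window."""
    findings = []
    for a in assets:
        if a.eol_date is not None and a.eol_date <= today:
            findings.append((1, a.host, a.product, "EOL: isolate and decommission"))
            continue                      # no point checking patches on unsupported software
        if a.installed_version == a.latest_version:
            continue                      # fully patched, nothing to do
        age = (today - a.patch_released).days
        if age > PATCH_WINDOW_DAYS:
            prio = 1 if a.mission_critical else 2
            reason = f"patch {a.latest_version} overdue by {age - PATCH_WINDOW_DAYS} days"
        else:
            prio = 1 if a.mission_critical else 3
            reason = f"patch {a.latest_version} pending, {PATCH_WINDOW_DAYS - age} days left in window"
        findings.append((prio, a.host, a.product, reason))
    return sorted(findings)           # most urgent first, then by host name

def run_example() -> List[Tuple[int, str, str, str]]:
    """Constructed sample inventory reviewed on a fixed date (all values are made up)."""
    today = date(2024, 6, 30)
    inventory = [
        Asset("fileserver-01", "SMB service", "4.1", "4.2", date(2024, 5, 1), None, True),
        Asset("hr-laptop-07", "PDF viewer", "10.0", "10.1", date(2024, 6, 20), None, False),
        Asset("legacy-app-02", "Inventory app", "2.3", "2.3", date(2019, 1, 1), date(2023, 12, 31), False),
        Asset("kiosk-03", "Web browser", "120", "120", date(2024, 6, 1), None, False),
    ]
    return assess(inventory, today)
```

Feeding the output of your MDM or EDR inventory into such a review gives a prioritized list rather than a flat count of missing patches.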