Patching the Holes: Developing a Management Strategy

It is critical to keep all of your technology up-to-date to mitigate cyber threats that could take down your business. But we often get the question: how do I take a systematic approach to these updates on an organizational level? Software vulnerabilities are constantly reappearing: it can often feel like you patch one issue today and a new one arises the next. As a result, it can be a challenge to stay on top of the ongoing process of addressing them.

Patch management refers to a comprehensive strategy for addressing these vulnerabilities in software applications and technologies. Having a plan in place will empower your organization to handle these changes efficiently and effectively.

A thorough patch management strategy includes each of the following:

    Know what you have (time to inventory!)
    The first step of a comprehensive patch management strategy is developing an up-to-date inventory of all your operating systems, IP addresses, etc. If you don’t know what you have, how do you know what you might need to patch?
    Make a list of all the security controls you have in place for these – routers, firewalls, etc. – and their configurations. This list will help you decide how to respond appropriately to any vulnerability alerts that arise.

    Detect the threat
    Leverage tools that will scan your systems to identify security patches and upgrades that may be missing from each of them. The best detection is automated and will trigger the patch management process before you face an active security threat. One example of this kind of tool is Microsoft’s Security Configuration and Analysis (SCA) tool, which is offered for free as part of Windows 2000 and above.

    Assess & prioritize
    Once you know what you have and the vulnerabilities present on each system, you need to assess the risk associated with each identified vulnerability. How severe is the threat? What would be the cost of recovering from the threat if you don’t apply a patch? Answering these questions will help you differentiate which patches are critical to your business and prioritize the order in which you need to implement them.

    Develop your strategy
    Who is responsible for the patch management process? What should be patched? When should it be patched? How should it be patched? Develop a policy that addresses each of these questions. You’ll want this to be a formal, structured, and written process that IT staff can follow dependably. You will also want it to provide flexibility for any ad-hoc patch needs that arise.

    Test, test, test
    Before you apply your patch management policy, test it in an environment that mirrors your operating systems. Does everyone understand the who, what, when, and how of the policy? Do any issues arise during the test? This is an opportunity to iron out any wrinkles in your plan before you go live, thus avoiding any outages that could result from a rollout gone wrong.

    Get patching!
    Now it’s time for your IT team to implement your patch management policy. Consider documenting lessons learned along the way so you can keep iterating on and improving the policy.
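As an added example (not part of the original post or any vendor tool), the inventory, detection and prioritization steps above carried through in Python: a constructed inventory and two constructed advisories (the hosts, product names and advisory ids are placeholders) are matched to find systems running a version older than the fix, then ranked by severity weighted for internet exposure and business criticality. It also shows why versions must be compared numerically: as plain strings "10.9" sorts after "10.10", and that missing patch would go unnoticed.

```python
from dataclasses import dataclass

@dataclass
class Asset:            # one line of the inventory (step 1)
    host: str
    product: str
    version: str
    internet_facing: bool
    business_critical: bool

@dataclass
class Advisory:         # one vendor patch notice picked up in detection (step 2)
    advisory_id: str
    product: str
    fixed_in: str       # first version that contains the fix
    severity: str       # low / medium / high / critical

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_version(v):
    # Compare numerically: as plain strings "10.9" > "10.10", so the gap would be missed
    return tuple(int(part) for part in v.split("."))

def missing_patches(assets, advisories):
    # (asset, advisory) pairs where the installed version is older than the fix
    return [(a, adv) for a in assets for adv in advisories
            if a.product == adv.product
            and parse_version(a.version) < parse_version(adv.fixed_in)]

def risk_score(asset, advisory):
    # Severity is the base; internet exposure and business impact each double it (step 3)
    score = SEVERITY_WEIGHT[advisory.severity]
    if asset.internet_facing:
        score *= 2
    if asset.business_critical:
        score *= 2
    return score

def prioritised_patch_list(assets, advisories):
    # Missing patches ordered by risk, highest first: the order to work through
    gaps = missing_patches(assets, advisories)
    return sorted(gaps, key=lambda g: risk_score(*g), reverse=True)

# Constructed sample data: hosts, product names and advisory ids are placeholders
INVENTORY = [Asset("web-01", "ExampleHTTPd", "2.4.9", True, True),
             Asset("db-01", "ExampleDB", "10.9", False, True),
             Asset("wks-17", "ExampleDB", "10.10", False, False)]
ADVISORIES = [Advisory("ADV-0001", "ExampleHTTPd", "2.4.12", "high"),
              Advisory("ADV-0002", "ExampleDB", "10.10", "critical")]
```

Calling prioritised_patch_list(INVENTORY, ADVISORIES) returns web-01 first (high severity, exposed and critical, score 12) and db-01 second (critical severity on an internal system, score 8); wks-17 is already at the fixed version and is not listed.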

While patch management is a never-ending cycle, these steps will put you way ahead of the curve when the next worm comes knocking on your network’s door! Still unsure of where to start? We are happy to help – contact us for a consultation.