How to Improve the Patch Management Process


Everyone knows they should be patching, and they would like to patch faster. According to research from the Ponemon Institute, it takes around 43 days on average to patch a vulnerability, and that delay directly affects how well organizations can secure their operations. More than 20,000 software vulnerabilities were disclosed in the last year, on top of the thousands found in previous years; in total, more than 160,000 issues are now recorded. According to Binding Operational Directive 22-01 from the Cybersecurity and Infrastructure Security Agency (CISA, part of the Department of Homeland Security, DHS), only around four percent of these have been exploited by attackers. Yet for that small group, exploitation follows disclosure very quickly: 50 percent of those vulnerabilities were targeted within two days of being announced, and 75 percent within 28 days. After phishing, missing software updates are considered the largest part of an organization's exposure.


The best ITSM defense against this problem is prompt deployment of patches. Closing these holes makes it harder for attackers to compromise employee devices or attack applications. DHS guidance for federal agencies (CISA Binding Operational Directive 19-02, covering internet-accessible systems) is to patch critical issues within 15 days, while the UK's Cyber Essentials asks that companies patch issues rated critical or high severity within 14 days. In patch management, therefore, timeliness is essential.

What goes into the patch management process

The typical patch management process consists of much more than installing the update. Alongside the deployment itself, each organization has its own change management process to follow. This work can be tedious, thankless and time-consuming.

For example, the patch management process normally involves several decisions, each of which can delay a patch from being completed. The very first is whether to trust each patch you receive and deploy it immediately to all your users. This can be a difficult call, particularly when the application or operating system concerned is critical to the business. In early 2022, many systems administrators ran into problems with Microsoft's Patch Tuesday updates, leading to frustrating rollbacks and redeployments of the existing, and potentially insecure, versions.

If you decide not to release straight away, testing those updates takes time. It means installing the patches on test machines, checking the results and looking for incompatibilities with other applications. It can also include a soak test, running the patched systems for hours or days in case the updates have problems that only appear over time.


Alongside this, you have to manage the deployment itself: preparing the patches for distribution and then releasing them to users. This can involve a large amount of internal communication over messaging channels and email to engage users and get them to act. Any stragglers may then need targeted reminders to apply the update. If after a set time the update has still not been applied, it may have to be installed for them.

One potential problem is how involved users are in the rollout. On Apple devices running macOS, for example, users are typically in the driving seat: unless an MDM policy enforces updates, they decide when to accept an update via Apple's notifications, and only then is it installed. This differs from the process on Windows or Linux machines, so you will need to communicate with all your users about what to expect on their platform.

For issues that need immediate rollout, teams must run their patching process and communications plan straight away to reduce risk. This is when additional cajoling, hand-holding and follow-up is needed to bring every system into compliance.

How to speed up the process

Patching takes time. It will always require decisions to be made, change management processes to be followed and approvals to be granted. However, many organizations can get patches out faster with a few simple changes to how they approach patch management.

The first change is to separate updates that should roll out immediately from those that require testing. Do all the patches currently going through testing need to be there, or can you prioritize them differently? Similarly, can your testing process be more progressive, rolling an update out to more users over time rather than in one big push?

Today, companies are more likely to have multiple operating systems and devices to support. Microsoft Windows is still the dominant endpoint operating system, representing around 74% of devices worldwide; at the same time, 55% of companies now allow users to work on Apple macOS devices too, according to research from Parallels. This means more IT teams have to manage updates and patches across multiple platforms.

To handle this, sysadmins and IT teams can consolidate patch management into one product rather than maintaining a separate tool for each OS or platform. That should make patching easier to manage and improve both reporting and patch notification.


Teams should automate patch deployment wherever possible. Automation should complement the decisions about ranking patches by severity and impact, and let teams roll out patches faster where the risk to productivity is low. Removing the manual preparation and communication from each deployment is what speeds things up.

You can group users by how quickly patches are delivered to them. For instance, create a first group that is happy to test patches and receives updates early, then a second group for mass deployment once the first group reports no problems. You may also need further groups based on other factors, such as users who are more risk-averse or who need more support to get through the patching process.

Similarly, teams can look at how to manage users around patches, specifically how many times a user can defer an update. Users do not want their work interrupted, and they hate auto-update situations that risk their productivity. However, some users continually reject updates, and the risk grows the longer a patch is missing. Setting deferral limits helps: by allowing a set number of deferrals, say five or six, users can plan ahead and carry on working until they reach a natural break, after which the update is installed to close the exposure. For critical issues, users can be warned once and then have the update installed. This needs proper communication planning and user acceptance, but it makes patching much easier over time.
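The ring-based rollout and deferral rules described in the last two paragraphs can be expressed as a small policy that a management agent evaluates per device and per patch. The following is an added example, not JumpCloud's code or any vendor's default policy: the ring offsets, the deferral limits and the release date are assumptions, the 14-day deadline for critical and high issues mirrors the Cyber Essentials figure quoted earlier, and the two-day deadline for a known-exploited issue follows the article's point that half of exploited vulnerabilities are attacked within two days of disclosure. Known-exploited issues skip the ring cadence entirely, since waiting for a ring to open would leave the broad ring past its deadline before it was even offered the patch.

```python
"""Ring-based patch rollout with severity deadlines and bounded user deferrals.

Added example, not JumpCloud's code. Ring offsets, deadlines, the deferral limit
and the release date are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Days after release at which each ring is offered a routine patch (assumed).
RING_OFFSET_DAYS = {"pilot": 0, "early": 3, "broad": 7}
# Install-by deadline in days after release, per severity (assumed).
DEADLINE_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}
EXPLOITED_DEADLINE_DAYS = 2   # known-exploited: offered everywhere at once, forced fast
MAX_DEFERRALS = 5             # routine patches: "say, five or six times"
URGENT_DEFERRALS = 1          # critical or exploited: warn once, then install

RELEASE_DAY = date(2022, 3, 8)   # constructed release date for the walkthrough


def day(n):
    """Calendar date n days after RELEASE_DAY (helper for the walkthrough)."""
    return RELEASE_DAY + timedelta(days=n)


@dataclass(frozen=True)
class Patch:
    id: str
    severity: str            # key of DEADLINE_DAYS
    released: date
    exploited: bool = False  # e.g. listed in CISA's KEV catalogue


@dataclass
class Device:
    name: str
    ring: str                # key of RING_OFFSET_DAYS
    deferrals: dict = field(default_factory=dict)  # patch id -> times deferred


def is_urgent(patch):
    return patch.exploited or patch.severity == "critical"


def deadline(patch):
    days = DEADLINE_DAYS[patch.severity]
    if patch.exploited:
        days = min(days, EXPLOITED_DEADLINE_DAYS)
    return patch.released + timedelta(days=days)


def offered_on(patch, ring):
    # Exploited issues go to every ring immediately; others follow the ring
    # cadence but are never offered later than the deadline itself.
    offset = 0 if patch.exploited else RING_OFFSET_DAYS[ring]
    return min(patch.released + timedelta(days=offset), deadline(patch))


def decide(device, patch, today):
    """Return 'not-yet' (ring not reached), 'offer' (user may defer) or 'force'."""
    if today < offered_on(patch, device.ring):
        return "not-yet"
    if today >= deadline(patch):
        return "force"
    limit = URGENT_DEFERRALS if is_urgent(patch) else MAX_DEFERRALS
    if device.deferrals.get(patch.id, 0) >= limit:
        return "force"
    return "offer"


def defer(device, patch):
    """Record that the user postponed this patch; returns the running count."""
    device.deferrals[patch.id] = device.deferrals.get(patch.id, 0) + 1
    return device.deferrals[patch.id]


def walkthrough():
    """Constructed scenario; returns the decisions an agent would make over time."""
    cumulative = Patch("WIN-2022-03-CU", "critical", RELEASE_DAY)          # placeholder id
    kev = Patch("CVE-2022-EXAMPLE", "high", RELEASE_DAY, exploited=True)   # placeholder id
    routine = Patch("APP-1.4.2", "medium", RELEASE_DAY)                     # placeholder id
    laptop = Device("laptop-07", "broad")
    tester = Device("it-01", "pilot")
    out = {}
    out["crit_broad_day0"] = decide(laptop, cumulative, day(0))     # not-yet: ring opens day 7
    out["crit_pilot_day0"] = decide(tester, cumulative, day(0))     # offer: pilot ring is first
    out["crit_broad_day7"] = decide(laptop, cumulative, day(7))     # offer
    out["crit_broad_day14"] = decide(laptop, cumulative, day(14))   # force: deadline reached
    out["kev_broad_day0"] = decide(laptop, kev, day(0))             # offer: exploited skips rings
    defer(laptop, kev)
    out["kev_broad_after_defer"] = decide(laptop, kev, day(1))      # force: one warning only
    for _ in range(MAX_DEFERRALS - 1):
        defer(laptop, routine)
    out["routine_after_4"] = decide(laptop, routine, day(10))       # offer
    defer(laptop, routine)
    out["routine_after_5"] = decide(laptop, routine, day(10))       # force: limit exhausted
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:24} {value}")
```

In practice the decision would be taken by the endpoint agent or MDM policy rather than a script, but encoding it this way makes the policy reviewable: every deadline and deferral limit is a named constant that can be changed in one place and agreed with users in advance.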


The last improvement is patch reporting. A single overview of patch compliance across all platforms and operating systems helps teams spot problems caused by missed updates, and shows where issues build up or where more user training is needed. With data like this, patching teams can get management support to enforce patching and overcome resistance. Over time, this reduces the time needed to get patches in place.
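A compliance overview of this kind is, at bottom, a join between the patches each platform is required to have and what each device reports as installed. The following is an added example, not JumpCloud's code: the inventory, the required-patch list and the identifiers are constructed sample data, and the seven-day staleness window is an assumption. One caveat a practitioner will want built in is that a device which has stopped checking in is reported separately and never counted as compliant, because silence is not evidence that a patch was installed.

```python
"""Cross-platform patch-compliance report over a device inventory.

Added example, not JumpCloud's code. SAMPLE_REQUIRED and SAMPLE_INVENTORY are
constructed data with placeholder patch identifiers; STALE_AFTER_DAYS is assumed.
"""
from collections import defaultdict
from datetime import date

STALE_AFTER_DAYS = 7          # assumed: a device silent for longer is 'unknown'
TODAY = date(2022, 4, 1)      # constructed reporting date

# Patches each platform must have, with the install-by date agreed for them.
SAMPLE_REQUIRED = [
    {"id": "WIN-2022-03-CU", "platforms": {"windows"}, "deadline": date(2022, 3, 22)},
    {"id": "MAC-12.3", "platforms": {"macos"}, "deadline": date(2022, 3, 28)},
    {"id": "OPENSSL-2022-03", "platforms": {"macos", "linux"}, "deadline": date(2022, 4, 10)},
]

# What each device last reported: platform, ring, installed patch ids, check-in time.
SAMPLE_INVENTORY = [
    {"name": "win-01", "platform": "windows", "ring": "broad",
     "installed": {"WIN-2022-03-CU"}, "last_seen": date(2022, 4, 1)},
    {"name": "win-02", "platform": "windows", "ring": "broad",
     "installed": set(), "last_seen": date(2022, 3, 31)},
    {"name": "mac-01", "platform": "macos", "ring": "early",
     "installed": {"MAC-12.3", "OPENSSL-2022-03"}, "last_seen": date(2022, 4, 1)},
    {"name": "mac-02", "platform": "macos", "ring": "broad",
     "installed": set(), "last_seen": date(2022, 4, 1)},
    {"name": "lnx-01", "platform": "linux", "ring": "pilot",
     "installed": set(), "last_seen": date(2022, 3, 20)},
]


def missing_patches(device, required):
    """Required patches that apply to this device's platform and are not installed."""
    return [p for p in required
            if device["platform"] in p["platforms"] and p["id"] not in device["installed"]]


def compliance_report(inventory, required, today):
    totals = defaultdict(lambda: [0, 0])   # platform -> [compliant, total]
    overdue, stale = [], []
    for dev in inventory:
        totals[dev["platform"]][1] += 1
        if (today - dev["last_seen"]).days > STALE_AFTER_DAYS:
            stale.append(dev["name"])      # state unknown: counted, never compliant
            continue
        missing = missing_patches(dev, required)
        if not missing:
            totals[dev["platform"]][0] += 1
        for p in missing:
            late = (today - p["deadline"]).days
            if late > 0:                    # missing but not yet due is not a breach
                overdue.append((dev["name"], p["id"], late))
    return {
        "by_platform": {plat: tuple(v) for plat, v in totals.items()},
        "overdue": sorted(overdue, key=lambda row: -row[2]),   # worst breach first
        "stale": stale,
    }


def compliance_pct(report):
    return {plat: round(100.0 * ok / total, 1)
            for plat, (ok, total) in report["by_platform"].items()}


def straggler_counts(report):
    """Devices with the most overdue patches first: where to aim the follow-up."""
    counts = defaultdict(int)
    for name, _, _ in report["overdue"]:
        counts[name] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    rep = compliance_report(SAMPLE_INVENTORY, SAMPLE_REQUIRED, TODAY)
    for plat, pct in compliance_pct(rep).items():
        print(f"{plat:8} {pct:5.1f}% compliant")
    for name, patch_id, late in rep["overdue"]:
        print(f"OVERDUE {name} {patch_id} {late} days past deadline")
    for name in rep["stale"]:
        print(f"STALE   {name} has not reported for more than {STALE_AFTER_DAYS} days")
```

Splitting the result into "compliant", "overdue" and "stale" is what makes the report useful for the conversation with management the paragraph above describes: a low percentage caused by devices that never check in is an inventory problem, while a long overdue list concentrated on a few names is a user-behaviour problem, and the two need different fixes.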

No one doubts the need for patching. It is an essential part of keeping IT operations running smoothly and systems secure. By automating rollouts, improving the test process and understanding user behaviour around patch compliance, teams can reduce the time it takes to get patches deployed.

Greg Armanini
Senior Director Product Management at JumpCloud

Greg Armanini is Senior Director Product Management at cloud directory platform company JumpCloud, where he is responsible for product development around identity management, device management and security. He has more than twenty years’ experience of product management and development at companies including VMware, Yahoo and Zimbra.
