The Realities of Patch Management Best Practices
The rise of malware, and specifically of ransomware attacks, is reminding businesses around the world that patching vulnerabilities remains a necessity.
However, the culture of patching is bleak when administrators are tasked with a multitude of duties in addition to deploying hundreds of patches every month. Under that load it becomes increasingly difficult to implement patch management best practices.
Developing a Lab Environment
A critical step to making patch management best practices effective for your business is to build a lab environment that mirrors your production environment. It is there that the administrator tests new security patches before deploying them to mission-critical applications in production. During lab testing you want to validate that the lab equipment really does mirror the production equipment, that the patched systems reboot successfully, and that they retain the same functionality and meet the same availability requirements as before.
It is common to use virtual machines (for example on VMware) for patch testing, because a snapshot taken before the patch lets you roll back quickly if needed. Ideally, the lab has all the same configurations that exist on the production network. After lab testing, the patches are deployed in phases or rollout rings, and each phase is monitored for performance and critical issues before the final patch deployment is completed.
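The phased rollout described above is easiest to run well when the go/no-go decision between rings is written down as a rule rather than left to a judgement call. The following is an added example, not code from the original article: it walks a set of rollout rings in order and halts at the first ring that fails its gate. The ring names, host names, thresholds and health-check results are all constructed for illustration; in practice the per-host data would come from your patch-management or monitoring tooling.

```python
"""Ring-based patch rollout with go/no-go gates between phases.

Added example, not code from the original article. The rings, hosts,
thresholds and health-check results below are constructed for
illustration only.
"""
from dataclasses import dataclass, field

# Rollout order: each ring must pass its gate before the next one starts.
RINGS = ["lab", "pilot", "broad", "production"]

# Assumed policy: abort the rollout if more than this fraction of hosts in a
# ring fails, or if any host in the ring does not come back after its reboot.
MAX_FAILURE_RATE = 0.05


@dataclass
class HostResult:
    host: str
    patched: bool          # patch installed without installer error
    rebooted_ok: bool      # host came back and answered a health probe
    services_ok: bool      # application smoke test passed after reboot


@dataclass
class RingReport:
    ring: str
    total: int
    failed: list = field(default_factory=list)
    halted: bool = False
    reason: str = ""


def evaluate_ring(ring: str, results: list[HostResult]) -> RingReport:
    """Decide whether the rollout may proceed past this ring."""
    report = RingReport(ring=ring, total=len(results))
    for r in results:
        if not (r.patched and r.rebooted_ok and r.services_ok):
            report.failed.append(r.host)
        if not r.rebooted_ok:
            # A host that never came back is a hard stop regardless of rate.
            report.halted = True
            report.reason = f"{r.host} did not return after reboot"
    if not report.halted and report.total:
        rate = len(report.failed) / report.total
        if rate > MAX_FAILURE_RATE:
            report.halted = True
            report.reason = f"failure rate {rate:.0%} exceeds {MAX_FAILURE_RATE:.0%}"
    return report


def run_rollout(results_by_ring: dict[str, list[HostResult]]) -> list[RingReport]:
    """Walk the rings in order and stop at the first one that fails its gate."""
    reports = []
    for ring in RINGS:
        report = evaluate_ring(ring, results_by_ring.get(ring, []))
        reports.append(report)
        if report.halted:
            break
    return reports


# Constructed sample data: the pilot ring has one host whose smoke test failed
# (within tolerance for 20 hosts); the broad ring has one host that never came
# back after reboot, which stops the rollout before production is touched.
SAMPLE = {
    "lab": [HostResult("lab-01", True, True, True), HostResult("lab-02", True, True, True)],
    "pilot": [HostResult(f"pilot-{i:02d}", True, True, i != 7) for i in range(1, 21)],
    "broad": [HostResult(f"app-{i:03d}", True, i != 13, True) for i in range(1, 101)],
    "production": [HostResult("db-01", True, True, True)],
}

if __name__ == "__main__":
    for rep in run_rollout(SAMPLE):
        status = f"HALTED ({rep.reason})" if rep.halted else "passed"
        print(f"{rep.ring:11s} {rep.total:4d} hosts, {len(rep.failed)} failed: {status}")
```

The two gate conditions are deliberately different in kind: a failure-rate threshold tolerates the occasional broken application, but a host that does not return from its reboot is treated as a hard stop, because that is the failure mode that turns a patch into an outage.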
Locking Down End User Privileges
Organizations often allow end users open and unnecessary access on their company devices. The results can be damaging: patches get dismissed, or users install software containing major vulnerabilities, opening the organization to a whole host of attack vectors.
A commonly overlooked patch management best practice is not to grant full administrator rights to end users on their equipment. It is ultimately the IT department's responsibility to create and enforce a "least privilege" policy that limits user access. End users should receive only the privileges needed to fulfill their role within the organization on their device; without local administrator rights they cannot defer or uninstall patches, or install unvetted software that reintroduces vulnerabilities.
Research indicates that poor change management practices will have a negative impact on your uptime and business costs. Organizations that lack proper change management within their patch management process will:
- Spend more time “putting out fires” versus being a strategic arm of the business
- Spend more money on new critical IT initiatives to achieve business goals
- Experience significant downtime due to poor patch management control
- Waste more money on unplanned work
Change management is essential at every stage of the patch management process, from testing through configuration management to installation. Your staff or tools should track and document changes to your infrastructure throughout the patch management lifecycle.
Lastly, an endpoint protection platform (EPP) such as Carbon Black is an often-overlooked complement to patch management: it helps mitigate the risk from vulnerabilities that are not yet patched when an end user opens a phishing email, clicks a link or downloads unverified software.
An endpoint protection service aims to block ransomware by detecting malicious activity and disabling the malware before damage is done. EPP tools use both behavioral and intelligence-based indicators to prevent ransomware and other malware from executing, and to detect zero-day and non-malware (fileless) attacks. This can also help satisfy compliance controls under PCI DSS, HIPAA, FISMA, SOX and similar frameworks. Treat it as a compensating control, though: it reduces the window of exposure for a known-vulnerable host, but it does not remove the vulnerability, and the patch still has to be deployed.
One problem that surfaces when patching is broken infrastructure. Any change to infrastructure carries risk, so patching is normally routed through the change management process. That process requires a risk assessment that rates each patch's criticality to the business: how severe the vulnerability is, whether it is being exploited, and how exposed and important the affected systems are. The assessment adds yet another task to the IT administrator's already full workload.
Microsoft's tooling (Windows Update, WSUS) can install patches automatically, but many administrators do not enable this because an automatic install can break legacy software that was never represented in the lab environment. With a robust patch management process and the right tools, however, an administrator can handle the process with far less effort.
We recently talked to a Senior Information Security Manager at a mid-size Software Manufacturer, and this is what he had to say about the criticality of patch management:
Overall, patching is the highest reward effort that every organization must take to maintain resilience against compromise. This should be as common as locking your doors when you leave the house. Although various organizations may have different uptime requirements, a standardized patching process should be incorporated in every one of them. Failure to address this basic housekeeping task will open the organization to data and system compromise. To combat the human resource constraint many organizations face, utilizing automatic installation of patches is highly effective. For systems that cannot handle unexpected interruption, establishing a routine patching window that is publicized to affected business units is key. Service partners can be engaged to perform the patching task for you, which greatly reduces staffing requirements.
Implementing patch management best practices requires a comprehensive approach: not only the orderly and efficient deployment of patches, but also attention to the other layers of complexity throughout the lifecycle.
How do you make sure that hundreds of patches are deployed per month and protect your organization against new malware and ransomware? Tell us your thoughts in the comments below!