Any cybersecurity professional will know that regularly patching vulnerabilities is essential to protecting a network. Keeping apps, devices, and infrastructure up to date closes the known, publicly documented holes that attackers scan for first.
But most cybersecurity professionals will also know there is a big gap between patching theory and reality. While implementing a patch management program is undeniably good practice, most organizations struggle with it. That goes some way to explaining why, by the figure cited in our webinar, around 60% of breaches involve a known but unpatched vulnerability.
What’s to be done? In one of our recent webinars, we spoke with cybersecurity expert Thomas Baasnes about what a ‘healthy’ patch management program might look like.
Read on to learn about:
- How Thomas assesses a company’s patching policy
- Why implementing a patching program is hard
- Whether it’s better to outsource patching or do it internally
- How patch management tech can help
Ingredients of a healthy patching program
Thomas is the Cybersecurity Director at Verdane, a leading private equity company headquartered in Oslo, Norway. Whenever Verdane invests in a business, Thomas carries out due diligence on their cybersecurity posture. Naturally, Verdane wouldn’t want to invest large sums in a business with poor security that could face a data breach and large fines.
During our webinar, we asked Thomas how to build up a ‘healthy’ patching program. He explained that, when he does due diligence on a company, he asks the following.
Have you mapped everything out?
If I’m doing due diligence on a company, I first ask if they have actually mapped out everything that needs to be patched
As the old adage goes, if you can’t measure it, you can’t manage it – and that certainly applies to patching. Without a comprehensive view of all the devices and apps that are connected to your network, it’s impossible to know what their status is, or if they’re vulnerable.
The simplest way to build this inventory is with asset discovery tooling rather than a spreadsheet: network scanners for on-premises devices (servers, network equipment, IoT, printers), endpoint agents for the software installed on each machine, and API-based inventories for cloud services, which a network scan alone will not see. Ideally the same tooling records the installed version of each component and when it was last patched, so the inventory can be compared against vendor advisories instead of just listing hosts.
Do you have patching procedures in place?
Do they have procedures for [patching] and have they automated everything that can be automated?
A healthy patch management program requires a clear, consistent and well-documented approach. Companies need a policy that sets a maximum time to deploy a patch, typically tiered by severity (a critical fix within days, a low-severity one within months), and then a way to verify that the policy is actually met.
As Thomas points out, automating patching as far as possible is what makes this consistency achievable. Automated patch management software deploys patches across multiple platforms and third-party software on a schedule, rather than depending on someone remembering to do it.
Some systems cannot safely take unattended updates, for example production servers that need a change window or a test run first. These still need a documented manual procedure with an owner and a schedule; otherwise they become exactly the gaps that attackers find.
However you approach patching, Thomas underscores the importance of being thorough. Patching procedures should cover:
- All endpoints
- Operating systems
- Network equipment
- Servers
- Third-party applications
- Your own in-house applications
Do you actively seek out vulnerabilities?
Do you actually proactively use tools to find vulnerabilities in your systems, and have a good way of evaluating how critical they are?
Rolling out regular updates is a good foundation for patching. But it is also important to continually monitor your environment for risks that the regular cycle has not yet covered. Proactively scanning for vulnerabilities, rating how dangerous each one is in your environment (exposure and exploitability, not just the vendor's severity), and having procedures to fix the worst ones first will get exposures closed faster than patching in the order updates happen to arrive.
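To make the three checks above concrete (an inventory of what is installed, a policy with deadlines by severity, and a prioritized list of what is exposed), here is an added Python example. It is not Heimdal's or Thomas Baasnes's code; the products, hosts, advisory identifiers and the day counts in SLA_DAYS are all constructed for the illustration, and the advisory ids are not real CVEs.

```python
"""Patch SLA check over an asset inventory (added example with constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: maximum days from advisory publication to deployment, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def parse_version(text):
    """'2.10.0' -> (2, 10, 0). Tuples compare numerically, so 2.10 > 2.9;
    comparing the raw strings would get this wrong."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str            # fictional advisory id, not a real CVE
    product: str
    fixed_version: tuple  # first version that contains the fix
    severity: str
    published: date


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: tuple
    last_seen: date       # last time the inventory scanner saw this host


def deadline(adv):
    """Date by which the policy says the fix must be deployed."""
    return adv.published + timedelta(days=SLA_DAYS[adv.severity])


def exposures(assets, advisories, today):
    """(host, advisory id, days overdue) for every asset below the fixed version.
    A negative value means the deadline is still ahead. Most overdue first."""
    found = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product or asset.version >= adv.fixed_version:
                continue
            found.append((asset.host, adv.ident, (today - deadline(adv)).days))
    return sorted(found, key=lambda e: -e[2])


def stale_assets(assets, today, max_age_days=7):
    """Hosts the scanner has not seen recently: blind spots in the inventory."""
    return sorted(a.host for a in assets if (today - a.last_seen).days > max_age_days)


# Constructed sample data: products, hosts and advisory ids are invented.
TODAY = date(2024, 6, 1)
ADVISORIES = [
    Advisory("ADV-0001", "widgetd", parse_version("2.3.1"), "critical", date(2024, 5, 20)),
    Advisory("ADV-0002", "widgetd", parse_version("2.2.0"), "high", date(2024, 3, 1)),
    Advisory("ADV-0003", "reportsvc", parse_version("5.0.0"), "medium", date(2024, 5, 28)),
]
ASSETS = [
    Asset("web-01", "widgetd", parse_version("2.3.1"), date(2024, 5, 31)),
    Asset("web-02", "widgetd", parse_version("2.3.0"), date(2024, 5, 31)),
    Asset("legacy-09", "widgetd", parse_version("2.1.7"), date(2024, 5, 10)),
    Asset("rpt-01", "reportsvc", parse_version("4.9.0"), date(2024, 5, 31)),
]

if __name__ == "__main__":
    for host, adv_id, days in exposures(ASSETS, ADVISORIES, TODAY):
        state = f"{days} days overdue" if days > 0 else f"{-days} days left"
        print(f"{host:10} {adv_id}  {state}")
    print("not seen by scanner:", stale_assets(ASSETS, TODAY))
```

Two details are worth copying into a real program. Versions are compared as integer tuples, because a string comparison would rank 2.9 above 2.10 and silently report a patched host as vulnerable, or worse, the reverse. And the stale-asset check is the answer to Thomas's first question: a host the scanner has not seen for a week has no patch status at all, and belongs at the top of the list ahead of anything the scanner can actually measure.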
Do you have a named, accountable person?
Is there someone to actually get information if there’s a new zero-day exploitable vulnerability made known… who will kick off the patching process?
Patch management procedures and automation can go a long way to keeping your environment secure. Yet a healthy patching program will always rely on human expertise. It is important to have a named person who is ultimately responsible for patch management. They should operate the patching software, but also continually follow vendor advisories and vulnerability feeds so that a newly disclosed, actively exploited flaw triggers the process without waiting for the next scheduled cycle.
Obstacles to enforcing proper patching
On paper, keeping an organization’s systems patched might seem straightforward. But, in the real world, implementing healthy patching practices can be very challenging. The following comments on Reddit cybersecurity threads highlight this.
Patching push back
A lot of times, if I say something needs to be patched, there’s pushback as to whether or not it needs to be done or not
Source – tosborne3
This is surely one of the most common challenges for IT professionals who want to patch apps and tools. Many end users don’t understand why their devices need to be updated, don’t want to spend time installing patches or fear losing data.
How can you deal with patching pushback?
- Educate colleagues about what patching protects them from
- Communicate the benefits of patching (including the improved look and feel of apps)
- Change organizational policies, allowing you to force patches through when necessary
Lack of time
The biggest thing is support teams saying they don’t have time to patch and/or fix configurations
Source – ageoffri
Many organizations continue to manually patch their apps and endpoints. To do this without disrupting everyone’s work, they typically have to do it over weekends or at night. Unsurprisingly, this causes bottlenecks in patching workflows.
How can you deal with the lack of time to patch?
As Thomas explained in our webinar, automation is the key here. By using patch and asset management tools, you can roll out patches automatically and schedule them for non-disruptive maintenance windows (e.g. overnight), so the work no longer depends on a support team finding a free weekend.
Lack of patching accountability
Having worked with a lot of organizations on this topic, the number one disconnect is responsibility vs. accountability. Asking, assigning, [or even] begging won’t move the needle unless those two items are addressed at an executive level
Source – pm_sweater_kittens
Without clear policies about who is responsible for patching and by when end users must install patches, people will simply postpone or ignore patching notifications.
How can you deal with lack of patching accountability?
Having a proper, documented policy about patching is key here – and it needs executive buy-in. Employees need to know that failing to accept updates on their devices/apps is not acceptable.
It is also vital, as Thomas told us in the webinar, to have a named person who’s in charge of patching. They should be responsible for keeping your patch rollout consistent, and they should have the ability to make their colleagues comply with the policy.
Sheer complexity of technology
Oh man, where to start? Giant volumes of assets all with different OS’s and tech stacks. Getting full coverage across infrastructure… Coverage gaps. Building custom detections to fix vendor misses. Sky high false and benign positive rates from vendors… Prioritizing vulnerabilities for remediation
Source – mildlyincoherent
For small organizations or startups with just a handful of devices, patch management can be relatively straightforward. But for large or legacy businesses, updating thousands of devices and apps across different operating systems can be incredibly complex and time-consuming. An endless stream of scanner alerts, many of them false or low-value positives, can also result in patch paralysis.
How can you deal with the complexity of technology?
As Thomas said, it starts with a comprehensive audit and mapping of all devices, apps and endpoints. It also helps to have the right tools. Patch management software that constantly scans your environment (including on-premises, cloud, BYOD and all operating systems) can make the process easier.
Should you outsource your patching program, or do it yourself?
As the Reddit discussions highlighted above show, running a patching program yourself can be extremely complex and time-consuming. The alternative is to outsource patching to a managed service provider. Is this better, or is the DIY approach more suitable?
For Thomas, the benefits of outsourcing are considerable:
there are a lot of advantages of outsourcing your detection and response capabilities – and you should understand what it actually means to do it internally. It’s not only a license cost [for patch management software] but it also comes with some work internally.
Ultimately, it depends on the specific situation of your organization. For some companies – particularly those with relatively few endpoints, lower risk, and fairly simple IT infrastructure – doing patching in-house may be affordable and effective. However, more complex companies with more complex tech and/or regulatory pressures often benefit from external expertise.
The tools you need for a healthy patching program
No one is claiming that running a patching program is easy. There are many complexities and practical challenges, not to mention costs and even obstacles around organizational culture.
However, with the right tools, rolling out updates and monitoring your network becomes easier. Heimdal’s patch management software gives you a single, powerful platform that:
- Helps map out all endpoints, apps, and devices in your network, which is visible in a central dashboard.
- Monitors for updates across all platforms, OS, cloud, and on-prem systems.
- Tests new patches in a secure, cloud-based sandbox, then automatically rolls them out per your schedule.
Learn more about our patch management solution, or contact us today for a demo.