The job of cybersecurity defenders is never completed and all security measures, even if taken together, never guarantee of failing in front of consistent onslaught of attacks. Attackers always find some new point of entry to exploit your systems or network.
That keeps defenders in a forever hunt of vulnerabilities, so that they can find and fix the vulnerabilities. But it always requires TIME, and there lies one of their greatest challenge. What is that?
It is -- Finding and deploying sound fixes, within a very tight time window.
This is what we call as 'Patch Management.'
It is something like seeing the cut or wound, and quickly deciding whether to band-aid it or managing the 'stiches' to fix it, all within a short time window.
It does not matter whether your patch fixes a small problem or serves as a temporary security measure, while you can find or develop a strong patch. Essentially it is Patch Management...and it can help your organisation stay more secure.
But it does not mean that you keep saying, "Update your system regularly." Because saying does not change anything, it is doing that does make a difference. And doing it right way is not that simple...
-
What is Patch Management?Patching basically is the insertion of code to “patch” a vulnerability or functionality issue in a system. Patch implementation usually takes place via a system update, e.g., removing old features, updating drivers, etc.
But Patch Management refers to how a company identifies, develops, and implements those patches. Rather than starting from scratch, patches serve as a relatively expedient or immediate fix. If necessary, a more lasting solution/fix to the bug may come later in the form of a new product release/update.
For example, operating system updates become available as soon as companies identify vulnerabilities (like Microsoft’s Patch Tuesdays), but a completely new version of an OS offers new functionality aspects, for example, you can upgrade Windows 8 to Windows 10. Right?
There are various approaches for Patch Management:
1. Internal Methods
It is internal development of fixes and usually the domain of vendors companies like Microsoft, Cisco, VMWare, Apple, Google and so on, because they are responsible for developing & launching patches for their products, e.g., Window OS. They will provide you the patches.
2. External Patch Management Products/Platforms
These are products or services offered by third parties like MSSPs. Their solutions will do the job of identifying, testing, validating, managing the patches for you. Sometimes, they can even fix the bugs in the code for you. These types of products/services may offer you fully scalable patch-management tools. They may offer you fully autonomous (Automated) systems for this also.
-
Why Is Patch Management Damn Important?Not patching your system properly may result in some exceptional blunders in your cybersecurity.
If you remember the Equifax breach of 2017, then you would know that approx. 145-million customers' personally identifiable information (PII) was stolen. All it happened, because they failed to patch a known vulnerability. It is said that attackers were in the network for full 76-days, before the remediation was executed. But the damages were already incurred...
Lesson is quite simple, that whenever a vulnerability is identifies it requires you to take a swift action. Ignoring or postponing a patch can result in loss of revenue and seriously damage your company’s reputation. The ultimate goal of patching is to SHORTEN the window of attack once a vulnerability is identified.
The perpetually best advice would sound like this:“Patch often, patch everything, patch everywhere. Patch as if your life depend on it.”
While it may sound like a simple issue of time to you, But it is not.
Patching requires a great coordination and resources. Since implementing patches on a set schedule is no longer enough.
Today you require a different approach to patch management. The greatest hurdle today remains the factor of time:
-
Time to identify the fix to vulnerability
-
Time to develop a fix
-
Time to deploy the patch through the network/Cloud
Today you need to be proactive with your patch management strategy...
That is the prime reason the most government agencies, standards and regulations such as NIST Cyber Security Framework, PCI DSS, HIPAA, etc all clearly mention Patch management in their requirements.
Part of the problem is that each enterprise and industry-sector requires a different approach. A software company will need to approach security patch management from a different angle than a financial institution.
-
4- BEST RECOMMENDATIONSThese recommendations will serve you well in your company:
1.
Organizations should deploy enterprise patch management Tools using a phased approach.
You need to focus on 2-points here. First I'm talking at the scale of an 'Enterprise'. Two, I am talking of a 'Phased' approach.
Since you are dealing with an enterprise here, you need to establish a small group of people, before you deploy the patch application universally.
Best is if you deploy your tool, FIRST to standardized desktop systems, and single-platform server-farms of similarly configured servers. Because the similarity among all these, will make achieving implementation success easier.
Once this has been accomplished, your group/team should address the more difficult issue of integrating the followings:
-
Multiplatform environments
-
Non-standard desktop systems
-
Legacy computers
-
Other computers with unusual configurations
-
Other unusual devices
Manual methods may need to be used for operating systems and applications not supported by automated patching tools, as well as some computers with unusual configurations.
Last, you should focus entirely on patching your CLOUD resources & assets, because they also need patching all the time.
2.
Organizations should reduce the risks associated with 'Enterprise Patch Management Tools' themselves through the application of standard security techniques that should be used when deploying any enterprise-wide application.
Deploying such tools within your organisation will also create 'additional security risks' for your organization. However, a much greater risk is faced by you if you do not effectively patch your systems.
Have no doubt that such tools usually increase your security far more than they decrease security, especially when these tools contain 'own' built-in security measures to protect themselves against security risks and threats. There are many risks of such tools, you need to be aware of:
-
What if, patches they are supposed to deploy as altered by threat-actors?
(Precisely, this is what was done to execute the recent world-famous Solarwinds breach-cum-attack.)
-
What if, the credentials used in the tools are being misused?
-
What if, they themselves have some serious vulnerabilities which can be exploited?
-
What if, people or non-human entities who are monitoring such tool fail to communicate well about identified vulnerabilities?
I would suggest you to do the following things to manage the risk of such tools:
Always keep ALL the components of patch-manage tools, tightly secured and up-to-date.
Take guarantee that all the network communication/traffic generated by these tools is highly encrypted all the times.
Take extra precaution while verifying the integrity of ALL patches before installing them, and testing patches before deployment. NEVER EVER TAKE A CHANCE HERE....NEVER!
3.
Organizations should balance their security needs with their needs for usability and availability.
You must have already experienced that sometimes installing a patch of one application may “break” other applications; this can best be addressed by testing patches before deployment.
Similarly, forcing application restarts, OS reboots, and other host state changes is disruptive and could cause loss of data or services. Again, you need to balance the need to get patches applied with the need to support operations.
4.
Triage your patching
Not all patches stands equal. You must always be aware of your critical assets which contain your most important data, or where the RISK is higher from your organisation's perspective, you must prioritize them higher in your patching queue. Automated Patching solutions would still warrants a careful triage, no exception!
-
Kindly write 
your comment on the posts or topics, because when you do that you help me greatly in 
designing new quality article/post on cybersecurity.
your comment on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.You can also share with all of us if the information shared here helps you in some manner.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
30,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM