Although patch management can be a time-consuming task, it is absolutely vital for all businesses to undertake, in order to keep their IT systems up to date and secure and to avoid any significant impact to their operations.
With remote working now the norm and expanding our attack surface, there is a heightened risk of cyber-attack through unpatched vulnerabilities, and cybercriminals are taking full advantage of this: the volume and severity of attacks continue to rise.
However, whilst the threat landscape grows, many organisations are not responding with the same level of due diligence to prevent exploitation.
What is Patch Management?
Patch management is the process of bringing any application, software or device within your network up to date, hardening its security and protecting against potential vulnerabilities.
Technology vendors are constantly working to fix underlying issues within their systems so that their users are provided with updated and secure software. To achieve this, they release an update to the current version, or a “patch”, to be installed to resolve a known issue, improve product functionality or fix bugs.
However, with the increase in threats, it is becoming far more complex not only to identify vulnerabilities but also to manage the volume of patches required across multiple vendors and products. It is no longer a case of just following Microsoft’s “Patch Tuesday” release: it is not just Microsoft that needs to be patched, but multiple vendors and multiple technologies across different devices, all with different tools and patching schedules. Given the complexity of managing this, it is imperative to have the right tools in place, coupled with a dedicated patch management schedule, plan and process. This helps to ensure that vulnerabilities are identified and patches are applied as soon as they are released.
Why is Patch Management important?
Patch management is vital for businesses for the following key reasons:
- Security: Patch management reduces the risk of cyber-attack and protects against malware by building a more secure network, closing known vulnerabilities and correcting known bugs in the software.
- Compliance with industry standards: The government-endorsed Cyber Essentials Plus certification states that you must patch high and critical vulnerabilities within 14 days of identifying them. Having effective patch management policies, procedures and tools in place ensures that you are complying with the recommended best practices.
- Productivity / System Uptime: Patching helps applications run smoothly, increasing productivity. In addition, patches may bring performance improvements, making systems easier and faster to use, and reducing the downtime that would otherwise be spent resolving issues.
Unpatched systems: an easy target for attackers
With security gaps and vulnerabilities being identified in software and applications daily, unpatched systems are considerably more vulnerable and far more accessible to attackers than systems that are regularly patched. In a 2019 survey conducted by the Ponemon Institute, 48% of the organisations surveyed reported that they had suffered a security breach, with 60% of those citing that the breach involved unpatched vulnerabilities. In 2020, as more employees worked from home, attackers had more devices to target, many of them running unpatched remote access tools, further reducing the effort required of cybercriminals.
In its 2020 mid-year report, security vendor Check Point reported a worrying statistic: a staggering 80% of attacks observed in the first half of 2020 were against vulnerabilities that had been reported in or before 2017, and 20% used vulnerabilities that were at least seven years old.
Statistics like these show how many organisations are struggling to apply the appropriate patches to protect against even known and registered vulnerabilities. A common factor in the delay in rolling out patches is a lack of resources, with 77% of organisations stating that they do not have enough resources to keep up with the sheer volume of releases.
So, with limited resources but a multitude of patches to roll out, let’s look at the tools that System Administrators should be using to help alleviate the burden of patch management.
Patch Management Tools & Processes
There are a variety of tools available from numerous vendors; to have an effective patch management strategy in place, organisations should use a mixture of tools and schedules to maximise protection.
In the first instance, some kind of vulnerability scanning utility is required to tell you where your vulnerabilities are and where you need to patch; a vulnerability is any flaw or weakness that can lead to exploitation or a security breach. Our preferred scanning vendor is Tenable. Tenable’s entry-level Nessus product is a low-cost vulnerability scanning solution with very little barrier to entry. Tenable’s range then advances into the enterprise Tenable.io and Tenable.sc products, both excellent tools for high-end scanning that give users complete visibility across their entire network. There are also products from Qualys, Rapid7 and Darktrace, to name but a few.
Prioritisation of Patching
Once vulnerabilities have been identified, it is critical to evaluate and prioritise them: how severe is each vulnerability, and does it need resolving immediately, tomorrow, or can it wait a while? Whilst your scanning tool might find hundreds of flaws, it is wise to schedule your patches in order of severity, paying particular attention to those rated critical or high. Developing a patch management schedule based on your vulnerability reports should ensure that you are not only reacting to the critical issues but also scheduling the minor issues for remediation in a timely fashion, before they escalate to high or critical themselves. Ultimately, by running regular scans of your environment and acting upon the reported findings, you should end up with a patch management schedule that is defined and documented.
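The severity-ordered schedule described above, written out as an added example (not code from the original post or from any scanner vendor): it parses a constructed CSV export in the shape a scanner might produce, assigns each finding a due date from a remediation window (14 days for critical and high, matching the Cyber Essentials point earlier; the medium and low windows are assumed policy values), orders the queue by severity and then due date, and reports which findings have already breached their window. The CSV column names, hostnames and finding titles are all constructed for the example.

```python
import csv
import io
from collections import namedtuple
from datetime import date, timedelta

# Remediation windows in days from first sighting. Critical/High use the 14-day
# window the Cyber Essentials point above refers to; Medium/Low are assumed
# internal policy values, not figures from the page.
WINDOW_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

Finding = namedtuple("Finding", "host title severity first_seen")  # severity lower-cased
ScheduledPatch = namedtuple("ScheduledPatch", "finding due overdue")

def parse_scan_export(text):
    """Parse a constructed scanner CSV export with columns host,title,severity,first_seen."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().lower()
        if sev not in WINDOW_DAYS:
            raise ValueError(f"unknown severity {row['severity']!r} on {row['host']}")
        findings.append(Finding(row["host"].strip(), row["title"].strip(), sev,
                                date.fromisoformat(row["first_seen"].strip())))
    return findings

def build_schedule(findings, today):
    """Give every finding a due date and order the queue: highest severity first,
    then earliest due date, so minor issues still get a slot before they escalate."""
    queue = []
    for f in findings:
        due = f.first_seen + timedelta(days=WINDOW_DAYS[f.severity])
        queue.append(ScheduledPatch(f, due, today > due))
    return sorted(queue, key=lambda s: (SEVERITY_RANK[s.finding.severity], s.due))

def overdue(queue):
    """Findings already past their window: the breaches to report on first."""
    return [s for s in queue if s.overdue]

# Constructed sample export (not real scan output); severities deliberately mixed-case.
SAMPLE_EXPORT = """host,title,severity,first_seen
ws17,Outdated TLS cipher suites enabled,Medium,2021-02-01
srv02,Adobe Reader out of date,High,2021-03-10
fw01,Firewall firmware out of date,low,2021-01-05
srv01,SMBv1 enabled on Windows Server,Critical,2021-03-01
"""

if __name__ == "__main__":
    for s in build_schedule(parse_scan_export(SAMPLE_EXPORT), date(2021, 3, 20)):
        print("OVERDUE" if s.overdue else "due    ", s.due, s.finding.severity, s.finding.host, s.finding.title)
```

Run against a real export, the queue gives the order of work for the patching window and the overdue list is the figure to report against the 14-day requirement.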
When reviewing patching tools for the Windows estate, there have previously been tools such as Windows Server Update Services (WSUS) and Microsoft System Center Configuration Manager (SCCM). Microsoft has, however, recently brought out its Advanced Threat Protection (ATP), now part of the Endpoint Manager tool-set, which scans your estate and gives you a scoring mechanism. Using the Endpoint Manager tool, you can see where the risks in your network are and identify any missing patches that need to be deployed.
Microsoft has recently rolled this up with elements of SCCM into its cloud-based Microsoft Endpoint Manager, which includes Intune. Intune, Microsoft’s mobile device management product, enables you to manage not only your Microsoft estate but also other operating systems and devices, bringing them under a single pane of glass in Microsoft Endpoint Manager. On a per-device basis, Microsoft Endpoint Manager and Intune can be used natively to patch all the Microsoft applications in your environment, but they can also deploy patches to other applications, for example the latest version of Adobe Reader, all from the same tool, which brings those applications under the same patching regime.
Hardware Devices & Firmware upgrades
Unfortunately, it is not just operating system and application patching that you need to stay on top of; hardware devices and firmware upgrades also need to be taken into consideration. Whilst vulnerability scanning tools will recognise weaknesses in them, you will need another toolset to patch them. Dell’s iDRAC tool, for example, allows SysAdmins to update and manage their Dell systems, and HP has its own remote server management and update tool in iLO. Additionally, you will need to ensure that devices such as your firewalls are regularly scanned and patched for vulnerabilities. We work closely with Palo Alto Networks, having implemented their products across the majority of our client base, and we use the Palo Alto Networks Panorama tool to patch them, which allows us to push out updates centrally to the many devices we manage on behalf of our clients.
Even with all of the scanning and automated toolsets available to identify, prioritise and patch, it remains a time-consuming yet critical process.
If you, like many organisations, do not have the resources available in-house to manage your patch management schedule, we can assist; Krome has a dedicated managed services team who will work with you to identify your infrastructure patching requirements.
Our Managed Services Team runs regular vulnerability scans on your environment, prioritises patching based on criticality, monitors vendor releases, patches software, applications and hardware, and generally takes away the headache of managing it internally.
Alternatively, if you would like us to review your patch management policies and procedures, we can also offer this service in the form of a gap analysis report, which forms part of our Cyber Security Essentials Plus Assessment service.
If you would like a simple snapshot of whether you are behind on patching critical or high vulnerabilities, we can assist you with a point-in-time vulnerability scan to report on the current state of your environment.
If you would like more information on our Managed Services or Cyber Security assessments, please use the form below or contact us on 01932 232345.