The way to keep software vulnerabilities from becoming threats is to keep your systems up to date. Therein lies the importance of patch management. Vulnerabilities happen because software always contains errors and oversights, which threat actors exploit. Your best hope of staying ahead of vulnerabilities is to continually patch your systems and keep them current.
What is patch management?
Patch management is the fundamental best practice of discovering which software products need to be updated (patched), then obtaining, installing and testing those updates. Without patch management, it’s difficult or impossible to secure a network against cyberattacks.
In most enterprise networks, patch management takes place in several steps:
- Using tools and utilities, system administrators scan for vulnerabilities and weak spots in the network.
- They rank the vulnerabilities they’ve discovered by severity and potential harmfulness. That ranking allows them to set priorities for which patches to apply first.
- Patches are software, and all software introduces changes, so smart IT teams test and validate patches on a small subset of the network and watch for any unintended effects.
- Once assured that patches are safe, admins deploy them widely across the enterprise network, either manually or using automated patch management software.
Why is patch management important?
Patches are an essential component of network security. The threat landscape is constantly evolving, and the vendors of software and operating systems issue patches to defend their products against new threats.
Companies ignore patch management at their peril, as exemplified in the Equifax breach revealed in September 2017. An unpatched vulnerability in Apache Struts resulted in a massive theft of data, affecting 148 million Americans and more than 200,000 credit card accounts. The company spent about $1.4 billion in fines and clean-up costs — all because they ignored a simple, widely available patch.
Besides the financial aspect, patch management matters for preserving brand and reputation with existing and future customers. The patching process is also required in many regulatory frameworks; out-of-compliance organizations risk being sanctioned or fined by regulators, and can even be shut down.
So the importance of patch management is that it keeps your software and applications updated and maintained for several reasons:
- It gives you access to the latest features and functions offered by the software, operating system or network equipment.
- You ensure that your systems are running efficiently and smoothly because they’re up to date.
- You stay compliant with regulations and industry standards.
- Your security profile improves because you address the vulnerabilities that could be exploited by cybercriminals. That reduces your cyber-exposure and attack surface.
How important is proactive patching to businesses?
Patch management does not happen by itself, and it does not happen simply because you want it to happen. IT teams must make it happen, and that leads smart organizations to adopt a formal process of proactive patching.
In some organizations, insufficient resources or lack of awareness of the patching process keeps even high-priority patches from being deployed. According to a survey conducted by the Department of Defense, some 60% of computers in the United States are not protected by a patch or virus protection program. That leaves organizations exposed to risk and vulnerable to attack.
The rise of the mobile user and working from home tends to exacerbate the problem, with employees working from locations not within the reach of IT. In those cases, proactive patching means manual patching, unless the organization has invested in endpoint management solutions that save precious time and effort on system administration.
The importance of proactive patch management is that it helps to protect against cyberthreats, ensures compliance with regulations, saves costs, maintains reputation and improves system performance.
What is the main objective of patch management?
The goal of patch management is to deploy software patches carefully and on time so that the organization reaps the security benefits that patches provide. A related goal, of course, is to avoid unnecessary exposure to risk.
A robust patch management process includes policies that set out the best practices and procedures for sysadmins to follow when deploying and testing patches. The objective of the policies is a one-size-fits-all, established patching process that guides technicians as they set priorities and decide how to execute on them. The policies apply all along the patch management path and include error correction and dealing with unforeseen network conditions.
What are the risks of not having patch management?
In the era of remote computing, it’s common that users rarely if ever connect to the corporate network or VPN. They may work strictly over browser-based communications and collaboration tools, and the software they use may not even interoperate with Active Directory. It’s a departure from the traditional IT model and it causes headaches for the system admins and support teams responsible for maintaining devices. How can they keep those devices up to date with the latest patches to avoid attackers?
Several prominent risks arise from not having patch management:
- Threat actors — Patched software is secure software, safe from headline-grabbing cyber-threats. Threat actors regard unpatched systems as locks just waiting to be picked, and they gladly sow malware and viruses on them.
- Compliance — Organizations like NIST and Cyber Essentials publish certification schemes that emphasize the importance of patch management and software updates among their requirements. Compliance with those schemes ensures prospective customers and partners that the company is taking IT security seriously.
- Compatibility — As IT and software products evolve, integration with other products ensures interoperability. A common reason for a software update is trouble-free compatibility with another product on which users rely. Patching systems leads to higher employee productivity driven by the most recent features and performance improvements in the product.
- Reputation — Will your company’s reputation withstand a data breach if your customers find out you overlooked the deployment of a simple security update? There’s a lot riding on your ability to protect the information of your customers, users and business partners.
Finally, there is the simple financial risk of not having patch management. When a typical data breach costs between $4 million and $10 million, it’s a clear sign of the importance of patch management in your organization.
What are common types of patches?
The type of patch plays a big role in the priority you assign to it in your patch management process. Most software vendors rank patches according to urgency, or at least according to whether the patches are important, recommended or optional.
As described above, the most urgent patches are remedies for system compromises and security holes. Threat actors look for and eagerly exploit such vulnerabilities, so it’s wise to take any security patch seriously and deploy it promptly. Other patches address software errors and bugs that creep in during development or occur because of changes in other areas of the product. They are remedies for problems that are vexing but not necessarily dangerous, like unexpected behavior or inconsistent operation. And still other patches contain performance improvements and new features. They do not address security problems specifically but affect user experience by adding functions or accelerating them.
How often should you perform patch management?
Given the importance of patch management, the best practice is to begin the cycle of testing and deploying patches as soon as they become available. That applies even if it means rolling out patches before their normal patching schedule dictates.
Even when system administrators follow a normal patching schedule, there is no guarantee that they will be able to deploy patches in a timely manner. For example, it’s rare for the patch management process to conflict with a service-level agreement, but if it does, sysadmins may be obliged to suspend deployment to accommodate the SLA.
In reality, some organizations push out patches too late, while others don’t push patches out at all, as described above. Of course, any delay in applying patches can set the stage for a breach. No matter how quickly a breach is detected, it may cause significant damage before the organization can restore normal operations.