Tear up Traditional Approach to Patch Management

Ensuring full IT security is a thankless task that is often undermined by regular software updates, but it’s a necessary evil in today’s workplace.

Businesses have little choice but to yield to this time-consuming task, or face being compromised by unrelenting cyber-attackers. Keeping on top of patch updates places considerable stress on IT teams who are already inundated with a variety of other security-based responsibilities. Many teams also lack the time and resources for such labor-intensive work, leaving businesses at considerable risk.

Patch management means keeping every piece of software on every networked machine up to date to safeguard the business from vulnerabilities. This is something every IT manager must wish for, but most struggle to achieve it because of the complexity of the task. With a variety of operating systems, ranging from Mac OS Sierra to Windows 8.2 to running off a Linux server, making sure everything talks to each other is hard enough without constantly installing patch updates that could upset these delicate ecosystems.

The quick-fix affliction

Fulfilling the dream of seamless patch management and the associated security benefits requires an almost entirely self-sufficient tool that ensures all the available patches on applicable systems are up to date without troublesome, time-consuming daily intervention and management from the hard-pressed IT admin.

Yet patching third-party applications on a desktop remains a significant challenge for many organizations because of the fragility of many server environments. When virtualization is added, the administrator can be facing even greater complexity, especially when resources are limited, as they are in many medium-sized and larger businesses. Java, Adobe Reader, Flash and Firefox, along with many other business-specific applications, are often patched considerably later than Windows and Office, for instance.

Update inundation

With cybercrime rampant, hundreds of patches are released each month, all of which heaps even more pressure on the IT department. It has to decide which patches to install and which to ignore and what the optimum order of installation should be. Delaying could expose the business to a devastating ransomware or zero-day attack – and we all know who receives the blame when that happens.

Yet, the variety of platforms and configurations that a business may have and their vital importance in day-to-day operations may mean it is not desirable to install a new patch as soon as it is available.

Testing of patches before implementation is another necessity that can complicate matters. While it is important to test patches to ensure their stability, it can be difficult to achieve when an organization does not have the spare hardware, software or personnel readily available to create a testing environment.

Software inventory management also introduces another challenge because patch management is dependent on having a current and complete inventory of the software that is installed on every device in the environment.

Even when the IT department has an accurate inventory of systems, a list of controls, a system for collecting and analyzing vulnerability alerts and a risk classification system, it still has to deploy patches without disrupting normal operations.

Automation for the people

Automation is already overcoming many of these hurdles, using a single interface to make the whole process of patch management much easier and far less taxing on the brain. Automation of the entire patch-management life-cycle, like ManageEngine's Desktop Central, now means that it is possible to detect missing patches without staff intervention.

Patches are downloaded from the respective vendors’ websites and tested as required in relation to the business’s own assessment of its risk and business priorities.

Nonetheless, when opting for automation, it’s important to ensure that every one of an organization’s current IT infrastructure platforms, including operating systems and applications, is addressed and that remote offices and roaming devices are always included. Where necessary, it should be possible to exclude patches for specific groups of devices or the departments in which they are used, to prevent the network falling over if they use a specific OS.

Automation also makes it possible to minimize disruption and irritation for end-users by installing patches during non-business hours, or at least when applications are not in use. Devices are woken up before patches are deployed and then rebooted after installation.

The word “automation” can also suggest an undesirable level of rigidity, but in reality it gives admins all the flexibility they need so that a patch can be postponed if – for instance – an end-user is on a slow network at a remote location but urgently needs their notebook.

Lack of access to detailed reports is also a common problem with potentially serious consequences, which automation resolves. It is worth remembering that patch reports lacking detail can place devices and applications at risk. If the business has to meet specific industry compliance standards, these risks are never worth taking, because they can place the organization’s entire IT infrastructure in jeopardy.
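The points above (a current software inventory as the basis for detecting missing patches, per-group exclusions, deployment outside business hours, and a detailed report of what is outstanding) can be shown together in a small model. The following is an added example written for this article, not code from ManageEngine's Desktop Central or any other product; the devices, patch catalog, department exclusions and business hours are all constructed sample data, and the product names are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass
class Device:
    name: str
    group: str                   # department the device belongs to
    os: str
    installed: Dict[str, str]    # inventory: product -> installed version


@dataclass
class Patch:
    product: str
    version: str                 # version the product is at once the patch is applied
    severity: str                # critical / high / medium / low (vendor or internal risk rating)
    applies_to: Tuple[str, ...]  # operating systems the patch targets


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically, so 1.10 sorts after 1.9."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(device: Device, catalog: List[Patch],
                    exclusions: Dict[str, Set[str]]) -> List[Patch]:
    """Patches the device lacks, most severe first, one (the newest) per product.

    A patch is missing when it targets the device's OS, the product appears in
    the device's inventory, and the installed version is older than the patch.
    exclusions maps a group name to the products that must be held back there.
    """
    held_back = exclusions.get(device.group, set())
    newest: Dict[str, Patch] = {}
    for patch in catalog:
        if device.os not in patch.applies_to or patch.product in held_back:
            continue
        installed = device.installed.get(patch.product)
        if installed is None:
            continue  # not installed, so nothing to patch
        if version_key(installed) >= version_key(patch.version):
            continue  # already at or beyond this level
        current = newest.get(patch.product)
        if current is None or version_key(patch.version) > version_key(current.version):
            newest[patch.product] = patch
    return sorted(newest.values(), key=lambda p: (SEVERITY_RANK[p.severity], p.product))


def next_deploy_time(now: datetime, business_hours: Tuple[int, int]) -> datetime:
    """Deploy immediately if outside business hours, otherwise at close of business."""
    start, end = business_hours
    if not (start <= now.hour < end):
        return now
    return now.replace(hour=end, minute=0, second=0, microsecond=0)


def build_report(devices: List[Device], catalog: List[Patch],
                 exclusions: Dict[str, Set[str]],
                 business_hours: Dict[str, Tuple[int, int]], now: datetime) -> List[dict]:
    """One row per outstanding patch per device, with the planned deployment slot."""
    rows = []
    for dev in devices:
        slot = next_deploy_time(now, business_hours[dev.group])
        for patch in missing_patches(dev, catalog, exclusions):
            rows.append({"device": dev.name, "group": dev.group, "product": patch.product,
                         "from": dev.installed[patch.product], "to": patch.version,
                         "severity": patch.severity,
                         "deploy_at": slot.isoformat(timespec="minutes")})
    return rows


# Constructed sample data (placeholder product names and versions, not real advisories)
DEVICES = [
    Device("fin-laptop-01", "finance", "windows",
           {"reader": "11.0.1", "java": "8.0.151", "office": "16.0.1"}),
    Device("eng-ws-07", "engineering", "linux", {"java": "8.0.151", "firefox": "57.0"}),
    Device("ops-server-02", "operations", "windows", {"java": "8.0.151", "reader": "11.0.4"}),
]
CATALOG = [
    Patch("java", "8.0.161", "critical", ("windows", "linux")),
    Patch("reader", "11.0.4", "high", ("windows",)),
    Patch("firefox", "58.0", "high", ("windows", "linux")),
    Patch("office", "16.0.2", "medium", ("windows",)),
]
# Operations runs an application that is only certified on its current Java, so Java is held back there
EXCLUSIONS = {"operations": {"java"}}
BUSINESS_HOURS = {"finance": (8, 18), "engineering": (9, 19), "operations": (6, 22)}
NOW = datetime(2018, 3, 1, 14, 30)  # constructed "current time", mid-afternoon


def sample_report() -> List[dict]:
    return build_report(DEVICES, CATALOG, EXCLUSIONS, BUSINESS_HOURS, NOW)


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

Running the block lists five outstanding patches: three for the finance laptop (Java first because it is rated critical), two for the engineering workstation, and none for the operations server, whose Java is excluded by group policy and whose Reader is already current. Each row carries the deployment slot, which falls at the group's close of business because the constructed time is mid-afternoon.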

Although IT departments continue to face so many challenges in relation to patches, there is no longer any need for them to spend so much time grinding through the process when automation can take care of almost every aspect of this never-ending task.

The advances in solution design not only cut out much of the drudgery, but also offer better insight into current status and give greater reassurance that organizations will be safer without compromising business performance.
