Patch Management Best Practices

Skim today’s cybersecurity headlines and the scope of damages from cyberattacks will likely shock you. Not only are the number of security breaches increasing each year, but so is the average cost of a cybercrime incident. In 2018, the average cybercrime incident cost $13 million, which represented a whopping 72% increase from 2013. By 2021, experts estimate that cybercrime will represent a total global cost of $6 trillion annually. These financial concerns are why managed services providers (MSPs) should take a proactive approach to their customers’ security countermeasures and risk intelligence.

Patch management is one essential way MSPs can help keep their customers safe. Patches are small fixes made to the code of software applications and programs, often with the intention of addressing bugs or security issues. The consequences of improper patching can be far-reaching—some of the largest data breaches of the past few years can be traced back to a lack of patch management best practices.

For instance, the 2017 Equifax data breach, which exposed the data of 143 million Americans, was linked to an Apache Struts vulnerability that had gone unpatched for two months. Another high-profile breach came in 2018, when an outdated version of Outlook at SingHealth was responsible for exposing the data of 1.5 million patients. Ultimately, strong patch management policy and procedures are essential for data privacy, and security.

What are the general steps for patch management?

General patch management strategy includes several processes: scanning networked devices for missing software updates, downloading these patches when they become available, deploying the patches to the necessary devices, and ensuring they are properly installed.

Patch management for Windows machines tends to rely on two software updating services, depending on the size of the networked environment. Small- and medium-sized companies can get by with Windows Server Update Services (WSUS), which manages and deploys updates for Microsoft-specific operating systems and software across multiple machines. System Center Configuration Manager, which is designed for large-scale enterprises, builds upon the capabilities that WSUS provides but includes greater functionality for scheduling and automated patch deployment.

Windows patch management best practices will help with the Microsoft infrastructure, but things get more complicated when considering the various third-party applications and programs that many companies rely on to achieve their strategic and organizational goals. That’s why implementing a patch management software solution is often key. Patch management software not only helps to ensure that Windows server patching best practices are maintained, but that open source patch management needs are seen to as well—thereby helping ensure that all applications within the computing environment are kept up to date.

Why is patch management important?

Proactive patch management policy and best practices provide several benefits, security being perhaps the most obvious and important. In fact, one 2018 study found that more than half of data breaches could be traced back to identified vulnerabilities that had been left unpatched. Because patches identify the specific vulnerabilities they’re meant to fix, it’s essential that they be installed quickly, because hackers and malware can start to exploit those vulnerabilities within hours of the patch’s release.

However, patch management best practices can also help to optimize business-critical functions in other ways. Take productivity, for example. While patches help to prevent the exploitation of vulnerabilities in software code, many of them also provide performance improvements, leading to fewer application crashes and system downtime. Automated patch management also helps to ensure that organizations stay abreast of the latest technological developments and updates, which can include new features and capabilities that often increase the ease and speed of use for end-users.

One other benefit that patch management provides is compliance. Because of the ubiquity of cyberthreats, many regulatory bodies require businesses to demonstrate they’re actively staying on top of security updates and best practices. Failure to do so can result in legal and financial ramifications.

What are patch management best practices?

Pressing concerns about security means patch management best practices are vital to a safer and more secure computing environment. Here are a few of the policies and practices that MSPs should be enacting to help ensure their customers’ assets are safe.

  1. Maintain accurate systems inventory
    If you don’t have an accurate inventory of all the software and hardware elements connected to a network, it becomes incredibly difficult to ensure that all applications and devices are kept patched. Running regular scans of a network’s asset inventory is important for keeping an accurate portrait, which can then be used to determine which patches need to be applied.
  2. Assign assets to categories
    After creating an accurate inventory, group them by how exposed they are to attack and how great an impact they would have on business functions if they were to be taken offline. This helps determine which assets require immediate patch deployment (anywhere between hours and days of a patch’s release) or a more standard timeframe (which could take up to several weeks). Assets that store sensitive information, support public-facing elements, or enable important functions should be given priority.
  3. Consolidate software
    The more versions of software a customer is using, the more complicated patching becomes. That’s why streamlining software is another important practice—it reduces administrative overhead and promotes internal cohesion by helping ensure that multiple distinct applications or programs aren’t being used for the same purpose. Fewer software options result in fewer patches that will eventually need to be deployed, meaning less risk for vulnerability.
  4. Stay on top of vendor patch announcements
    Third-party products are commonplace in networked environments, which makes keeping up with vendor patch announcements a key part of maintaining patch security. Having an accurate asset inventory allows you to subscribe to third-party vendor security updates, which can often be sent to specific email inboxes or communication channels to help ensure that they aren’t overlooked.
  5. Work around patch exceptions
    It’s likely you’ll encounter situations in which a patch can’t be deployed immediately or requires changes in order for it to work properly. Given that this can take time, the best course of action is to limit how much risk the asset in question is exposed to until the patch can be applied. While you should have already restricted user permissions to necessary personnel only, this step becomes even more essential when patch exceptions come into play. You should never expose high-stakes assets like servers to the internet when left unpatched.
  6. Test before you deploy
    Every network environment is going to have at least a few unique quirks. For this reason, it’s important to test patches in restricted sandbox environments that allow MSPs to help ensure a given patch doesn’t cause problems or cause assets to crash. If a patch clears the smaller subset of systems, you can likely roll it out in additional subsets across the rest of the network.
  7. Automate when possible
    You can often automate open source patch management. If your customers rely on open source applications and libraries, you should patch them as soon as possible. Because it can be difficult to track the various open source libraries and tools in use by your customer’s developers, automation is an essential part of helping ensure that asset inventories are kept up to date—including which open source tools are in use and the software versions that are vulnerable and require patching.

The best automated tools will come with library integrations baked-in, meaning that you’ll be able to instantly know which libraries customer’s developers are using. This will allow you to automatically deploy updates when unsafe library versions are detected. Because vulnerabilities in open source code will affect whatever applications end up using those portions of vulnerable code, it’s strongly advised that open source patching be automated so you don’t have to track down each application and individually fix affected code.

While there are a few key things to keep in mind when it comes to patch management best practices in 2020 and beyond, the bottom line is that patch management is crucial to helping protect your customers in today’s computing world. To make patch management as smooth as possible, consider user-friendly tools that make rollout and reporting easy. SolarWinds® RMM and N-central® both feature a robust patch management feature that can help fine-tune your patch management policies and make updating your customers’ software a seamless process.

Interested in learning more about how patch management software works? Explore our product suite to see how you can prepare for potential vulnerabilities.

Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a trial.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site