For the CEO or COO hearing the word patching for the first time from the experts in their IT department, an array of ideas might float into their head. “How much is this going to cost me?” “I thought we just solved that data breach protection protocol two months ago?” Or, “I am tired of solutions that don’t fix the problems with our company data, they just seem to be band-aids.”
Unfortunately this is the hurdle facing information technology professionals as they work around the clock to protect their company’s proprietary data from exogenous threats. According to the Cisco 2015 Annual Security Report, only four in 10 company IT departments have a coordinated patching strategy.
A patch is in fact not a temporary solution at all, but rather a strategic method by which to update existing software programs by inserting new code into the current operating code. These updates may involve areas such as mitigation of software bugs to addressing vulnerable security systems, or simply installing software upgrades provided by vendors.
These operating system updates may be from Microsoft on their Patch Tuesdays, but also can include third party vendor software updates like Adobe, Cisco, Java, Apple and others.
In the current environment where data security issues and protocols are the primary concern for a business, the fundamental issue becomes how an IT department provides the necessary patching services to all of the organization’s endpoints.
In developing a strategic approach to patching, the reality is that there must be buy-in from the leadership team. Patching is a pro-active engagement, not a reactive one. Think of this analogy, a computer much like the human body can get sick. In order to alleviate the symptoms, one would take medicine, or in the case of the machine an antivirus. The concern though is that the antivirus/medicine does not solve the underlying reasons for being sick: diet, exercise, etc. Following the analogy, computers that just rely on antivirus software and have not been attended to with a coordinated patching effort (solving underlying problems) are more vulnerable to breaking down, malfunctioning or having security compromises.
Once buy-in is established from company leadership, an effective patching framework needs to be built, and can be done by answering five key questions associated with deployment.
Which updates should I install?
The best approach to this first query is to prioritize what updates are most necessary and beneficial for the firm’s end users. Three categories are useful to designate the types of updates that flow from software vendors.
- Critical updates offer significant benefits, such as improved security, privacy, and reliability.
- Important updates address non-critical problems or help enhance your computing experience.
- Optional updates can include updates, drivers, or new software to enhance your computing experience.
As each update is considered on this basis, a secondary, but equally critical assessment must be utilized, the severity of possible threats that could impact the operating system and ultimately the end user if the update is not installed. In other words, a third party update may be listed as critical, but in actuality the severity of a non-install is quite low. How do you know? The most simple and effective method is to review the Department of Homeland Security’s sponsored Common Vulnerability Scoring System (CVSS), a free and open industry standard for assessing the severity of computer system security vulnerabilities. Metrics span from 0 to 10 with vulnerability measured in the range of 7.0-10.0 (High), 4.0-6.9 (Medium) and 0-3.9 (Low).
It is not uncommon to have a vendor tagged critical update attached to a CVSS score in the Low range, or an important update that actually is associated with a High score. In making the assessment of which updates to install, it is finally important to understand that updates provided by vendors are in many cases superseded updates, meaning that they are taking the place of an existing update. Effectively “roll-up patches.” In the final analysis, the best decision is to patch the highest severity of non-superseded vulnerabilities with the highest exposure in your environment.
How can I test my updates thoroughly?
When it comes to testing updates, the key is to consider the purpose of deploying the patch strategy in the first place, protect the company’s operating systems and devices.
Rule number one: never test on your own machine and two: make sure the patch is able to be uninstalled. To this end, assemble a “test rig” of virtual machines (which will experience the initial test), using any available technology, which most closely mirrors endpoints most representative of the firm’s technology environment including: workstations, and server and tablet operating systems covering all OS service packs.
The process itself will have three phases: research, identification and physical testing and grading success of each. Phase one-research must generate answers to these questions:
- What does the update actually fix?
- What OS does the update effect?
- Does the update require a reboot?
- Is the update silent?
- Does the update require any user interaction?
- How large is the update?
Phase two-identification and actual testing must meet the following criteria: specifically identify a minimum of five devices for each update to be deployed, and then doing so with the virtual “test rig,” colleague endpoints, pilot endpoints (which tend to carry less risk) and any extended pilots.
Lastly, phase three—measuring success—requires looking at the following and recording the information: Did the software update install correctly? Were there any interruptions during the process? Does the update conflict with other software or antivirus? And of course the rebooting procedure: always reboot at least twice to ensure the update has been applied.
Taking these steps will help mitigate frantic calls from colleagues saying they lost work or their machine has a “bluescreen,” complaints which ultimately get blamed on the patching procedure.
How many updates should I install at once?
If you take one lesson from this section, make it to never deploy all patches at one time. The list of catastrophes resulting from massive deployments are too great in number to quantify, but the stories are always the same, trying to do everything at once leads to major problems. A great rule of thumb to work by is this formula:
Number of Missing Updates X Number of Devices/Average Network Speed
If your patching strategy is just getting started consider starting with five updates, and work up from there.
How do I safely deploy my updates?
Answering this question flows from the previous one, how many updates to deploy. Safety brings the conversation back full circle to system vulnerabilities, and as such needs to focus on not only the number of updates deployed, but the correct ones, which have already been verified and tested, and what devices are patched on the correct day. The most common errors occur when the wrong devices are upgraded on the wrong day causing significant business impact.
The most logical method of pursuing safe deployment is through a baseline methodology, which is a group of fully tested updates deployed each month in a phased and controlled way. If we return to the IT department rolling out their first patch strategy, the team might begin with five updates and then each month roll-out the next set on a timed and coordinated basis. Depending on the type of organization and its set-up, a patching effort might involve categorization by: department, region, location or device type among others.
How do I gauge the success of my strategy?
This is really a question of working the patching plan, monitoring and communication with stakeholders. Success can be measured in many different ways including the number of incidents raised on the helpdesk following deployments, the ease of which the patching process can be followed and regularly repeated and the efficiency of the patching strategy on reducing system vulnerabilities.
Development of a patching assessment protocol complete with dashboard reporting for company leadership is the most effective means of stating the message that the patching strategy is producing positive results, reducing the threat posed to operating systems and delivering bottom line financial returns.
Patching is one of the most important undertakings for an organization from a technology perspective, yet its name connotes one meaning, which can confuse company leadership, while in actuality patching denotes an absolutely critical function in delivering a highly productive and secure information workplace environment for employees.
Working with patch management service professionals is an IT department’s best way to deliver the promise to executives of providing safe, reliable and efficient endpoint security across an organizational infrastructure.
ABOUT THE AUTHOR: Robert Brown is director of services at Verismic Software, Inc. During his 10+ years with the brand, his role has evolved from onsite technical consultant through to his current role. Robert’s approach to deployment of services, continuous review of process efficiency and putting the customer’s experience at the forefront has led to the establishment of one of the most capable technical teams in the UK who support Verismic’s award-winning Cloud Management Suite.
ABOUT VERISMIC: Verismic Software, Inc. is a global industry leader providing cloud-based IT management technology and green solutions focused on enabling greater efficiency, cost-savings and security control for users, all while engaging in endpoint management. Headquartered in Aliso Viejo, Calif., Verismic is a growing and dynamic organization with offices in four countries and 12 partners in nine countries. Over the past two years, Verismic has worked with more than 150 companies ranging from 30 to 35,000 endpoints delivering a variety of solutions for organizations of all sizes as well as managed service providers (MSPs). Verismic’s software portfolio includes the first-of-its-kind agentless, Cloud Management Suite (CMS); Power Manager; Software Packaging and Password Reset. For more information, visit www.verismic.com.