Patch management is essential for managed service providers—for both their own systems and their customers’ systems. A patch management strategy is critical to avoid outages from unpatched vulnerabilities or errors during a patch rollout.
Here’s a good illustration of the criticality: In 2020, more than 18,000 security flaws in software and information systems owned or utilized by the federal government were discovered, with a record-breaking number of high and critical severity vulnerabilities, according to a report by the National Institute of Standards and Technology (NIST). The report also found that there was a significant increase in the number of Common Vulnerabilities and Exposures (CVE) reported, which required no user interaction or limited technical skills to exploit. NIST is leading this government-wide effort for reporting, assessing, and managing vulnerability disclosures in coordination with other agencies, including the Office of Management and Budget, the Department of Defense, and the Department of Homeland Security.
Given these numbers, it’s no surprise that patch management has become one of the biggest challenges and concerns for IT service providers and their clients. As more vulnerabilities are discovered, patch management becomes increasingly tedious and difficult. Thus, the only solution to this problem is to develop a patch management process with four essential components to ensure a sufficient level of risk management:
1. Develop a patching documentation policy
It is essential to implement and document good processes and policies to ensure that all personnel working on the patch are equipped with the understanding of the who, what, when, why, and how of the patching strategy. The policy should be documented, so that whenever a critical vulnerability is detected on a client’s software, the security teams can shift from a reactive to a proactive mode that allows for anticipation and decisive actions to ensure the organization is maintaining productivity.
2. Create a process for patch management and control
Developing a patch management policy for handling each new patch as it is released is the next step. There must be a formal process that is repeatable and consistent to minimize risk of a loss of service for clients.
3. Be consistent and utilize automation
Consistency is key for policy and process effectiveness. New vulnerabilities appear daily in old and the latest patches. Remaining highly vigilant and consistent helps to maintain effectiveness. Automation is an excellent way to boost efficacy within your entire patch management strategy. Automate functions such as undertaking a regular rediscovery of systems that may potentially be affected, scanning these systems for vulnerabilities, downloading patches and patch definition databases, and deploying patches to the systems that need them allow for security teams to concentrate on higher-priority tasks.
4. Utilize patching resources
Windows 10 updates on an “”as needed”” basis so teams are alerted the moment a patch is released and ready to be downloaded. For other programs, MSPs can use a multitude of resources to stay up to date on patch rollout. These include SearchSecurity Patch News, Oracle’s Critical Patch Updates and Security Alerts, and Patch My PC.
By documenting all patch policies and processes as well as incorporating them into standard operating procedures, MSPs can better protect clients from cyberattacks due to unpatched vulnerabilities.
BRETT CHELOFF is vice president of global security operations ConnectWise.
