
The Importance Of Patch Management

With more and more cyber attacks every day, and multiple endpoints and devices for organisations to keep track of, it’s never been more important to ensure that they’re updated. Not only do updates help your devices run smoothly and more efficiently, but they can help to patch vulnerabilities before they can be exploited by attackers.

What is patch management?

Patch management is the simple but often forgotten process of managing all the patches and software updates that are distributed within an organisation and its respective infrastructure. This can be done manually, where updates are installed and tracked one by one. Alternatively, it can be done via a selection of solutions provided by vendors, where the distribution and logging of said patches and versions can be almost completely automated depending on the organisation’s needs.

Where is it needed?

As a blanket statement, patch management is required by all organisations if they want to uphold a good security standard. To put it simply, patch management allows an organisation to secure any identified and fixable vulnerabilities, and decrease the organisation’s attack surface. In most cases, if a vulnerability has been discovered and publicly disclosed to the vendor, then a security update or patch should follow shortly after. What organisations need to do is manage the installation and acquisition of patches as soon as possible in order to ensure that their tools and utilities are kept safe - keep in mind, though, that these updates may have an effect on your current services.

The dangers of ignoring patch management

One of the most high-profile vulnerabilities in recent years was Log4Shell, which helped to show that the stakes for keeping your software patched and up-to-date couldn't be higher. Log4Shell was a zero-day vulnerability in Log4j, the popular Java logging library, and it took the world by storm in late 2021. The exploit allowed attackers to execute code (typically malicious code) on the machines of any victims who had the vulnerable library installed. This caused catastrophic damage and left people panicking over the holiday season - not just because of the incidents that occurred as a result of the vulnerability, but also the widespread media coverage of Log4Shell, which created a frenzy online. This vulnerability has since been mitigated in later versions of Log4j, but if your organisation doesn’t have patch management procedures or solutions in place, then you may still be vulnerable.

Another example of a well-documented vulnerability came to light during the SolarWinds supply chain cyber attack back in 2020. The vulnerability, SUNBURST, was used to attack companies and organisations using SolarWinds’ Orion software, a performance and health monitoring platform for IT devices. By exploiting it, malicious actors were able to gain access to over 30,000 organisations using several versions of the software - 2019.4 Hotfix 5, 2020.2 with no Hotfix installed, and 2020.2 Hotfix 1.

It’s been almost two years since this breach came to light, and security patches have been released for each of these versions. During that time, however, organisations were left panicking, uncertain of their patch management policies. By being proactive and putting policies in place, you can rest easy knowing you have everything in place to help remediate any threats that might arise.

Ways that you can configure patch management

One of the best ways to work out a patch management solution for your business is to focus on the three pillars of People, Processes, and Technology - otherwise known as PPT.

People

When considering ‘People’ as part of your patch management solution, user awareness is key. By keeping up with the latest vulnerabilities and working closely with your cyber security team, you’ll be able to better understand where you should be focusing your attention when it comes to managing the patches and updates.

Processes

The ‘Process’ part of patch management typically follows this rough structure:

  • Discovery – identify and document your organisation’s IT asset list.
  • Categorisation – group your IT assets by risk and priority.
  • Patch Management Policy – identify the what, when, how and under what conditions the patches will be rolled out to the categorised items. For example, vulnerabilities with a critical CVE (Common Vulnerabilities and Exposures) score should be patched immediately on all public-facing devices, and vulnerabilities with a low CVE score affecting a niche toolset could be patched once a month.
  • Monitoring – ensure monitoring is in place for newly-released vulnerabilities, whether that be through manual or automated means.
  • Test Lab – create an environment that allows for patches to be tested before they’re pushed to the live production environment. Some patches could have unintended and adverse effects and, on some occasions, create zero-day vulnerabilities - putting the business in a worse position than it was prior to installing the patch. It’s important to ensure patches are tested first, to ensure the aforementioned is less likely to happen.
  • Rollout and Documentation – when all parties are happy with the test case, document and configure the rollout of the patches to the agreed devices in the live production environment.
  • Auditing – patches don’t always work on every device first time, so you should ensure there’s a way to identify the devices that fail to update. This is a good point in the process to involve people in helping to identify any patch anomalies.
  • Reporting, Reviewing, and Renewing – document and report all of the actions taken throughout the process, as well as the devices that were updated. Afterwards, review the process to identify any parts of the process where improvements could be made - and then enact them.
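The Patch Management Policy and Auditing steps above can be expressed as a small script. This is an added example, not code from the article or its authors: the hosts, packages, versions, score thresholds and the 7- and 14-day tiers are constructed assumptions, while the "immediately" and "once a month" tiers follow the article's own examples.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Asset:                      # Discovery + Categorisation record
    name: str
    public_facing: bool
    software: dict                # package name -> installed version tuple

@dataclass
class Advisory:
    package: str
    fixed_in: tuple               # first version that contains the fix
    score: float                  # severity score, 0-10 scale (assumption)

# Constructed sample data: hosts, packages and versions are made up.
ASSETS = [
    Asset("web01", True, {"logging-lib": (2, 4, 1)}),
    Asset("hr-db", False, {"logging-lib": (2, 4, 1), "niche-tool": (1, 0, 0)}),
    Asset("build01", False, {"logging-lib": (2, 5, 0)}),
]
ADVISORIES = [Advisory("logging-lib", (2, 5, 0), 10.0),
              Advisory("niche-tool", (1, 0, 3), 2.5)]

def deadline_days(asset, adv):
    """Patch policy: the 0-day and 30-day tiers follow the article's examples;
    the 7- and 14-day tiers and all thresholds are hypothetical."""
    if adv.score >= 9.0 and asset.public_facing:
        return 0                  # critical on a public-facing device: immediately
    if adv.score >= 7.0:
        return 7
    if adv.score < 4.0:
        return 30                 # low score: monthly cycle
    return 14

def plan(assets, advisories, today):
    """Return sorted (due date, asset, package) for every install below the fix."""
    work = []
    for a in assets:
        for adv in advisories:
            installed = a.software.get(adv.package)
            if installed is not None and installed < adv.fixed_in:
                due = today + timedelta(days=deadline_days(a, adv))
                work.append((due, a.name, adv.package))
    return sorted(work)

def audit(assets, advisories):
    """Auditing step: devices still below a fixed version after rollout."""
    return sorted({a.name for a in assets for adv in advisories
                   if a.software.get(adv.package, adv.fixed_in) < adv.fixed_in})
```

Running `plan` before the rollout gives the ordered work queue, and running `audit` afterwards lists the devices where a patch did not take, which is the anomaly list the Auditing step asks people to review.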

Technology

As mentioned above, manual patch management is an option. However, it can be quite cumbersome and resource demanding. Another option is to look at automation tools, which can be used to assist with patch management. RMM (remote monitoring and management) solutions can help with most aspects of the procedures described above. Some of the best ones out there on the market are N-Able, ConnectWise, ManageEngine, and Microsoft 365 Lighthouse, which can all assist you with patch management and help you to manage and monitor the devices within your network.

Patch management is a crucial part of the operation of any modern organisation, and if ignored, it will leave a large attack surface. Fortunately, it can be automated, allowing you to control your investment. Furthermore, having this self-sustaining layer of protection helps you to improve your company’s security posture and overall technical cyber culture, allowing you to be proactive and defended instead of reactive and open. To learn more about how you can shore up your own cyber defences, don’t hesitate to get in touch - the expert team can help.

©2022 Cyber Security Associates. All Rights Reserved.