So, here’s the thing. IT ecosystems are only as protected as their most vulnerable service. And yet, for IT professionals, it can sometimes feel like no one wants to even think about, much less take, the appropriate action to manage, control, and protect our environment. The unfortunate truth is that an organization could be exposed to a threat whenever we install something new, update an application, or allow an end user to download something onto their device. Done well, patching can protect your organization, its users, and its data from harm and keep things running smoothly.
This blog will look at the basics regarding vulnerability patching, what it is, what the patch process looks like, the challenges, and how to get started.
First things first, let’s cover the terminology:
A vulnerability is defined by the National Cyber Security Centre as “a weakness in an IT system that can be exploited by an attacker to deliver a successful attack”. Vulnerabilities can arise from flaws, features, or user error, and attackers will look to exploit any of them, often chaining several together, to achieve their end goal.
Patches are pieces of code that can be applied to remove vulnerabilities from an IT system or service. Patches usually come from the vendors of the affected hardware or software.
Vulnerability patching: the delivery of security patches to improve functionality or remove vulnerabilities from an IT system or service.
The first step in the process is identifying vulnerabilities and threats. The most common ways include:
Scanners and endpoint agents. Scans reveal known vulnerabilities and anomalies, including signs that malware or another malicious event may already be present.
Advisories from your hardware and software suppliers and third-party best practice organizations.
Penetration test results.
The next step is for IT to analyze the data and understand the nature of the threat and whether it could be exploited on your applications, servers, or networks. Not all vulnerabilities are created equal, so care must be taken to understand which vulnerabilities are present and prioritize accordingly. Not every vulnerability needs to be patched; for example, the vulnerable component may never be loaded into memory, or the weakness may not be exploitable in your environment. The final step is to patch the vulnerability, ensuring that the appropriate testing is carried out and any downtime is agreed upon with the business to minimize service disruption.
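To make the "prioritize accordingly" step concrete, here is an added example (not code from the original post) of a risk-based triage of scanner findings. Everything in it is constructed for illustration: the host names, the asset criticality ratings, the VULN-000x identifiers (placeholders, not real CVE numbers), and the weighting multipliers are assumptions chosen to show the idea, not a standard scoring scheme. The point it demonstrates is the one the paragraph makes: a finding whose vulnerable component is never loaded is deferred rather than patched, and the rest are ranked by severity, exploit availability, asset criticality, and exposure.

```python
"""Risk-based triage of vulnerability scanner findings (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # vendor/scanner severity score (0.0 - 10.0)
    exploit_public: bool    # is working exploit code publicly known?
    component_loaded: bool  # is the vulnerable component actually in use on the host?


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int        # 1 (low) .. 3 (business critical), from the asset inventory
    internet_exposed: bool


# Constructed inventory: criticality and exposure come from knowing your environment.
ASSETS = {
    "web-01": Asset("web-01", criticality=3, internet_exposed=True),
    "db-01": Asset("db-01", criticality=3, internet_exposed=False),
    "kiosk-07": Asset("kiosk-07", criticality=1, internet_exposed=False),
}

# Constructed scanner output.
FINDINGS = [
    Finding("web-01", "VULN-0001", cvss=9.8, exploit_public=True, component_loaded=True),
    Finding("db-01", "VULN-0002", cvss=7.5, exploit_public=False, component_loaded=True),
    # Library is installed on the kiosk but nothing on it ever loads it.
    Finding("kiosk-07", "VULN-0003", cvss=9.1, exploit_public=True, component_loaded=False),
    Finding("kiosk-07", "VULN-0004", cvss=4.3, exploit_public=False, component_loaded=True),
]

# Assumed weighting: the multipliers are illustrative, not a recognised standard.
EXPLOIT_MULTIPLIER = 1.5
EXPOSURE_MULTIPLIER = 1.5


def risk_score(finding: Finding, asset: Asset) -> float:
    """Combine scanner severity with environment context into a single ranking value."""
    if not finding.component_loaded:
        # Not exploitable here: the vulnerable code never runs on this host.
        return 0.0
    score = finding.cvss * asset.criticality
    if finding.exploit_public:
        score *= EXPLOIT_MULTIPLIER
    if asset.internet_exposed:
        score *= EXPOSURE_MULTIPLIER
    return score


def triage(findings, assets):
    """Split findings into a ranked action list and a deferred list with reasons.

    Returns (actionable, deferred) where actionable is a list of
    (score, vuln_id, host) sorted highest risk first and deferred is a list of
    (vuln_id, reason).
    """
    actionable, deferred = [], []
    for f in findings:
        score = risk_score(f, assets[f.host])
        if score == 0.0:
            deferred.append((f.vuln_id, "not exploitable in this environment: component not loaded"))
        else:
            actionable.append((score, f.vuln_id, f.host))
    actionable.sort(reverse=True)
    return actionable, deferred


if __name__ == "__main__":
    ranked, parked = triage(FINDINGS, ASSETS)
    for score, vuln_id, host in ranked:
        print(f"{score:6.1f}  {vuln_id}  {host}")
    for vuln_id, reason in parked:
        print(f"deferred  {vuln_id}  ({reason})")
```

The deferred list is kept on purpose: a finding that is not exploitable today still needs to be recorded and revisited, because a change in how the host is used can make it exploitable tomorrow.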
In an ideal world, vulnerability patching would be the most straightforward IT activity to get done. As with everything, there’ll always be difficulties. Here are some of the most common challenges and potential ways around them:
Lack of ownership
IT security is sometimes treated as SEP or “someone else's problem”. It’s all well and good saying that everyone should be aware of IT security, but clear ownership needs to be assigned to ensure that security threats and vulnerabilities are identified, assessed, and acted on. Codify roles and responsibilities in a RACI chart so that everyone knows what they’re responsible for, and nothing gets lost or forgotten about.
Work with your organization's change management (or enablement) team to agree on an appropriate maintenance window for patching (and any subsequent reboots and downtime) and secure the proper approvals.
Lack of testing
Effective testing benefits everyone, as the last thing you want after a patching exercise is a flurry of calls to the service desk the following day with users reporting issues. If possible, establish a non-production environment that hosts all your business-critical applications and services, so that patches can be tested without impacting end users. Once the patches have been tested and deployed to your live environment, run some additional tests and confirm that the affected services are responding normally before standing everyone down.
Patching can be the difference between a safe environment and one that is vulnerable to malicious attacks. Here are some tips on getting started:
Agree ownership - The responsibility for vulnerability management typically sits with security teams while IT is responsible for patching and patch management. Build clear workflows to ensure security can scan for and detect vulnerabilities, with clear handover points into IT support so that the appropriate support team can test and apply the patch before reporting the status back to security to close the loop.
Know your environment - You can’t manage what you don't know. The first step in any successful patch process is to understand what’s out there. Create an inventory or baseline of all devices, services, and dependencies in your IT infrastructure, including operating systems, custom in-house services and third-party applications.
Set your scope well - If you’re reading this article, the chances are you're new to the world of patching, so let’s start with your most significant pain points or areas of exposure. Vulnerability management and patching can be complex, and it’s too easy to get sidetracked or focused on the wrong things. Prioritize by overall risk and concentrate on the big hitters to make the biggest impact.
Create a patching policy - A vulnerability patching policy defines how patching is carried out in your organization. The objective is to protect your environment by reducing security risk: technical vulnerabilities are quickly identified and reviewed, risks are evaluated, and patches are applied within a reasonable timeframe. The policy must cover all the hardware, software, and applications on your network, including when they were last patched, a database of known vulnerabilities, and an agreed patching schedule.
Teamwork matters - IT security is too complex and too important to operate in isolation. There are many stakeholders and moving parts to manage, so lean into a collaborative approach. Work with change management (or enablement) to ensure patch activity is on the change schedule, the appropriate support teams have been engaged, and any downtime has been agreed upon with the business. Talk to the service desk about the timings of any patch activity so that the appropriate resources and checks are in place to protect the customer experience. Engage with the service level and relationship managers so that when new services and service level agreements (SLAs) are negotiated, IT security requirements are captured and supported with the appropriate maintenance windows.
Automate and optimize - Where possible, use automation and software tools to manage and maintain your patches and updates to improve accuracy and reduce the potential for human error.
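The "Know your environment", "Create a patching policy" and "Automate and optimize" tips above come together in a small amount of code: an inventory baseline, an agreed patching schedule, and a check that reports which assets have fallen outside their window. The following is an added example, not code from the original post. The host names, operating systems, tiers, dates and the schedule windows (7, 30 and 90 days) are all constructed assumptions for illustration; your own policy sets the real windows.

```python
"""Patching-policy compliance check against an asset inventory (constructed example)."""
from datetime import date

# Assumed patching schedule: maximum days an asset in each tier may go without
# its patch cycle being applied. Illustrative values, not a standard.
SCHEDULE_DAYS = {"critical": 7, "standard": 30, "low": 90}

# Constructed inventory baseline: what the organisation believes it owns,
# which tier of the policy each asset falls under, and when it was last patched.
INVENTORY = [
    {"host": "web-01", "os": "Ubuntu 22.04", "tier": "critical", "last_patched": "2024-05-01"},
    {"host": "db-01", "os": "Windows Server 2022", "tier": "standard", "last_patched": "2024-05-20"},
    {"host": "kiosk-07", "os": "Windows 10", "tier": "low", "last_patched": "2024-01-01"},
]


def overdue_assets(inventory, today_iso, schedule=SCHEDULE_DAYS):
    """Return (host, tier, days_overdue) for every asset past its patching window.

    Dates are ISO-8601 strings so the check is easy to drive from a CSV export
    or a scheduled job. The result is sorted with the most overdue asset first.
    """
    today = date.fromisoformat(today_iso)
    overdue = []
    for asset in inventory:
        window = schedule[asset["tier"]]
        age_days = (today - date.fromisoformat(asset["last_patched"])).days
        if age_days > window:
            overdue.append((asset["host"], asset["tier"], age_days - window))
    overdue.sort(key=lambda row: row[2], reverse=True)
    return overdue


def unknown_hosts(inventory, scanned_hosts):
    """Hosts the scanner saw that are missing from the baseline.

    Anything in this list is outside the patching policy entirely, which is
    exactly the "you can't manage what you don't know" problem.
    """
    known = {asset["host"] for asset in inventory}
    return sorted(set(scanned_hosts) - known)


if __name__ == "__main__":
    # Constructed scanner result for the same network.
    seen_by_scanner = ["web-01", "db-01", "print-03"]
    for host, tier, days in overdue_assets(INVENTORY, "2024-06-15"):
        print(f"OVERDUE  {host:10} tier={tier:9} {days} days past window")
    for host in unknown_hosts(INVENTORY, seen_by_scanner):
        print(f"UNKNOWN  {host:10} not in inventory baseline")
```

Run from a scheduled job, the two reports feed the handover described under "Agree ownership": overdue assets go to the support team that owns the patch, and unknown hosts go back to whoever maintains the inventory so the baseline is corrected before the next cycle.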