Patching remains a difficult task for many organizations – but it’s critical for security. Discover 5 patch management best practices for 2023.
Not all patches are the same, explained Syxsense’s chief customer success officer Robert Brown. Some are strictly updates that introduce new features, drivers and or firmware. Other patches fix issues such as software glitches or security holes.
Cybersecurity agencies and vendor rating systems grade patches based on their importance. The Common Vulnerability Scoring System (CVSS), for example, gives a score from one to 10, with the highest ratings being the most serious. Some patch management systems use CVSS scores, while others incorporate other metrics and evaluate a vulnerability against how much risk it poses to a specific business or application.
Critical updates offer a significant benefit: improved security, better privacy or greater reliability. Updates that are graded as important but non-critical will still enhance the system; optional patches typically relate to drivers or new software.
“Different vendors rate things differently,” said Brown. “As one vendor may grade a patch as critical and another as non-critical, it is best to take multiple factors into account.”
Syxsense provides a “Syxscore,” which is based on an organization’s attack surface with vulnerabilities and endpoint posture. It leverages the National Institute of Standards and Technology and vendor severity assessments in relation to the health status of the endpoints in an environment.
“Syxscore is a personalized evaluation of what devices are vulnerable and the criticality of updates to the overall protection of your network, giving you the ability to target endpoints that pose the most serious levels of risk,” said Brown.
Brown offered some tips on patch management, outlined below.
Jump to:
Too many companies tend to turn on Windows and Apple updates and believe they are covered. However, they are missing a great many open-source and third-party patches that may represent severe exposure.
“Third-party updates account for 75% to 80% of all vulnerabilities,” Brown said.
SEE: Learn how to create a solid patch management strategy here.
Once organizations begin to confront third-party vulnerabilities, the volume of patches can soon become overwhelming. Some try to manually deal with all the vendor patches that come their way, but this ties them up in knots as they must test each one, figure out the best sequence of deployment and time the patch delivery to avoid overwhelming the network.
Cloud-based patch automation is the answer. The vendor takes care of prioritization, testing, patch rollout and the verification of a successful patch.
Brown advised enterprises to first establish their exact needs and choose a patch management toolset that fits. By taking advantage of all available automation features, IT and security personnel will have time to get on with more strategic projects.
One of the biggest issues in patching is making sure you cover all systems and devices. Cybercriminals only need one unpatched app or device to wreak havoc.
Moreover, not all patch and vulnerability scanners are the same. Some miss smartphones, others are operating in a system-specific fashion and more than a few are weak when it comes to backup and storage applications.
Brown also explained the best way to test and roll out patches: To start, a handful of systems should be used to create an initial baseline for patch deployment. These devices are used to verify that the patch is installed correctly and no issues come up.
From there, deploy across a larger set of devices, which should include machines from different departments. You want to have a device or two in IT, finance, marketing and other departments, for example, so you can verify there are no issues with any core business applications. If that all checks out, set up a schedule to deliver the patch everywhere.
SEE: What is patch management?
Finally, Brown ran through some additional golden rules of patching: