Patch management refers to the process of acquiring software updates for operating systems and applications and deploying them in an effort to eliminate known security vulnerabilities, fix bugs or add new features. In spite of this seemingly simple definition, the patching process can be quite complex.
Here are 10 key steps for getting a handle on the patch management process and ensuring its effectiveness.
1. Establish a baseline inventory
The first step in the process is to establish an up-to-date baseline inventory of all of your production systems. This inventory must be comprehensive in scope and at minimum should include all of the operating systems and applications your organization uses.
However, creating an application and operating system inventory is really just a starting point. Just as software vendors release software updates that are designed to correct bugs and known vulnerabilities, hardware vendors periodically release firmware updates that are intended to address issues at the hardware level. So you'll also need to include firmware in the inventory.
The reason it is so important to start with a baseline inventory of your production systems is because you will need it to assess the current state of patching in your organization.
Depending on the size of your organization, you can collect the inventory manually or use automated patch management software for the job.
2. Have a plan to standardize systems to the same version type
Standardization is an important part of the patch management process. Having multiple versions of an application running in production drives up support costs and increases security risks. The same can be said for multiple versions of an operating system. Therefore, one of your major goals should be to determine the version of each operating system and application that your users should be running and come up with a plan for standardizing around your preferred version.
The process sometimes involves more than just upgrading to the latest version. There may be dependencies that have to be upgraded prior to deploying your chosen version. There might also be hardware requirements to consider. Windows 11 for example, requires a Trusted Platform Module 2.0 chip, and not every system that runs Windows 10 can support Windows 11. Hence, if Windows 11 is your preferred operating system version, you will need to scrutinize your hardware inventory to make sure all your systems can support Windows 11.
3. Categorize each asset by risk and priority
During the initial phases of the patch management process, organizations will generally identify a number of upgrades that need to take place and patches that need to be applied. Performing all of these upgrades and patch deployments at the same time would be incredibly risky. Instead, organizations should take a very methodical approach to the patch management process. This means assessing the vulnerabilities that the various patches are designed to correct and then prioritizing critical updates. The vast majority of patches for operating systems and applications are designed to address some sort of security risk, but not all security risks are equally serious. Some may be quite minor while others are critical. You should deploy the critical updates first.
4. Use a test lab environment
Any time you deploy patches there is the possibility that a patch will cause problems. Before you apply any patch to your production environment, it should be thoroughly tested in a lab environment. You will need to determine whether the patch is safe for use in production, or if it causes issues with mission-critical software. Even though software vendors presumably perform some level of patch testing, vendors are anxious to address security vulnerabilities quickly and may not test patches as thoroughly as they should. There have been numerous situations where software companies have released buggy patches that have introduced problems into environments that were working fine.
5. Have the security team test patch stability
When testing a patch in your lab environment, it is important for your security team to confirm that it is stable and doesn't crash. At the same time, though, the security team should verify that the patch does indeed correct the vulnerability that it was designed to protect against. It should also work to make sure the patch doesn't introduce any new security vulnerabilities.
Your organization should establish a policy for how long patches should be tested in the lab environment. Every patch needs to be tested as thoroughly as possible, but the need for testing must be balanced against the need to address the security vulnerability. Some organizations use a relatively short testing phase for critical patches but perform more in-depth testing for patches that are designed to address less serious vulnerabilities.
6. Gather software patch, vulnerability and test information
At the completion of the software testing phase, your security team should compile a list of the patches that have been tested, the vulnerabilities that those patches address and the outcome of the testing process. Those who are responsible for patch testing are essentially verifying that the testing process has been completed and making recommendations to the people responsible for deploying the patches.
7. Identify endpoints that need patching
The next step in the process is to determine which endpoints the patches need to be applied to. A good patch management application can help you keep track of the software that is running on each endpoint. That way, you can use a filter to obtain a list of the systems that should receive a particular patch.
8. Review, approve and mitigate patch management
At this point, there needs to be a formal review process in which the people responsible for managing software consider the patch that is to be deployed, the results of the testing process and the list of endpoints that are tentatively slated to receive the patch. With this information in hand, they can decide whether to approve the patch deployment process.
If the team decides not to deploy a particular patch, the organization's patch management software will need to be configured to prevent that patch from being deployed. This is an essential step that keeps unwanted patches from being installed accidentally.
9. Do a pilot deployment on a sample of patches
Even though one of the main goals behind the patch management process is to standardize around a specific software version, few organizations roll out patches to all users at the same time. Instead, organizations will commonly do a pilot deployment to a representative sample of the user base prior to performing an organization-wide deployment. This pilot deployment helps to verify that the patch is indeed safe for production use. It gives the organization one last chance to catch any issues that did not surface during lab testing. If an issue is found, then only a relatively small number of endpoints will be impacted, since the patch is yet to be deployed across the entire organization.
10. Document systems pre- and post-patching
The last step in the process is documentation. It's important to document the state of your systems both before and after a patch is applied. That way, if problems begin to occur later, it will be easier to figure out if they can be attributed to a patch that was applied.
By carefully following this patch management process, your organization can gain the benefits of patches while minimizing the risks of deploying them. With a well-executed process, your systems will have the latest features and be largely free of bugs and security vulnerabilities. Plus, your IT and security teams will have peace of mind knowing they have a process they can count on that is predictable and relatively stress free.