View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Guest blog: 10 secrets to successful patch management

The recent spate of Java vulnerabilities has required a number of large vendors to react almost instantly to ensure security levels are kept to an optimum. Ian Van Reenen, CTO at CentraStage writes about how organisations urgently need to apply greater strategic thinking to ensure that security updates are reaching throughout the entire organisation.

By Cbr Rolling Blog

We found in an analysis that 40 per cent of servers and workstations are missing security patches. In addition, six vendors: Microsoft, Adobe, Mozilla, Apple, Oracle and Google, together released 257 security bulletins/advisories fixing 1,521 vulnerabilities in 2011. In 2010, these vendors fixed 1,458 vulnerabilities , demonstrating the extent of the issue as well as the numbers of bulletins we annually face.

With more and more bodies utilising remote working, the challenge isn’t just to implement patches as they are released, but to be fully confident that devices have been updated and are thus continuously safeguarded. So what the ten key areas IT experts should tick off the list for a successful PM implementation?

1. Transparency is key

At the heart, asset discovery is essential. If you don’t know what you’ve got, you don’t know the extent of the problem you may have. If you do nothing else, make sure you know where your IT assets are; this is a quick gain that will put your house in order.

Once the estate is established, it’s key to have real-time visibility of the assets you support. With the urgency in which we need to manage patches, the first secret is to not only have full awareness of the estate but instantly know the health of it too.

2. Don’t just look at the security

Knowing the whereabouts and health of the IT estate is paramount, as it provides the intelligence for ensuring it is security. A study of public sector chief information officers in December 2012 found that 87% of respondents were either concerned or very concerned about the risks associated with IT security breaches. . A clear indication of the priority this is for many technology experts. In addition to security, also keep an eye on securing IP, as it can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

3. Define your patch nirvana

While the audit and assessment element of PM will help identify systems that are out of compliance with your guidelines, there needs to be additional work to reduce non-compliance. Start by creating a base line, a standard to which you want the entire estate to comply to. Once complete, it’s easier to bring controls in line to ensure that newly deployed and rebuilt systems are up to spec with regard to patch levels.

4. Face the facts

You must know which security issues and software updates are relevant to your environment. Further analysis of our data showed that 50 per cent of PCs and laptops are still running Windows XP, and 32 per cent of devices are over four years old.

Beyond PM and the protection against vulnerabilities and exploits which by now must have caught the attention of heads of IT globally, is the preparation and planning ahead of end of life Windows XP support. If you do not replace, there is no way to safeguard. If you do replace, this has implications on expenditure. So ensure you not only have a realistic view of PM and its limitations, but also ask whether the discipline of PM indirectly ensures the infrastructure and IT estate is a viable one from support and budget perspectives.

5. Do it your way with software policies

You can customise policies targeted at filters or groups at the account or profile level. The filter targets can be either the default filters provided within your account or any custom filters than you have previously defined. The secret here is to define custom filters or groups to identify devices with specific criteria, one or more of these filters can be associated with a policy so as to target those devices.

And of course, this goes back to your base line creation. Set the policies from the outset and customisation will be a simple step forward.

6. Is the time right?

Why wouldn’t you implement a patch management update as soon as you can? With baseline mechanisms in place, there’s no need to delay. If you have a solution that automates the process, then you would have given some consideration as to your ideal timing. Consider the time of day for updates by policy – what time will have the least impact on day-to-day business? The ideal timing for updating patches should follow any roll-out best practice. Consider the day of the week, the impact on the business if something doesn’t go smoothly, and consider whether there is sufficient resource and time to rectify if necessary. Furthermore, if your IT management solution is on-premise rather than cloud- based, you might even have to take responsibility of scale and load of the update.

7. Audit first – is it too broken to be fixed?

Gaining visibility of devices which are vulnerable is crucial, but so is analysing the overall health of each device. Ensure all devices are audited prior to rolling out patches or patch policies. There could be a more urgent matter requiring attention before the device can be brought in line.

8. Big estates, big patches, big problems?

We are led to believe that the bigger the enterprise estate, the more complex the management, but in most cases, solutions are easily scalable. The issue comes with usability, as complexity increases (and in some cases, the number of solutions and providers also grows), the technology team is used more and more to ensure the estate is kept up to date. Keep usability as simple as possible, there are solutions that do not require a technically skilled person to ensure the estate is kept up to date quickly and easily. In fact, it’s much easier than you think.

9. Tiny budgets, smart people

So often PM is a distress purchase because vulnerabilities such the ones we’ve seen recently place patch management in a crisis management budget and not an ongoing IT budget. And this of course, has financial implications. Enterprise IT management companies such as CentraStage help save costs by not just offering PM, but automating auditing and monitoring; helping IT service providers to work smarter and their budgets work harder. If automation is behind the scenes, it doesn’t interrupt the business and will keep all software solutions running smoothly, without input.

10. Visualise your patch management

Make sure you can see a graphic representation of your PM, tailored by severity and whether the patch requires a reboot or user interaction. This also fundamentally supports measurement and service level agreements to report SLA’s in a way that’s visual. Not only will this help with compliance, but it will demonstrate that you, as the technology expert is making a difference to the business. This makes for better relationships throughout an organisation, whether internal or external.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.