Manage Learn to apply best practices and optimize your operations.

Perfecting the patch management process within enterprises

Patching enterprise systems and software can be a daunting challenge. Charles Kao explains how the patch management process should work and what pitfalls to avoid.

Patch management is one of the key security controls or processes that can help you keep the systems connected...

to the network secure and an unattractive target for malware attacks.

Depending on your organization's culture and size, the patch management process typically involves the IT operations or infrastructure team taking care of upkeep. Some organizations may opt to have their security teams be the primary owners of patching -- but this is generally not a best practice.

The word upkeep does make it sound like a daunting task, especially if the team is burned out or stretched too thin from their day-to-day job responsibilities. The upkeep tasks typically involve obtaining the patches, testing them, documenting the testing for approval and installing them. The prerequisites for patch management are having systems in place responsible for discovering assets on the network and having a public or private repository set up to enable systems to fetch updates.

Patching problems

Now that we have the definition of patch management out of the way, let's discuss why most CISOs continue to struggle with their IT Infrastructure teams to keep system patches up to date. There are two sides to this coin.

Let's start from the CISO perspective. A CISO is probably asking, how do I work with the patch management team effectively to get all the systems up to date with patches without missing a beat? What is the right patch management process for this organization? Who should the stakeholders be, and does everyone have a clear understanding of their systems and all the data elements in play? How should I prioritize the application of patches based on risk?

From the patch management team's perspective, however, there are challenges and hurdles on multiple fronts. The team is dodging the CISO as much as possible, not because they do not want to patch, but because they either don't know where to start or don't have any updates to provide or enough information to formulate a sustainable working patch management process.

Perfecting the patch management process

To have a sustainable, working patch management program, you need to first open up the two-way communication street. Identify and understand the systems under the hood inside out, as well as the business processes and data elements that are in play.

Then, customize and integrate patch standards into the current IT infrastructure and business processes -- and do not ask the patch management team to figure out how to retrofit their process into the standards that you have proudly developed. After all, patch management is not a one-size-fits-all solution.

To have a sustainable, working patch management program, you need to first open up the two-way communication street.

Without first understanding how business systems interconnect, the back-end processes, the data elements moving from point A to point B, how to normalize the information gathered, how to map it back to your risk-based algorithm, how to inject the data gathered, and how to automate the patch management process, your patch management team will continue to treat all the systems with the same risk level, and they will apply every single approved patch manually.

And, before you know it, the team will drown silently in the testing cycle, push a bad patch to production causing massive disruption to the business, and CISOs will find themselves sitting in the corner of the room along with others trying to explain the root cause to the business executives. Meanwhile, in their mind, CISOs are asking themselves if the patch management team knows what they are doing, and if they should put a stop to patching altogether -- which, of course, is not the best option.

Patch management is vital to properly protect your organization from unwanted visitors and threats while keeping your systems stable and in a working functional state. It is inevitable that issues will crop up, and working together with the IT and business team is one of the key ingredients to success.

Collect as much relevant information as possible when developing your patch management program and execute it by partnering with the business and the IT department. Without their support, the patch management program will never be successful.

This was last published in February 2018

Dig Deeper on Microsoft Patch Tuesday and patch management

Join the conversation

2 comments

Send me notifications when other members comment.

Please create a username to comment.

How does your patch management program work?
Cancel
Providing tech support to small healthcare providers, I am currently researching the best strategy for managing Windows 10 Pro patch updates in these small peer to peer workgroup networks. I am concerned because some of my Win10 Home users have had their PC's repeatedly crashed by successive automatic monthly patch updates, and I can only imagine the day when I get the call that several medical clinics all have multiple PC's down from a crippling update.

Also, some of the Windows 10 version updates can be GB in size, so managing internet traffic requires some way of getting the update onto an internal P2P patch server and pushing or pulling it from there.

Another issue is the wise precaution of making a couple of PC's at each site the update "test dummies", and delaying updates to all the other PC's until the test dummies have proved the updates are safe to fully deploy. I'm not sure the Win10 update tracks system will do this in a way that will be very efficient when multiple sites with multiple PC's are involved.

I hope other members have some concrete suggestions on patch management in Win10 peer to peer workgroup networks.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close