Malware exists to exploit vulnerabilities that are discovered in software. Patches exist to fix those vulnerabilities. Therefore, why do many vulnerabilities remain unpatched? Why is patch management so complicated? Is software patching an art or science?
Unfortunately, security and IT experts don’t live in a patch-everything-immediately fantasy land. Compromises are dictated by the conflicting priorities and interests within large organizations.
The Art or Science of Patch Management
People will always be who they are. Humans have cognitive biases that cause them to behave in different ways. The most dangerous of these biases is called hyperbolic discounting. People like to choose smaller rewards over larger rewards that may come later in the future.
When offered a choice between avoiding patch-related headaches now and avoiding cyber attack-related headaches later, most people are drawn to the former. Not all patches are created in an equal way. Some are urgent while others are not. Some can jam third-party applications, others cannot. Some require rebooting, others do not.
The notions of complex systems and organizations, compounded by the irrationality of the human mind and variations in patches themselves, mean that patch management is not a science - it’s an art.
Why is Patch Management Essential?
Patch management is an umbrella term for the process of knowing, acquiring, testing, installing and following up on patches. Patch management is important because of the variations in the patches themselves, the total number and complexity of systems to be patched and the complexity of orchestrating downtime in large organizations that are full of different priorities.
Organizations always precede the false idea that security issues go before patches. In fact, it’s the reporting and patching of a vulnerability that often offers cybercriminals the information they need to create an exploit. In other words, the availability of a patch makes security better for those who deploy the patch and worse for those who do not deploy it.
The Countless Challenges of Patch Management
Patch management is a strategy for defending against cyber attacks. Why aren’t organizations patching everything? And why aren’t they automating their security tasks? The reason can be summarized as patch fatigue. There are so many patches to process. Microsoft has released thousands of patches for security updates.
Also, there’s the technical debt issue. IT security experts have to ensure that applying a patch to one system won’t break another. Patch testing impacts the schedules, time and objectives of business users and application owners.
The Art of Patch Management
Patch management is an art because it requires ranking, soft people skills, quality vulnerability assessment, awareness of the latest threats, creative thinking and intuition born of experience. Here are some of the major elements of the art of patch management:
- Patching everything with the perfect procedures on the perfect schedule is unlikely, unless you have an unlimited budget and staff. Considerate prioritization is an important part of the art of patch management.
Prioritize the functions and systems that are essential to your organization’s business and those that would cause the greatest harm if an attack occurs. An advanced vulnerability assessment service or tool can help you discover where the most threatening vulnerabilities are hiding.
- Don’t exclude the people factor. Business users can have a bigger fear of patch-related downtime than the major threat of catastrophe resulting from unpatched systems. For this challenge, culture is important. Never stop working on building a culture of perspective and collective ownership when it comes to mitigating security risks.
- Agree on who does what with clear rules of ownership. Communicate service-level agreements (SLAs) and responsibilities. Right-size ownership for your organization, but be clear and communicate.
- It’s tempting to focus on workstations and servers, but don’t forget about internet of things (IoT) devices such as office equipment, security equipment and network devices. You still have to focus on legacy systems. Also, cloud resources need to be patched. Think of every system in the organization in terms of patchable elements. For instance, think of a server as many patchable things: OS, firmware and every application installed.
- Communicate needs and build an environment of collaboration among IT security teams. Track and record the effectiveness of patch management. Additionally, use that information to communicate risk mitigation so everyone understands why it’s worth the time and money.
- Another essential piece of effective patch management is a consolidated and simple approach. Automate as much as you can. However, don’t expect to automate everything.
Find the best patch management solution that will help you keep a database of the software, hardware and middleware updates that are available. These will either update automatically or alert users that they need to be manually implemented.
More importantly, a solution should alert admins about all unpatched software in the organization. Reduce the number of tools you are using and invest in a smaller number of solutions that each does more patch management tasks across a wide range of platforms.
- Watch out for the risks that arise from the mitigation of risks. Patches need to be tested before implementation and even patches that pass testing need the insurance policy of having a roll-back plan.
- Always pay attention to timing. For instance, never update software and firmware at the same time. Patching and rebooting need to be compatible with users and department schedules and needs to be carefully timed.
- Be mindful of unintended consequences. You will need to keep a handle not only on existing software vulnerabilities, but also vulnerabilities resulting from software dependencies.
- Lastly, remember to keep your patch management tools updated. This is essential for all IT tools.
In conclusion, patch management is an art. And IT experts, IT organizations and other IT shareholders are the artists. Start implementing the major steps above to turn your patch management system into a masterpiece.
If you need a software patching and patch management tool that can create strong countermeasures against cybercriminals or cyber-attacks, then choose Vicarius. Vicarius is a vulnerability management software that targets cybersecurity officers and operators, as well as IT managers and operators from the U.S. market.