How to Deploy Patch Management
Keeping up with patches is one of the most important things you can do to protect your company from security issues. But if you are staying up late on a Saturday night, logging on to server after server to patch by hand, and sending out emails to users instructing them to run Windows Update before they go to lunch on Friday, you are doing a disservice to yourself, your company, and your users. You need a patch management strategy that is scalable and automatic, that ensures maximum patch compliance, and that lets you validate that compliance. Here are some quick tips to help you develop your own patch management solution.
Stay informed
One of the most important things you can do is to stay informed about patches for your operating systems, your network gear, and your applications. Subscribe to your vendors’ security bulletin/notification services, and consider also subscribing to emails from vendor-neutral groups like the SANS Institute or CERT.
Use patch management software
One of the most important things you can do for successful patch management is to implement patch management software. It’s extremely difficult to maintain patching by hand on more than a handful of servers, and relying on your users to patch their own workstations is fraught with peril. There’s the free Windows Software Update Services from Microsoft, as well as a number of excellent third-party patch management suites that can handle all of your patching tasks automatically. If patching takes you more than a few hours a month, you are wasting more money on busy work than a patch management software suite will cost. That’s immediate ROI.
Don’t forget the applications
There’s much more to patching than the operating system, and many of the best-publicized hacks of the past year exploited vulnerabilities in third-party applications. You must keep your third-party applications up to date, especially those used to open files and media downloaded from the web, so make sure all third-party applications are included in your patch management solution.
Logging and reports
Assume nothing. When you deploy a patch management solution, make sure all systems log their activities, and review reports to ensure 100% compliance. Even the most routine patch can fail if an application is hung or a file is in use, so part of patch management is verifying that each patch you deploy actually stuck. Reports are your friend here, unless you really want to manually inspect every system on your network.
Test before you deploy
Patch management includes testing patches before deploying them, so include a subset of workstations and servers that you can patch early to validate that no issues are introduced into production.
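The report review described under Logging and reports, and the pilot-group gate from the testing point above, as an added illustration that is not part of the original post or of any vendor's product: it runs over a constructed console export (placeholder host names and patch identifiers, not real bulletin numbers) and treats a host that has stopped reporting as non-compliant rather than trusting its last green status.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample export from a patch management console: host, deployment
# ring, last check-in, and installed patch IDs (placeholder identifiers).
REQUIRED = {"PATCH-2024-A", "PATCH-2024-B"}
REPORT = [
    {"host": "pilot-ws01", "ring": "pilot", "last_report": "2024-03-15T09:00",
     "installed": {"PATCH-2024-A", "PATCH-2024-B"}},
    {"host": "web01", "ring": "prod", "last_report": "2024-03-15T09:05",
     "installed": {"PATCH-2024-A", "PATCH-2024-B"}},
    {"host": "web02", "ring": "prod", "last_report": "2024-03-15T09:10",
     "installed": {"PATCH-2024-A"}},                 # install failed or pending
    {"host": "db01", "ring": "prod", "last_report": "2024-03-01T22:00",
     "installed": {"PATCH-2024-A", "PATCH-2024-B"}}, # agent stopped reporting
]
NOW = datetime(2024, 3, 15, 12, 0)
MAX_REPORT_AGE = timedelta(days=3)

@dataclass
class Compliance:
    compliant: list = field(default_factory=list)
    missing: dict = field(default_factory=dict)  # host -> sorted missing IDs
    stale: list = field(default_factory=list)    # hosts with no recent report

    @property
    def percent(self) -> float:
        total = len(self.compliant) + len(self.missing) + len(self.stale)
        return 100.0 * len(self.compliant) / total if total else 0.0

def check_compliance(report, required, now=NOW, max_age=MAX_REPORT_AGE):
    """Classify each host as compliant, missing patches, or stale."""
    result = Compliance()
    for rec in report:
        if now - datetime.fromisoformat(rec["last_report"]) > max_age:
            # "Assume nothing": a host that stopped reporting is not compliant,
            # whatever its last report said; it needs a hands-on check.
            result.stale.append(rec["host"])
            continue
        gap = sorted(set(required) - set(rec["installed"]))
        if gap:
            result.missing[rec["host"]] = gap
        else:
            result.compliant.append(rec["host"])
    return result

def pilot_ready(report, required, now=NOW, max_age=MAX_REPORT_AGE):
    """Gate the production rollout on the pilot ring being 100% compliant."""
    pilot = [r for r in report if r["ring"] == "pilot"]
    status = check_compliance(pilot, required, now, max_age)
    return bool(pilot) and not status.missing and not status.stale
```

With the constructed data, web02 shows up as missing a patch, db01 as stale, and overall compliance as 50%, which is exactly the kind of gap a manual "everyone ran Windows Update" approach never surfaces.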
Plan for rollbacks
Even the best testing might not uncover an issue until it gets into production, so make sure your patch management includes strategies for rollbacks. Look for patch management software that can automate this, so if you do have to pull a patch back, it is a quick and automatic process.
Make time to patch
Patching is critical, and when security patches are involved, it should take priority over all other activities. Your patch management strategy should include maintenance windows that cannot be made subordinate to other activities, to ensure you can patch systems in a timely fashion, before the latest public disclosure becomes the next worm or Metasploit plugin. Here’s a pro tip for you: set your maintenance windows for during the day on a Friday. You’re more awake, the rest of IT is already on the clock if things go wrong, and any issues will be identified and resolved quickly by the team instead of by one poor tech searching KBs and blogs at 3 AM on a Sunday. And in the worst-case scenario, if you are going to take everyone down, would you rather it happen Friday afternoon or Monday morning?
With these seven points in mind, you are well on your way to deploying an effective patch management solution, and you might just get some of those Saturday nights back.
This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs.
All product and company names herein may be trademarks of their respective owners.