FAQ: What is patch management and why is it important?
Last updated on December 4th, 2018
Quick definition to begin with: A patch is a set of changes for a piece of software which is designed to update, fix or improve that software’s functionality. Patches are deployed for various reasons including fixing security vulnerabilities and bugs, improving user experience or increasing performance.
You may have heard of “Patch Tuesday”, the unofficial term for Microsoft’s regular release of security patches for its software products. It typically occurs on the second Tuesday of every month in the early evening.
What is patch management?
Patch management is an automatic update process for every node on the corporate network. This includes endpoints in physically inaccessible locations such as remote laptops and mobile devices.
Deploying patch management means that staff will not need to manually check for and deploy software patches, which is typically an exhausting, time-consuming task for all but the very smallest of businesses.
How does patch management work?
There are different methods of patch deployment, and they vary depending on the infrastructure design of each company’s information systems.
Most companies with large infrastructures implement automated patch management systems which reduce the manpower requirements of manual implementation. Other companies will outsource this function to a trusted third party. Often, if your IT support is fully outsourced, patch management will be included as part of this service.
An automated patch management system requires the installation of a client agent. This enables network administrators to manage patch distribution from a centralised interface. They can configure the settings for patch distribution, generate reports on the status of patches and set distribution at different levels to cover different applications and devices.
Why is patch management important?
New vulnerabilities are discovered every day, and unpatched systems are one of the easier attack vectors for cyber-criminals to take advantage of. Companies continually release new patches as vulnerabilities are uncovered by researchers and hackers. If your business does not apply these updates, cyber-criminals have an easy entry point into your network.
Patch management also ensures that your enterprise technology continues to function as it should. Software bugs, even minor ones, can cause headaches and impact employee productivity, so automatic patching ensures that these problems can be resolved as soon as possible.
What are the benefits of patch management?
Patch management ensures that all pieces of software – even those which are rarely used – remain up to date, ensuring that they don’t introduce major security holes within your business.
Automatically deploying updates also frees up a vast amount of time, allowing staff to focus on more productive areas of the business. Rather than checking through update lists, they can work on getting the most business benefit from the IT systems or looking into ways to further modernise the systems through digital transformation. Furthermore, if you have staff working remotely or from mobile devices, patch management ensures that these devices remain up to date regardless of location.
What are the consequences of not deploying patch management?
An average of 50 new vulnerabilities were discovered every day throughout 2017, nearly double the number discovered in 2016, and more than three times the number discovered in 2015. While patch management is not a cast-iron guarantee against every potential vulnerability out there (or which may arise in the future), it is a preventative measure to protect the integrity and security of your network infrastructure and information systems.
However, it’s clear that many are still not implementing security patches. This can be seen from the fact that one of the most popular vulnerabilities to exploit is a remote code execution in the Windows common controls, known as CVE-2010-2568, a vulnerability which was patched in 2012.
If a vulnerability does arise, having a solid patch management system in place means that the network is being constantly monitored. This is especially important when it comes to preventing a “Zero Day Attack”, an exploit which can occur while a patch is still in the process of being produced to repair the vulnerability.
How can you ensure your patch management is effective?
While automatic updates are beneficial, the best patch management strategy is one which balances automatic and manual updates.
Automatic updates are not a cure-all and can sometimes cause problems if they have not been properly vetted. Just this month, Microsoft had to roll out a second round of patches to fix bugs introduced by Patch Tuesday. This second round came just six days later, was aimed at four specific bugs, and brought the total number of patches released in July to 156.
The most effective way to manage patches will vary between each organisation, but there are a few key factors which apply to all:
- Critical security fixes should be applied as soon as possible.
- For all other patches, consider how often the software is used and how business critical it is to decide how urgent the patching is.
- Where possible, ensure that patches are installed outside of working hours to minimise disruption to business workflows.
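The three factors above can be turned into a simple deployment plan. The following is an added example, not code from the original article or from any patch management product: the working hours, the 30-minute slot length, the 1 to 5 scales, the "usage times criticality" ranking and the patch names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

WORK_START, WORK_END = time(9, 0), time(17, 30)  # assumed office hours, Mon-Fri
SLOT = timedelta(minutes=30)                     # assumed time per routine patch

@dataclass
class Patch:
    name: str
    security_critical: bool
    usage: int                 # 1 = rarely used .. 5 = used daily (assumed scale)
    business_criticality: int  # 1 = low .. 5 = business critical (assumed scale)

def in_working_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and WORK_START <= ts.time() < WORK_END

def next_out_of_hours(ts: datetime) -> datetime:
    """Earliest moment at or after ts that falls outside working hours."""
    return datetime.combine(ts.date(), WORK_END) if in_working_hours(ts) else ts

def plan(patches, now: datetime):
    """Return [(patch name, deploy time)] following the three factors above."""
    # 1. Critical security fixes go out as soon as possible, even mid-day.
    schedule = [(p.name, now) for p in patches if p.security_critical]
    # 2. Everything else is ranked by how much it is used and how critical it is.
    routine = sorted((p for p in patches if not p.security_critical),
                     key=lambda p: p.usage * p.business_criticality, reverse=True)
    # 3. Routine patches are only placed in slots outside working hours; a slot
    #    that would spill into the working day is pushed to that evening.
    slot = next_out_of_hours(now)
    for p in routine:
        schedule.append((p.name, slot))
        slot = next_out_of_hours(slot + SLOT)
    return schedule

# Constructed sample inventory (names are illustrative only).
SAMPLE_PATCHES = [
    Patch("pdf-reader", False, usage=2, business_criticality=1),
    Patch("os-security-rollup", True, usage=5, business_criticality=5),
    Patch("accounting-suite", False, usage=4, business_criticality=5),
]

if __name__ == "__main__":
    for name, when in plan(SAMPLE_PATCHES, datetime(2018, 12, 4, 14, 0)):
        print(f"{when:%a %Y-%m-%d %H:%M}  {name}")
```
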
The key concern for most businesses is the number of patches and the manpower required to deal with them. However, with patch management and new technologies, patches can be managed much more effectively.