
Patch management: Find the weakest link

Brad Carpenter | February 4, 2004 12:55 PM PST

COMMENTARY--Everyone should agree that when it comes to maintaining a corporate network of computer systems, security is only as strong as your weakest link.

Sometimes that weak link is not a computer but a system designed to support those computers. You need a solution that proactively builds security defenses before the damage is done—instead of reacting after it’s too late.

So, are you going to patch it or fix it? Choosing the wrong patch management solution could seriously impact your company and possibly your career. Good intentions and hard work alone can’t head off today’s security threats.

The problem is, new vulnerabilities and new patches emerge so quickly that it’s nearly impossible to keep up using manual methods. According to Carnegie Mellon University, more than 90 percent of all security breaches involve a software vulnerability caused by a missing patch that the IT department already knows about. That means most IT departments lack a methodology for rapidly deploying patches. The remaining breaches involve vulnerabilities they did not know about and probably lacked the resources to investigate. You need to get as close to 100 percent of your vulnerabilities covered as quickly as possible, since a single breach can be devastating and costly.

Until operating system and application vendors start writing perfectly secure software, IT administrators will have to deal with the patch problem.

But effective patch management is more than just plugging holes and hoping for the best. It’s an ongoing, systematic process that can benefit from automation. If your IT environment shows any of these early warning signs, you will have a problem:

• Basic system management functions are not in place, or cover only a portion of installed systems.
• System inventories are incomplete, inaccurate, or nonexistent.
• You have to actively and repeatedly monitor all known sources of information regarding new vulnerabilities and patches.
• You invoke patch management processes only when a problem is reported in the press—or worse, after it has already affected the business.
• Patches are installed manually, on a limited set of system configurations, by end-users rather than IT professionals.
• Your automatic patch distribution solution targets the wrong machines or misses some machines entirely.
• The scope of patch management is limited to recent Microsoft platforms.
• You have limited awareness of vulnerabilities in other platforms, and limited resources to deal with them.
• Integration and validation testing is limited or nonexistent, leading to potential software conflicts.
• You’re constantly diverted from strategic work to install patches or fix infected systems.

Failing to address these issues consistently leaves weak links in your corporate network’s security that will eventually break and cause your organization pain.

Patch doesn't mean fix
“Patch” is actually a misnomer. You need to “fix” your IT environment to eliminate problems, now and in the future. Every vulnerability represents a serious risk. True business security means being prepared for those risks.

Not mostly prepared or retroactively prepared, but proactively prepared to eliminate vulnerabilities before the bad guys can take advantage, no matter what systems they target.

The answer is a systematic, documented set of IT best practices combined with best-of-breed enabling technologies for implementing those practices.

Technologies need to be comprehensive, integrated, and highly automated to help eliminate duplication of effort, minimize human errors, foster consistency across the organization, and ensure automatic distribution of the latest patches as soon as they’re available.

Best practices for patch management mean clearly defining and uniformly applying procedures that enable you to:

• Accurately inventory systems for current OS, application, and patch status.
• Discover known vulnerabilities.
• Assess the level of risk and your company’s potential exposure.
• Prioritize responses.
• Test patches and platforms for compatibility and consistency.
• Quickly and easily apply patches.
• Repeat the entire patch management process on a routine schedule.
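The warning signs above and the inventory, discover, assess, prioritize and test steps of the best-practices list can be expressed as a small reconciliation routine. The following is an added example on constructed data, not code from the column or from any product it alludes to; host names, OS versions, patch ids and the severity weights are assumptions.

```python
# Reconcile a system inventory against a patch feed; added example on constructed data.
from collections import namedtuple

# installed: set of patch ids already applied; versions: affected OS versions
Host = namedtuple("Host", "name os version installed internet_facing")
Advisory = namedtuple("Advisory", "patch_id os versions severity validated")
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumed weights


def applies(adv, host):
    """Discover: does this advisory affect the host's platform and version?"""
    return adv.os == host.os and host.version in adv.versions


def risk_score(adv, host):
    """Assess: severity weighted by exposure (internet-facing counts double)."""
    return SEVERITY[adv.severity] * (2 if host.internet_facing else 1)


def remediation_plan(inventory, advisories):
    """Prioritize: return (ready, blocked), each a list of
    (score, host, patch_id) sorted highest risk first. A patch that has not
    passed validation testing is reported but not scheduled."""
    ready, blocked = [], []
    for host in inventory:
        for adv in advisories:
            if not applies(adv, host) or adv.patch_id in host.installed:
                continue
            entry = (risk_score(adv, host), host.name, adv.patch_id)
            (ready if adv.validated else blocked).append(entry)
    for lst in (ready, blocked):
        lst.sort(key=lambda e: (-e[0], e[1], e[2]))
    return ready, blocked


def unmanaged_hosts(discovered, inventory):
    """Hosts seen on the network but missing from inventory: the
    'misses some machines entirely' warning sign."""
    return sorted(set(discovered) - {h.name for h in inventory})


# Constructed sample data; names, versions and patch ids are made up.
INVENTORY = [
    Host("web01", "linux", "9", {"P-100"}, True),
    Host("fs02", "windows", "2003", set(), False),
    Host("dev03", "windows", "xp", {"P-200"}, False),
]
ADVISORIES = [
    Advisory("P-100", "linux", {"8", "9"}, "high", True),
    Advisory("P-101", "linux", {"9"}, "critical", True),
    Advisory("P-200", "windows", {"xp", "2003"}, "critical", True),
    Advisory("P-201", "windows", {"2003"}, "medium", False),
]
DISCOVERED = ["web01", "fs02", "dev03", "lab09"]
```

Running `remediation_plan(INVENTORY, ADVISORIES)` on this data schedules the critical patch for the internet-facing host first, holds back the unvalidated patch, and `unmanaged_hosts(DISCOVERED, INVENTORY)` surfaces the machine the inventory never recorded.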

A best-of-breed patch management solution supports these best practices while automating as much of the work as possible to minimize costs in IT time and effort while providing the flexibility to fit into your specific business model.

Patch management solutions can be clearly differentiated by their ability to meet these needs. Some widely adopted solutions only target one family of operating systems and only cover the most current OS versions. Other solutions only work with a highly limited selection of patch sources. Still others fail to evaluate the severity of vulnerabilities or provide for validation of patches—leaving you in the dark when it comes to prioritizing patches. These limitations can be quite costly in the long run, robbing productivity while leaving potentially serious security holes.

When comparing patch management solutions, we recommend that you carefully evaluate how well each solution:

• Leverages your existing platform management systems.
• Works across heterogeneous computing environments, supporting multiple platforms, operating systems, and versions.
• Draws on industry-standard information sources to quickly identify new vulnerabilities as they’re discovered.
• Allows you to review, prioritize, and download available patches from a single interface.
• Facilitates validation of patches against test platforms.
• Automatically distributes patches based on specific platform configurations, allowing you to remediate vulnerabilities in an efficient and timely manner.
• Lets you establish active management policies that automatically maintain patch-level security as new desktops, servers, and laptops enter your computing environment.

You need to evaluate your current patch response, and be ready to make the commitment to continuous, systematic patch management. Choosing the right solution can mean the difference between quickly and effectively securing business assets, and trying to patch the bleeding in the aftermath of a major security breach.

You may have dodged the bullet up till now, but the law of averages will eventually catch up. Don’t take that chance with your business. Implement sound business practices today, and support them with the right tools to automate the process.

You can’t afford to patch your patch management process. Start out with a comprehensive solution—your business health depends on it.

Biography
Brad Carpenter is the Senior Information Systems Analyst for Lane County, Oregon.
