
Patch Management Is About Process, Not Just Technology

Written by Lance Travis, Contributor

Companies have been struggling with the increasing number of Internet-based attacks that try to exploit known vulnerabilities within systems and application software. So far in 2003, the CERT Coordination Center, the clearinghouse for Information Technology (IT) security issues, has reported almost 3,000 security vulnerabilities. Microsoft alone has released 45 security bulletins this year. Keeping software up to date with the latest patches has become an overly burdensome job for most IT departments.

The Bottom Line: Software products designed to facilitate patch management can automate distribution, but successful patch management depends more on process than technology.

What It Means: Companies attacking patch management with technology are looking beyond the limitations of Microsoft Systems Management Server (SMS) and are either deploying Microsoft Software Update Service (SUS) or third-party products from vendors such as PatchLink, Symantec (and its recent ON Technology acquisition), and Tivoli. However, technology can only automate the distribution and installation of the patches; it doesn't create a sane policy for managing them. If your patch management process results in chaos, automating that process will only make the chaos occur faster.

Recommendations: A comprehensive patch management process must address all systems and applications deployed within a company.

It must encompass:

  • Security policy--Must define rules for installing patches based on the criticality of the security flaw being patched and the criticality of the system or application being patched.
  • Change management--Must define rules for installing, testing, and deploying the patches that ensure critical systems are not regressed by installing patches.
  • Asset management--Must ensure that all systems and applications are known and processes are in place for patching each system and application.
  • Emergency response--Must define the steps to be taken and the people involved when responding to a critical security patch.

Companies should go through a self-assessment to determine the adequacy of their current patch management strategy, identify the gaps between current process and a comprehensive process, and implement an updated process. Companies looking for assistance with developing a patch management strategy that addresses security concerns should consider risk management consultants such as PricewaterhouseCoopers.
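As an added illustration (not part of the original article), the four process elements above can be written down as enforceable rules before any distribution tool automates them; the deadline table, host names, software names and patch ids below are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy table: days allowed to deploy, keyed by (patch severity, asset criticality).
DEADLINE_DAYS = {
    ("critical", "high"): 1,  ("critical", "medium"): 3,  ("critical", "low"): 7,
    ("important", "high"): 7, ("important", "medium"): 14, ("important", "low"): 30,
    ("moderate", "high"): 14, ("moderate", "medium"): 30, ("moderate", "low"): 60,
}

@dataclass
class Asset:
    name: str
    software: str
    criticality: str                      # "high", "medium" or "low"
    tested: frozenset = frozenset()       # patch ids already verified in staging

@dataclass
class Patch:
    id: str
    software: str
    severity: str                         # "critical", "important" or "moderate"

def plan(assets, patches, seen_software, today):
    """Return (work items, inventory gaps, emergency escalations)."""
    items, emergencies = [], []
    # Asset management: software seen on the network but absent from the inventory is reported, not skipped.
    gaps = sorted(seen_software - {a.software for a in assets})
    for p in patches:
        if p.severity == "critical":
            emergencies.append(p.id)      # emergency response path is triggered
        for a in (a for a in assets if a.software == p.software):
            due = today + timedelta(days=DEADLINE_DAYS[(p.severity, a.criticality)])
            # Change management: high-criticality systems only take patches that passed staging.
            if a.criticality == "high" and p.id not in a.tested:
                action = "blocked: staging test required"
            else:
                action = "deploy"
            items.append((a.name, p.id, due, action))
    return items, gaps, emergencies

def demo():
    """Constructed sample data; host names, software names and patch ids are made up."""
    assets = [Asset("web01", "webserver", "high"),
              Asset("lab07", "webserver", "low", frozenset({"PATCH-A"}))]
    patches = [Patch("PATCH-A", "webserver", "critical"),
               Patch("PATCH-B", "dbserver", "moderate")]
    return plan(assets, patches, {"webserver", "dbserver", "legacy-app"}, date(2003, 12, 2))
```

Running `demo()` shows the point of the article in miniature: the critical patch is escalated, the untested patch is held back from the high-criticality host, and software nobody inventoried surfaces as a gap instead of being patched by accident or not at all.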

AMR Research originally published this article on 2 December 2003.
