Last updated at Wed, 29 May 2019 13:02:00 GMT
It’s no secret that modern software is complex and difficult to make, which means mistakes are unfortunately inevitable. Remedying these errors requires going back afterward to apply a fix—referred to as a patch. With the deluge of assets flooding corporate networks, organizations need to have a solid patch management strategy in place to ensure they are keeping up with updates and that their intricate quilt doesn’t unravel at the seams.
In a recent episode of Whiteboard Wednesday, we dove into the basics of patch management and explained why it is so important to your overall vulnerability management program. Watch the full video here, or read on below for a recap of what was discussed:
The history of patch management
Before we dive into the modern world of patches, let’s take a step back to see where this concept came from. Once upon a time, computers were programmed using punch cards. Yes, that’s right, people would actually punch holes into paper and feed it into a machine that would read the holes as instructions. When mistakes were made in those instructions, programmers would take back the original punch card, tape up the hole, punch a hole somewhere else, then feed it back in. Voila, fixed!
Today, the process is far more complex, though the same concept applies. Take a moment to think about the Windows Update notification. It means Microsoft has shipped code to correct something in software already on your machine, whether a functional bug or a security vulnerability. Installing updates promptly (not "Remind me tomorrow" for three weeks) is what actually closes the gap; a patch that has been released but not applied protects nothing.
The role of patches in vulnerability management
Patching is a vital part of every vulnerability management program. However, having a consistent approach to patch management doesn’t always mean slapping a fix on everything in sight. When a vulnerability is identified, you essentially have three options:
- Install a patch for the vulnerability, if available, to fix the issue.
- Implement compensating controls so the vulnerability is mitigated without being fully patched, for example by blocking the affected service at the firewall, disabling the vulnerable feature, or restricting who can reach the system. This route is common when a proper fix or patch is not yet available, or when the patch cannot be applied immediately, and it buys time before eventual remediation.
- Accept the risk posed by that vulnerability and leave it in place. This should be a deliberate, documented decision made by someone authorized to own that risk, not the default outcome of never getting around to it.
It's up to organizations to decide which option is best for each situation, though patching removes the weakness rather than masking it, so it is the end state to aim for.
The different types of patches, and who makes them
Common areas that will need patches include operating systems, applications, and network equipment. Operating systems have the very important job of managing all the components of your computer systems, which also means opportunities abound for things that need to be fixed. Microsoft, for example, ships Windows patches on a regular monthly cycle to fix both functional bugs and security vulnerabilities.
Applications such as Slack, Zoom, or Microsoft Word also need regular patching. These tools are vital to day-to-day business, which is exactly why an unpatched flaw in one of them has such reach; they must be kept fully patched, and where an application updates itself, that mechanism only helps if it is actually enabled and not blocked by policy or the network.
Network equipment is a bit trickier. In a home or office environment you often have devices that are connected but less visible, such as routers, switches, or IoT devices like video cameras. These devices run software too, and that software can contain flaws, so they need patching when fixes are available. Because they rarely update themselves and are easy to forget, they need to be inventoried and tracked with the same rigor as laptops and servers.
Tools to simplify corporate patching
Let’s be honest—it’s hard enough to implement software patches on your own personal devices, as it’s all too tempting to click that “Remind me tomorrow” box when updates pop up. However, this manual approach is even more difficult to achieve in a corporate environment in which you have tons of assets to secure and diverse systems across the organization.
There are various tools available that can help with this laborious task. IBM BigFix, for example, reports which patches are missing across an estate and deploys them, while Microsoft SCCM (System Center Configuration Manager) does the same for Microsoft assets such as Windows servers and laptops.
In dynamic environments such as the cloud, you can use configuration management tools like Ansible, Puppet, and Chef to install the operating system and then layer on all appropriate patches as part of building each asset, so that every new instance comes up already patched rather than waiting for a later sweep.
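As an added example (not code from the original post or from Rapid7), here is an Ansible playbook that performs that "layer on the patches" step during an asset build: it applies pending updates on Debian/Ubuntu and RHEL-family hosts, then reboots only when the OS itself reports that a reboot is required. The inventory group name `new_instances` is hypothetical, sudo access for the connecting user is assumed, and the RHEL branch assumes the `needs-restarting` command from the dnf-utils/yum-utils package is present.

```yaml
# Added example, not from the original post. Applies pending OS updates as one
# step of an Ansible-driven build, then reboots only if the OS says it must.
# Assumptions: an inventory group named "new_instances" (hypothetical), sudo
# access for the connecting user, and needs-restarting (dnf-utils) on RHEL hosts.
- name: Layer OS patches onto freshly built hosts
  hosts: new_instances
  become: true
  tasks:
    - name: Apply all pending package updates (Debian/Ubuntu)
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
      when: ansible_facts['os_family'] == "Debian"

    - name: Apply security-flagged updates only (RHEL family)
      ansible.builtin.dnf:
        name: "*"
        state: latest
        security: true
      when: ansible_facts['os_family'] == "RedHat"

    - name: Check whether Debian/Ubuntu needs a reboot
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_flag
      when: ansible_facts['os_family'] == "Debian"

    - name: Check whether RHEL family needs a reboot (exit code 1 means yes)
      ansible.builtin.command: needs-restarting -r
      register: needs_restart
      changed_when: false
      failed_when: needs_restart.rc not in [0, 1]
      when: ansible_facts['os_family'] == "RedHat"

    - name: Reboot only when the OS reports it is required
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: >
        (reboot_flag.stat.exists | default(false)) or
        ((needs_restart.rc | default(0)) == 1)
```

Run it with `ansible-playbook patch.yml --check --diff` first to see what would change without touching anything, then without `--check` to apply. The Debian branch applies every pending update because the `apt` module has no security-only switch; the RHEL branch uses the `dnf` module's `security: true` so that only updates flagged as security fixes are pulled in. Gating the reboot on the OS's own signal, rather than rebooting unconditionally, keeps build times down and avoids restarting hosts that only received userland library updates.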
Click here to learn more about how to understand all the vulnerabilities in your environment, all the patches available to correct them, and how you can orchestrate the process to fix those holes.