The rise in the number of network attacks and breaches in the last few years has seen the need for IT managers to be more proactive in their approach to managing patches. A majority of the attacks are as a result of known vulnerabilities being exploited. With the increasing sophistication of the attackers compounded by the hundreds of patches that are released every month for all OSes and applications in your organization’s network, it is easy to see why the patch management process is such a complex process.
Despite the complexities and challenges of the patch management process, it can be broken down into 6 general steps. The amount of time you spend on each stage and the amount of resources assigned will depend of the size of the infrastructure and the in-house security policies.
Step 1:
Develop an updated inventory of all production systems in the network. This includes OSes, physical location, IP address, function and custodian. This process can be daunting for a large organization. However, there are tools that can make the work easier. These include automated discovery products and network scanners. You should take inventory on a regular basis.
Step 2:
Patches can bring about problems in the network as a result of compatibility issues. To make your work easier, you should ensure that the production systems in your organization are standardized. They should all use the same version of OS and application software. This will make your job much easier as you will only be required to deploy one version of each patch.
Step 3:
To make it easier to respond to a vulnerability alert, you should make a comprehensive list of the security controls you have installed along with their configurations. This includes any firewalls, routers, AV, IDSes etc. Should you have any nonstandard configuration settings, make sure to include them. It will be easier to respond to vulnerabilities should need arise. A good example of this is where you learn that there’s an OpenSSH vulnerability that can facilitate a buffer-overflow attack. From your list of controls, you can tell that SecSH protocol is not allowed through your firewall. This gives you plenty of time to respond to the vulnerability.
Step 4:
You should compare any vulnerability reported to your control list. To do this effectively, you need a reliable vulnerability alerts system. You also need to identify vulnerabilities that can affect your system and those that cannot. You can either automate this process or assign dedicated staff to manage it.
Step 5:
Classify every risk. The level of risk usually varies with the LAN environment in your organization. It is therefore important to determine the level of risk and the likelihood of an attack. While there may be vulnerabilities in some of your servers, they are not always mission-critical. For example, you can have a scenario where your firewall already blocks the service exploited by the vulnerability. When classifying a threat, you should consider the severity of the threat, cost of mitigation and recovery, and the level of vulnerability.
Step 6:
The last step is applying the patch. With a list of controls and a system for collection and analysis of vulnerabilities and another for risk classification, you are ready to go. However, it is not as easy as it seems. You need to pull off the deployment of the patches without causing system downtime or affecting production.
This process can be made much easier by using tools such as BatchPatch. Batch Patch is the ultimate Windows Update Tool that will help with patch deployment in your organization. It is bound to fit both your environment and your budget. While it is sometimes more cost effective to deploy patches manually, the associated costs are normally negligible if you have a large network. You will be way ahead of the curve next time there is a worm knocking at your network’s door.
