Over recent weeks at Wanstor, we have had several businesses contact us about helping them with their IT security strategies, and specifically Patch Management. IT security is, and has been for a number of years, a real “hot IT topic”. Even though IT security seems to always be in the news, the engineering team at Wanstor are constantly amazed at the number of businesses who are not undertaking basic IT security measures and are leaving themselves open to attack. One of the main routes for IT security attacks on businesses is devices and networks which have not had a patch management strategy applied to them.
Over recent years in the security debate, Patch Management has fallen down the priority list of many IT Managers. Feedback we have heard at Wanstor through IT Managers includes:
- “Patch management is an endless, thankless task, why should I bother doing it?”
- “It’s only worth undertaking patch management if a major IT security scare is happening”
- “It’s unlikely my business will be targeted through the operating system, all my users are office based”
- “Patch management costs my staff an inordinate amount of time each week, plus the money I have to spend on staff to do the job could be deployed elsewhere on bigger and better IT projects.”
Because of this attitude amongst a number of IT Managers and professionals, informal, ad hoc patching without a central strategy often takes place, and fails to deliver what Patch Management is supposed to deliver: a safe, secure and available IT environment.
At Wanstor we believe Patch Management is a crucial task which should be at the top of the IT team’s “to-do” list each week. Without an effective patch management strategy in place, businesses are leaving themselves open to security attacks and breaches. Because the risks to businesses from not undertaking this simple yet highly effective IT task are so great, the security experts at Wanstor have developed a set of tips for anyone whose job it is to undertake patch management for their business. The tips below should give IT professionals an outline of a patch management strategy which makes the process simpler, more cost effective, and less resource intensive. So let’s get started:
Understand your network – It’s important to understand that a network is only as strong as its weakest link, whether the business is considering IT security, stability or functionality. It only takes one unpatched computer to make the entire network vulnerable. Therefore, patch management is about bringing the entire network (every computer and device) up to an acceptable level. To do so, the IT team needs to start by knowing exactly what’s on their business’s network. The first action an IT team should take is to conduct an asset inventory to find out exactly what is on the company network. By undertaking this task the IT team can then quickly gather information about what is and isn’t patched and where any vulnerabilities may appear.
By having a true picture of the network, the IT team can understand more about the patch management work needed now and in the future, so patch management tasks can be allocated at relevant times.
Assess the patch status – Scanning and assessing helps the IT Manager to manage a large patch management workload, particularly when they are just beginning to implement patch management procedures. It is important that IT Managers understand not every patch is equal in severity or criticality. An effective patch assessment report can let them focus on the computers that need immediate attention for severe issues, helping the IT Manager to prevent the worst possible problems as quickly as possible. They can then work through less-critical patch problems using a phased approach.
Try to use a single source for patches – Quite often IT Managers make patch management overly complex by relying on multiple point solutions for patch deployment. That might include one solution for Microsoft updates, another for Adobe, a third for Mac OS patches, and yet another for other applications. The reality is that businesses are faced with patching not only Windows operating systems and applications, but also other vendor and custom applications that WSUS (Windows Server Update Services) cannot address.
At Wanstor we believe it is better to have a single patch management solution that can do it all: Microsoft patches, third-party software patches, PC-based hardware, Mac computers, client systems, servers etc. For many of our customers we have deployed a ManageEngine patch management solution to rectify this problem. A single source for patches offers a number of advantages: it reduces the complexity of the IT infrastructure because IT Managers are not maintaining multiple patching solutions, it simplifies team training, it improves end-user communications, and it reduces overall IT operating costs through consolidated management and effective use of staff time.
Make sure you can roll back – One of the most crucial capabilities IT Managers can add to their patching strategy is the ability to roll back, or “undo,” patches. With the knowledge that patches can be easily rolled back, the IT team might feel more comfortable deploying patches that haven’t been through a rigorous, weeks-long test-and-pilot process. This reduces the overhead involved in testing patches, gets critical patches out to users faster, and still gives the IT team the ability to keep the environment reliable and secure.
Use a phased approach – Critical patches may need to be pushed out immediately to computers that are more sensitive to whatever problem the patch addresses. Less-critical patches might be able to wait for a regular maintenance period. Some critical patches might apply only to certain servers, or to certain departments; others might need to be quickly pushed out to the entire business. Additionally, phased approaches can help to reduce the need for patch testing, because problems surface in a small pilot population before the patch reaches everyone. At Wanstor we have found the best way to conduct phased patch releases is by means of a policy-driven targeting system. Centrally controlled, top-level policies define target populations, enabling the IT team to be in control at all times. This makes it easier to plan schedules, user communications and other aspects of the overall patch management process.
Don’t forget the user experience – At Wanstor we believe part of a good user IT experience is giving users some control over the patching process. Set deadlines that define when a patch must be installed, but give users the ability to postpone the install up to that deadline, or to opt to conduct the installation right away.
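The assessment, phased targeting and user-deadline ideas from the three tips above, worked through as an added example (not Wanstor’s tooling or any vendor’s product): a constructed asset inventory is assessed for each host’s worst missing severity, then turned into a plan that orders critical patches first, sensitive rings (servers, then the finance department) before the general population, and attaches the policy deadline up to which a user may postpone the install. The severity ranks, ring order and deadline days are hypothetical policy values.

```python
from datetime import date, timedelta

SEVERITY_RANK = {"critical": 0, "important": 1, "low": 2}
# Hypothetical policy: days after release by which a patch of each severity
# must be installed; users may postpone the install up to that deadline.
DEADLINE_DAYS = {"critical": 2, "important": 14, "low": 30}
# Hypothetical policy-driven targeting: the order in which populations
# ("rings") receive a patch, most sensitive first.
RING_ORDER = {"server": 0, "finance": 1, "general": 2}
START = date(2024, 1, 1)  # constructed patch release date

# Constructed sample inventory: one record per host and missing patch;
# a fully patched host appears once with patch=None.
INVENTORY = [
    {"host": "srv-db01", "role": "server", "patch": "KB-1001", "severity": "critical"},
    {"host": "ops-pc13", "role": "general", "patch": "KB-1001", "severity": "critical"},
    {"host": "fin-pc07", "role": "finance", "patch": "KB-1002", "severity": "important"},
    {"host": "ops-pc12", "role": "general", "patch": "KB-1003", "severity": "low"},
    {"host": "ops-pc14", "role": "general", "patch": None, "severity": None},
]


def assess(inventory):
    """Patch-status assessment: each host mapped to its worst missing severity
    (None means the host is compliant), so critical exposure is visible first."""
    worst = {}
    for rec in inventory:
        sev, cur = rec["severity"], worst.get(rec["host"])
        if sev is not None and (cur is None or SEVERITY_RANK[sev] < SEVERITY_RANK[cur]):
            worst[rec["host"]] = sev
        worst.setdefault(rec["host"], None)
    return worst


def build_plan(inventory, start):
    """Phased plan: higher severity first, then ring order, then host name,
    each step carrying the deadline the user may postpone up to."""
    work = [r for r in inventory if r["patch"] is not None]
    work.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], RING_ORDER[r["role"]], r["host"]))
    plan = []
    for r in work:
        deadline = start + timedelta(days=DEADLINE_DAYS[r["severity"]])
        plan.append({"host": r["host"], "patch": r["patch"], "severity": r["severity"],
                     "ring": r["role"], "deadline": deadline.isoformat()})
    return plan


if __name__ == "__main__":
    for host, sev in assess(INVENTORY).items():
        print(f"{host}: {sev or 'compliant'}")
    for step in build_plan(INVENTORY, START):
        print(step)
```

Hosts whose worst severity is "critical" in the assessment are the ones the phased plan pushes out first, regardless of ring, which is the prioritisation the assessment report is meant to support.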
Develop a good administrator experience – With a proper patching solution, IT administrators should be able to coordinate patch updates across complex and distributed user bases, and have visibility into the patching phases on a machine by machine basis. Reports that identify non-compliant computers, alerts that trigger IT administrator responses to failures and other tools can all help simplify patch management.
Be organised for success – Proper organisation is critical to effective patch management. Every day, the IT team will receive dozens or even hundreds of software updates. Simply reviewing them, categorising them, and selecting approved ones for deployment can become a full-time job, but how many businesses can afford an IT Manager whose only job is to look after updates and patches? (In Wanstor’s experience not many, if any.) At Wanstor we recommend IT teams use a single patch management tool that can accommodate the entire IT environment. Seeing all of the patches in one place will enable far better organisation than having to review patch lists across different tools. Having only one patch management solution also gives IT Managers more control over scheduling patches, and will allow them to set up patch windows with specific guidelines and forced updates to make sure users experience minimal disruption during working hours.
Develop the right-size solution – If businesses deploy the wrong patch management tool or approach, they will find themselves frustrated, overwhelmed, unsuccessful, and, more importantly, at risk of security breaches. It is therefore important to choose a patch management approach and associated tools that fit your business size. Consider the overhead you’re willing to deal with in terms of cost and staff resource, the size of your environment, and the amount of time you have to plan and deploy a solution. For many businesses it actually makes financial and IT sense to outsource patch management to a managed service provider who has experience of different patch management tools, techniques and processes, so the right solution can easily be developed, deployed and managed.
At Wanstor we believe patch management is crucial to IT security success. Replacing old, ad hoc approaches to patching with a comprehensive, systematic strategy will improve security and reduce the patch management workload. By following the tips detailed in this article, Wanstor’s patch management experts believe many businesses can eliminate network vulnerabilities, deploy patches in an orderly and controlled fashion, make it easy for end users, and save the IT team time, money and effort.