Guest Column | January 3, 2014

Pitfalls To Avoid With Patch Management

By Alistair Forbes, GM, LogicNow

By Alistair Forbes, General Manager, GFI MAX business unit

Our reliance on software, from operating systems to applications, has never been greater. It is essential, therefore, that businesses keep their laptops, desktops, and servers as secure as possible. Front line security products such as antivirus, anti-spam, and firewall solutions play a big part in achieving this. It is equally important that operating systems, as well as security solutions and other third-party programs, are kept up-to-date to prevent weaknesses in IT infrastructures, which can cause them to be exploited.

Unfortunately, many businesses pay lip service when it comes to patching their systems. They know it’s important, but either they do not have the time and do nothing at all or they have a half-baked strategy that only causes more problems. Patch management can be a nightmare in the hands of the inexperienced, and if they do not have the right tools, a lot can go wrong. Here are a few pitfalls that we come across frequently.

1. Patching the operating system only

On average, 10 vulnerabilities a day are discovered, and it is worth noting that the majority of known vulnerabilities continue to come from third-party applications, while the smallest percentage resides in the operating system itself. The impact of third-party software on PC security and reliability is further complicated by browser plugins, media player codecs, and other bolt-on code that works in conjunction with an existing application or system service. Applying patches to the operating system is important, but it does not address the full range of vulnerabilities on the machine. If third-party applications are not patched, you are still exposed to risk.

2. No centralized management

From a managed services provider (MSP) perspective, managing patching across multiple networks site by site instead of via a centralized management system is inefficient and a waste of resources and time — and therefore, money. Site-by-site management increases the risk that some systems are not patched properly or that procedures and policies on patching have not been applied consistently across all locations. This is why MSPs need a solution that allows them to cover everything from a single dashboard.

3. Not automating the process

If you have one server and a handful of workstations, patching these machines manually is possible but will still take time. When you have dozens or hundreds of machines, managing software updates and critical patch deployment manually will quickly increase the maintenance overhead associated with applications and the operating systems they run on, to the point of overwhelming the network engineers and degrading organizational efficiency — not to mention putting the organization (or an MSP’s customers) at risk of security flaws being exploited and data being stolen or corrupted. It is impossible for an IT manager to follow vendor notifications manually and be aware of every new patch being issued. The problem is compounded for an MSP that is looking after multiple networks for different clients. When this happens, patching becomes an “I’ll do it next month” task. The solution is a product or service that can automate the process of checking for, downloading and then pushing out those patches with the highest level of automation and consistency. Manual patching is neither fun nor effective, yet some persist.

4. Free is not always best

Many businesses are happy to use the free patching service that Microsoft provides, but this is a false economy because it doesn’t give the MSP management capability across all the sites and applications — nor does it cover third-party applications. Various steps have been taken by vendors to simplify the process and to minimize the window during which a machine is exposed to a known vulnerability, such as integrating automated update download mechanisms and pop-up windows to alert users to the availability of a new update. However, such services have a weakness in that they rely on users actively connecting to the Internet and allowing updates to be downloaded and installed. The ease with which end users can update their own machines, coupled with the benefits of encouraging them to do so, also means that the IT department needs to maintain visibility of what patches have or have not been installed in the event that a problem arises.
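The visibility problem in pitfalls 1, 2 and 4 can be made concrete with a small compliance report over a centrally collected inventory. The following is an added example written for this column, not code from the author or from any product; product names, version strings, release dates and the multi-site inventory are all constructed, and "patched" is simplified to "installed version equals the catalog version".

```python
from datetime import date

# Constructed catalog of the latest patched version per product
# (names, versions and dates are made up for this example).
OS_PRODUCT = "os"
CATALOG = {
    "os":      ("6.3.9600.17", date(2013, 12, 10)),
    "browser": ("31.0.1650",   date(2013, 12, 18)),
    "pdf":     ("11.0.06",     date(2013, 12, 3)),
    "java":    ("7u45",        date(2013, 10, 15)),
}

# Constructed inventory as a central dashboard would collect it:
# site -> host -> {product: installed version}.
INVENTORY = {
    "site-a": {
        "a-srv01": {"os": "6.3.9600.17", "browser": "31.0.1650", "pdf": "11.0.06", "java": "7u45"},
        "a-ws02":  {"os": "6.3.9600.17", "browser": "30.0.1599", "pdf": "11.0.04", "java": "7u25"},
    },
    "site-b": {
        "b-ws01":  {"os": "6.3.9600.11", "browser": "31.0.1650", "java": "7u25"},
    },
}

def missing_patches(installed, catalog=CATALOG, today=date(2014, 1, 3)):
    """Return [(product, installed, latest, days_exposed)] for every installed
    product whose version differs from the catalog version."""
    gaps = []
    for product, version in installed.items():
        if product not in catalog:
            continue  # unknown product: nothing to compare against
        latest, released = catalog[product]
        if version != latest:
            gaps.append((product, version, latest, (today - released).days))
    return gaps

def site_report(inventory=INVENTORY, catalog=CATALOG, today=date(2014, 1, 3)):
    """Per site: host count, hosts with any gap, hosts an OS-only check would
    wrongly call clean, and the longest third-party exposure in days."""
    report = {}
    for site, hosts in inventory.items():
        s = {"hosts": 0, "exposed": 0, "os_only_looks_clean": 0, "max_third_party_days": 0}
        for installed in hosts.values():
            gaps = missing_patches(installed, catalog, today)
            s["hosts"] += 1
            s["exposed"] += bool(gaps)
            third_party = [g for g in gaps if g[0] != OS_PRODUCT]
            # OS is current but third-party apps are not: invisible to an OS-only view.
            if third_party and not any(g[0] == OS_PRODUCT for g in gaps):
                s["os_only_looks_clean"] += 1
            for gap in third_party:
                s["max_third_party_days"] = max(s["max_third_party_days"], gap[3])
        report[site] = s
    return report
```

In the constructed data, site-a looks fully patched from an OS-only perspective while one workstation has carried an unpatched third-party runtime for 80 days.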

5. Irregular maintenance

Patching once every few weeks may seem adequate but it’s not going to give you peace of mind that all known vulnerabilities have been patched. Patch management requires discipline and a strict schedule so that the attack surface is greatly reduced and the risk of infection is limited.

Patch management plays a critical role in ensuring that companies keep their PC real estate fully up-to-date with the latest security patches and software updates, without unduly compromising reliability, productivity, security, and data integrity. For MSPs, it’s important that they get it right the first time around, that they use the best solution, and that they get buy-in from their clients’ management.