The criticality of software patches is once again in the spotlight, as cybersecurity officials worldwide are contending with Spectre and Meltdown, a collection of security flaws affecting most computer chips made in the past 20 years.
That's because available software patches can address the flaws, although the tradeoff could be chip performance.
Today's situation echoes last year's stories around the WannaCry and Petya ransomware, both of which exploited systems that had not been updated with available patches; those patches, in turn, carried their own potential for complications.
Such tradeoffs begin to show the complexities of patch management, a discipline in which IT and cybersecurity need to understand the security risks and weigh them against the risks of business interruptions and IT infrastructure malfunctions that can arise when patches are applied.
What is patch management?
Patch management is simply the practice of updating software with new pieces of code – most often to address vulnerabilities that could be exploited by hackers but also to address other problems in the existing program or add new functions to it.
Although the practice sounds straightforward, patch management is not an easy process for most IT organizations.
Applying software patches in modern enterprises that have complex, often customized environments with multiple integration points could slow down hardware or software, as is the case with the patches designed to fix the Spectre and Meltdown vulnerabilities. Patches could close ports, disable critical pieces of infrastructure, crash systems or cut availability, potential scenarios that could leave businesses without the systems they need to operate or handle transactions.
“When you have a large organization or diverse networks, applying a patch can do a lot of different things to a lot of different systems. Yes, the patch could fix a security hole, but there are a lot of unintended consequences that can come out of it,” says Frank Downs, director and subject matter expert in the cybersecurity practices at ISACA, an international professional association focused on IT governance.
Organizations also must contend with the time and resources required to implement patches. Staffers need time to test, deploy and document patches – time that takes them away from more value-add activities. Staffers need time to take down and reboot systems to fully implement patches, too, which can mean lost productivity for others in the business as well.
On the other hand, patch management is essential. Gartner, the information technology research and advisory company, in its 2017 white paper Technology Insight for Patch Management Tools reports that 99 percent of exploits are based on known vulnerabilities, many of which have patches that fix them.
Steps in a patch management process
The recent wave of headline-making attacks that exploited unpatched systems has increased pressure on organizations to better manage, and more quickly deploy, patches to servers, endpoints, databases and applications.
Granted, developing a strong patch management process might not seem as exciting as implementing newer cybersecurity defenses, but it still has big payoffs, says Terrence Cosgrove, an analyst in Gartner’s IT Service Automation research group.
“We think that the single most important thing you can do is improve your patching,” he says. “It’s about doing the basic things well, that’s where you can really move the needle on reducing your risk.”
A strong patch management process involves several key steps, according to Cosgrove, Downs and other cybersecurity and IT leaders. They are as follows:
1. Establish patch management as a priority. IT operations workers generally apply patches, but they’re pulled in multiple directions by competing demands and priorities, Cosgrove says. So enterprise leaders who want to cultivate a strong patch management discipline need to recognize it as a priority, develop a patching schedule and allocate the resources required for the task.
2. Have an accurate inventory. IT needs to know every asset in its environment in order to identify which patches are needed when vendors make them available. "You cannot patch what you do not know you have," says Scott Laliberte, managing director at Protiviti and leader of the consulting firm's Global Information Security Practice. This objective may be impossible, particularly in large organizations, but enterprise leaders should work toward that goal, standardizing on as few platforms as possible to help them get there. Network mapping and automation can also help create the most accurate inventory possible.
3. Develop a testing procedure. "You need to look at all systems before you patch and make sure the patch won't break anything. Test the patch, go through all the steps and make sure there are no adverse consequences before applying it," Downs says. Brian Contos, CISO and vice president of technology innovation at Verodin, a technology company, recommends implementing a testing lab emblematic of the production environment. He acknowledges that this approach can be expensive and time-consuming, "but it's less costly than breaking something in your production environment."
4. Be committed. The complexities of the modern IT stack, with its numerous points of integration, customized pieces, add-ons, etc. that are often spread among multiple locations as well as mobile endpoints, make patching more complicated. “IT has to accept that there’s going to be some issues and work through those problems rather than defer and avoid,” Laliberte says.
5. Assign ownership. A typical IT department has many workers who apply patches as part of their portfolio of responsibilities; as a result, patch management can become a task done by many but owned by no one, IT and cybersecurity experts say. But it's difficult for an enterprise to have a strong patch management process without clear accountability. "It's not that you need to hire a patch manager, unless you're a large multinational company who might need one. But there should be an individual, at least one, where patch management is officially part of their responsibility," Downs says.
6. Document. A strong patch management discipline should include, in addition to a documented inventory of assets, a way to identify and document patches as they're released by vendors, when they're scheduled to be tested and deployed in the enterprise, and when the patches have been completed. Laliberte also recommends developing metrics and dashboards to create visibility into the patch management discipline, so management knows where vulnerabilities have already been addressed, how long systems may go without patching, and where vulnerabilities remain.
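Steps 2 and 6 above (an accurate inventory, plus documentation and metrics) are the parts of the process that can be turned into a repeatable check. The script below is an added illustration, not code from the article or from any of the people quoted in it: it joins a constructed asset inventory against a constructed vendor patch catalog, reports every host that is still running a version older than the fix, and produces the kind of numbers a patch dashboard would show (open gaps by severity, gaps past their remediation deadline, gaps on hosts with no assigned owner, and the oldest unpatched release). The host names, package versions, patch identifiers and SLA values are all hypothetical placeholders.

```python
"""Patch-gap report: which assets lack which released patches, and for how long."""
from collections import Counter
from datetime import date

# Constructed sample inventory (hypothetical hosts and versions, not real data).
INVENTORY = [
    {"host": "web-01", "owner": "platform", "packages": {"httpd": "2.4.29", "openssl": "1.1.0"}},
    {"host": "web-02", "owner": "platform", "packages": {"httpd": "2.4.41", "openssl": "1.1.1"}},
    {"host": "db-01", "owner": "data", "packages": {"postgresql": "11.5", "openssl": "1.1.0"}},
    {"host": "jump-01", "owner": None, "packages": {"openssh": "7.4"}},  # no owner assigned
]

# Constructed vendor patch catalog. Patch IDs are hypothetical placeholders, not real advisories.
CATALOG = [
    {"id": "PATCH-HTTPD-01", "package": "httpd", "fixed_version": "2.4.41", "severity": "high", "released": date(2019, 8, 14)},
    {"id": "PATCH-SSL-01", "package": "openssl", "fixed_version": "1.1.1", "severity": "critical", "released": date(2019, 9, 10)},
    {"id": "PATCH-PG-01", "package": "postgresql", "fixed_version": "11.6", "severity": "medium", "released": date(2019, 11, 14)},
    {"id": "PATCH-SSH-01", "package": "openssh", "fixed_version": "8.0", "severity": "high", "released": date(2019, 4, 17)},
]

# Remediation deadlines (days after vendor release) by severity. Assumed policy values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Fixed "today" so the report is reproducible offline.
REPORT_DATE = date(2019, 12, 1)


def version_key(version):
    """Turn a dotted numeric version such as '2.4.41' into a tuple that compares correctly
    ('2.4.9' < '2.4.41', which plain string comparison gets wrong)."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(inventory, catalog, today):
    """Return one finding per (host, patch) where the installed version is older than the fix."""
    findings = []
    for asset in inventory:
        for patch in catalog:
            installed = asset["packages"].get(patch["package"])
            if installed is None:
                continue  # package not present on this host, so the patch does not apply
            if version_key(installed) < version_key(patch["fixed_version"]):
                age = (today - patch["released"]).days
                findings.append({
                    "host": asset["host"],
                    "owner": asset["owner"],
                    "patch": patch["id"],
                    "severity": patch["severity"],
                    "days_since_release": age,
                    "past_sla": age > SLA_DAYS[patch["severity"]],
                })
    return findings


def summarize(findings):
    """Dashboard metrics: open gaps by severity, SLA breaches, unowned hosts, oldest gap."""
    return {
        "open_by_severity": dict(Counter(f["severity"] for f in findings)),
        "past_sla": sum(1 for f in findings if f["past_sla"]),
        "unowned": sorted({f["host"] for f in findings if f["owner"] is None}),
        "oldest_gap_days": max((f["days_since_release"] for f in findings), default=0),
    }


if __name__ == "__main__":
    report = missing_patches(INVENTORY, CATALOG, REPORT_DATE)
    for f in sorted(report, key=lambda f: -f["days_since_release"]):
        flag = "PAST SLA" if f["past_sla"] else "within SLA"
        print(f"{f['host']:8} {f['patch']:16} {f['severity']:9} {f['days_since_release']:4}d  {flag}")
    print(summarize(report))
```

Two design points matter in practice. Versions are compared as numeric tuples rather than strings, because a lexical comparison would rank "2.4.9" above "2.4.41" and silently hide a gap. And the report carries the owner field through to the findings, so an asset nobody is accountable for (jump-01 here) surfaces as a distinct metric rather than disappearing into the total, which is the ownership problem step 5 describes.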
Using patch management software
Smaller organizations with less complex IT environments may be able to track, test, apply and document patches without any patch management tools. Some larger IT departments continue to go that route at times, using homegrown scripts and manual processes to patch some systems.
However, cybersecurity leaders say businesses today need to invest in patch management software that enables them to quickly and consistently apply patches across the diverse platforms they have within their IT environments.
There’s no single tool that can handle every single patch across the range of technologies in most organizations. Patch management tools can be part of larger lifecycle management suites, plug-ins that augment those suites, or stand-alone solutions, Cosgrove says.
Most organizations deploy more than one type, selecting those that best serve their needs based on the specific software and hardware systems they use, the speed at which they want to deploy patches, their business risks and other such factors.
Patch management policy
Following such steps can help enterprises ensure a strong patch management discipline.
Yet enterprise IT and cybersecurity executives are well served by developing an overarching patch management policy and fitting that policy within a broader cybersecurity strategy, Contos says.
“Everyone needs to patch, but it should be more programmatic, where it’s done in a planned effort, where things are evaluated and tested before they go into production. We’ve skipped over that in recent years as we had these headline-making events,” he says.
Because of the complexities and risks of applying patches, and because IT and security people have so many other competing responsibilities, organizations tend to have a reactive rather than systematic approach to tackling patches, he explains. That, however, only heightens the risk of both attacks targeting unpatched systems as well as complications resulting from poorly executed patching.
Contos advises enterprise leaders to develop a patch management policy that considers business risks and the organization’s overall security posture to best determine how often and on what schedule patching needs to occur.
“It’s not glamorous,” he concedes, “and when everything is working right, no one knows you’ve done anything. It’s only when something goes wrong that anyone cares about patch management. But patch management done right is patch management that has been validated over time. It’s not a knee-jerk reaction.”