Increasingly complex enterprise networks, bring your own device (BYOD), a broader array of applications, and the rise of malware and ransomware attacks make a patch management policy a necessity for any business that wants to run smoothly while protecting its environment, and especially its critical data. Delay in applying patches can have severe consequences: WannaCry spread through a vulnerability for which Microsoft had released a patch two months earlier. Focusing only on Windows OS patches and neglecting Windows applications (i.e., third-party applications) can lead to equally severe damage.
Patch management is the process of researching, testing and installing patches on production systems and the applications installed on them. Based on experience from several large enterprise deployments, the SapphireIMS team offers the following Windows patch management best practices.
1. Inventory of Windows Assets: The network infrastructure will have servers, workstations and PCs, possibly spread across remote locations. It is important to discover and scan all Windows assets, which gives an accurate view of the machines that need to be patched. The discovery and inventory cycle must run regularly so that no Windows asset is missing from the records; a machine that is not in the inventory is never scanned and never patched. SapphireIMS provides both agent-based and agent-less inventory of Windows assets with periodic updates.
2. Identify Critical and Non-Critical Assets: Once the inventory is done, classify the assets by exposure and risk. This analysis defines which systems need immediate patching (within hours or a day) and which can go through the standard cycle (weeks). The key question to ask during this phase is "What is the impact to the business if this system is compromised?" If the impact is large (downtime, threat to data, etc.), that asset is a candidate for immediate patching; exposure (internet-facing, reachable from user networks) and what the system holds (credentials, regulated data) should weigh into the same decision. In SapphireIMS, this grouping of assets is done manually once, and different scan and deploy rules can then be defined for each group at different intervals.
3. Scan for missing patches and updates: Microsoft publishes patches on the second Tuesday of every month (Patch Tuesday), and third-party vendors publish updates on their own sites with each release. Each patch comes with detailed information including a severity rating (for Microsoft, Critical, Important, Moderate or Low). It is very important to scan proactively for missing patches rather than waiting for the security team to report vulnerabilities and ask for them to be patched. Scanning against these officially published catalogs shows the organization's current patch state, so that action can be taken according to the severity and criticality of the vulnerabilities found. SapphireIMS provides scanning using both offline and online methods for Windows operating systems, can scan well-known third-party applications, and provides a holistic view of missing patches and updates at configured intervals.
4. Assess the risk and vulnerability: Figure out which servers and machines are both vulnerable and mission critical. Three things need to be weighed: the severity of the threat, the impact of the vulnerability on the business, and the cost of recovery or mitigation.
5. Testing patches: Testing is a mandatory step to avoid complications arising from a new patch deployment. Though a patch may be applicable to a machine, it may not be compatible with some of the applications running on that OS. Patches sometimes crash systems, hang machines or cause repeated reboots, so it is recommended to run a pilot on a close mirror of the production systems and test for unknowns before deploying to the production environment.
6. Plan and Deploy: Once a vulnerability has been disclosed, attackers need little time to turn the information into a working exploit. As per the Data Breach Investigation Report (DBIR) of 2016, "Half of all exploitations happen between 10 and 100 days after the vulnerability is published", and the 2019 edition of the same report states that "Every time a vulnerability is disclosed or a system update or patch is released, a hacker sees an opportunity. They research the disclosure or update notes to learn if they can exploit the vulnerability and where, searching for their best opportunity to monetize the vulnerability". For the standard cycle, it is recommended to deploy over weekends so as not to disturb production hours, with a roll-back plan in case something does not work; assets flagged for immediate patching in step 2 should not wait for the weekend window. SapphireIMS provides a fully automated deployment method to save time and shorten the window during which systems remain vulnerable.
7. Assess the deployment and mitigate exceptions: It is recommended to assess the environment after deployment to discover any issues that require mitigation. If significant issues are encountered, the roll-back plan is executed to return the machine to its previous state. A rolled-back machine is still unpatched, so it becomes an exception that needs compensating controls until a fixed patch is available, such as isolating the system from the network or locking down user permissions.
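The following script is an added example, not SapphireIMS code or configuration, showing steps 2, 3, 4, 6 and 7 above on a single Windows host with the Windows Update Agent (WUA) COM API that PowerShell exposes. It is run in an elevated session on the host itself; the hostnames in $CriticalAssets, the window names (Immediate, Priority, Standard) and the severity-to-window mapping are placeholders chosen for the example and would come from the inventory and risk analysis in a real deployment. It covers only what the host's update source (Microsoft Update or WSUS) offers, so third-party application patches still need a separate scan.

```powershell
# Added example (not SapphireIMS code): triage and verify Windows updates on one host with the
# Windows Update Agent (WUA) COM API. Run locally in an elevated PowerShell session. The
# hostnames in $CriticalAssets and the window names are placeholders for this example.

# --- Step 2: asset tier. In practice the list comes from the step-1 inventory (CMDB or AD export).
$CriticalAssets = @('DC01', 'SQL01', 'FS01')   # hypothetical names
$Tier = if ($CriticalAssets -contains $env:COMPUTERNAME) { 'Critical' } else { 'Standard' }

# --- Step 3: scan. The searcher uses the host's configured source (Microsoft Update or WSUS),
# so the same code works in an isolated network that syncs from an internal WSUS server.
$Session  = New-Object -ComObject 'Microsoft.Update.Session'
$Searcher = $Session.CreateUpdateSearcher()
$Criteria = "IsInstalled=0 and IsHidden=0 and Type='Software'"
$Missing  = $Searcher.Search($Criteria).Updates

# --- Step 4: risk. MsrcSeverity is Critical/Important/Moderate/Low, or empty for
# non-security updates. Asset tier plus severity decide the deployment window.
function Get-DeploymentWindow {
    param([string]$Severity, [string]$AssetTier)
    if ($AssetTier -eq 'Critical' -and $Severity -in @('Critical', 'Important')) { return 'Immediate' }  # hours/day
    if ($Severity -eq 'Critical') { return 'Priority' }   # standard asset, but exploitable: next available window
    return 'Standard'                                     # monthly cycle after pilot testing (step 5)
}

function Get-PatchPlan {
    foreach ($Update in $Missing) {
        [pscustomobject]@{
            KB       = ($Update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = if ($Update.MsrcSeverity) { $Update.MsrcSeverity } else { 'None' }
            Window   = Get-DeploymentWindow -Severity $Update.MsrcSeverity -AssetTier $Tier
            Reboot   = $Update.InstallationBehavior.RebootBehavior -ne 0   # 0 = never reboots
            Title    = $Update.Title
        }
    }
}

# --- Step 6: deploy only the chosen window. Dry run unless -Apply is given, so the script can
# be scheduled for the maintenance window and its plan reviewed (change management) before it acts.
function Install-PatchWindow {
    param([string]$Window = 'Immediate', [switch]$Apply)
    $Batch = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($Update in $Missing) {
        if ((Get-DeploymentWindow -Severity $Update.MsrcSeverity -AssetTier $Tier) -eq $Window) {
            if (-not $Update.EulaAccepted) { $Update.AcceptEula() }
            [void]$Batch.Add($Update)
        }
    }
    if ($Batch.Count -eq 0) { Write-Output "No updates in window '$Window'"; return }
    if (-not $Apply) { Write-Output "$($Batch.Count) update(s) in window '$Window' would be installed (use -Apply)"; return }
    $Downloader = $Session.CreateUpdateDownloader(); $Downloader.Updates = $Batch; [void]$Downloader.Download()
    $Installer  = $Session.CreateUpdateInstaller();  $Installer.Updates  = $Batch
    $Outcome    = $Installer.Install()
    # ResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
    [pscustomobject]@{ ResultCode = $Outcome.ResultCode; RebootRequired = $Outcome.RebootRequired }
}

# --- Step 7: post-deployment check. Re-scan for anything still missing in the window and pull
# recent WUA history entries that failed; either condition marks a roll-back/exception candidate.
function Test-PatchDeployment {
    param([string]$Window = 'Immediate', [int]$Days = 1)
    $Still = $Searcher.Search($Criteria).Updates |
        Where-Object { (Get-DeploymentWindow -Severity $_.MsrcSeverity -AssetTier $Tier) -eq $Window }
    $Count  = $Searcher.GetTotalHistoryCount()
    $Failed = if ($Count -gt 0) {
        $Searcher.QueryHistory(0, $Count) |
            Where-Object { $_.Date -gt (Get-Date).AddDays(-$Days) -and $_.ResultCode -in @(4, 5) } |
            Select-Object Date, Title, HResult
    }
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Tier           = $Tier
        StillMissing   = @($Still).Count
        RecentFailures = @($Failed).Count
        Failures       = $Failed
    }
}

Get-PatchPlan | Sort-Object Window, Severity | Format-Table -AutoSize
Install-PatchWindow -Window 'Immediate'        # dry run; add -Apply inside the approved change window
Test-PatchDeployment -Window 'Immediate'
```

The dry-run default is deliberate: the plan printed by Get-PatchPlan is what goes into the change record, and -Apply is only added once the pilot (step 5) has passed. A non-zero StillMissing or RecentFailures after the window is the trigger for the roll-back and exception handling in step 7. Fleet-wide tooling does the same thing across every host in the inventory; this script shows the per-host logic it has to get right.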
Apart from these best practices, a few further recommendations help reduce risk:
Pilot/Lab Environment: Maintain a lab that mirrors the production environment to test newly released patches and updates. Virtual machines are commonly used for this.
End-user privileges: Avoid granting full administrator rights to end users; give them only the privileges their day-to-day work requires. Users with admin rights can dismiss or defer patch deployments and install vulnerable software, creating bigger problems.
Endpoint protection: Proper endpoint protection (EPP) is recommended to block malicious activity, including attacks against hosts that have not yet received a patch.
Change Management: Change management is important throughout the patch management cycle, and especially when patching mission-critical machines.
Bandwidth consumption: Patch download is a bandwidth-heavy activity, and it is felt most when every machine in a remote branch downloads patches from the head office individually. This can be avoided by using a distribution point at each location. SapphireIMS has the concept of a master agent that acts as a distribution server and can also limit the bandwidth used for patch downloads from the central location.