Patch Management Best Practices & Steps

Patch management is a critical aspect of IT security. If patches are not deployed in a timely manner, vulnerabilities remain exploitable by the bad guys. Those organizations that deploy patches rapidly and comprehensively across all endpoints and systems suffer far fewer attacks than those that are sloppy about their patch management practices.

“Effective patch management mitigates risk by eliminating domain-specific activities and applying standard processes across all enterprise systems,” said Gartner analyst Terrence Cosgrove.

See the Best Patch Management Software & Tools

Steps to Effective Patch Management

We’ll cover patch management practices in depth below, but first, here are the key steps for effective patch management:

  1. Discovery: Conduct a thorough scan of the enterprise to find every piece of software, every PC, laptop, server, tablet, and any other devices that are operating on the network.
  2. Patch Prioritization: Figure out what patches apply, and then, lay them out in terms of their CVSS rating and other scores.
  3. Risk Assessment: Include a risk assessment for your own organization that isolates the key systems and applications to patch first.
  4. Deploy Patches Regularly: Deploy patches rapidly and automatically but in such a way that it doesn’t tie up organizational bandwidth.
  5. Verify Installation: Verify that patches were installed correctly by reviewing reports and checking for any areas where patches failed to deploy.

Patch Management Best Practices

To do patch management right, you need to know what you own, what you need to patch, and what you should prioritize. Sounds easy on the surface, but in practice it can be quite challenging. Here are the best practices you need to follow for an effective patch management program.

Asset discovery

It all starts with asset discovery. You can’t protect or patch something you don’t know exists. Therefore, asset discovery — finding out what you have, with which end-user profiles — plays a critical role in any vulnerability management initiative. The NIST Cybersecurity Framework, CIS Critical Security Controls, and other frameworks make it clear that discovery and asset management are the foundation on which to build a cybersecurity program.

Patch management tools, therefore, should be able to scour the network for every device, endpoint, server, operating system (OS), and application that may need to be patched. Only with a complete inventory can patching be accomplished broadly across the enterprise.

Also see: Top IT Asset Management (ITAM) Tools for Security

Patch prioritization

In large organizations, it may be difficult to patch everything.

“It is hard for many enterprises to accept the fact they cannot patch everything,” said Bob Kelly, director of product management at Flexera. “As little as one in 10 patches actually get deployed due to challenges in identifying, testing, and rolling out updates to the constant backlog of security updates coming on a daily basis.

“Just patching as much as possible, focusing on the most widely deployed applications or even those with this highest criticality, is a blind approach which may not be reducing risk to the levels hoped.”

There are so many patches coming in from so many different sources that some system is needed to deal with them. One common approach is to follow the Common Vulnerability Scoring System (CVSS) which gives a score from 1–10 with the highest ratings being the most serious. Some organizations only patch those with a score of 7 or above, but some believe this is a flawed approach.

“We are seeing an uptick in exploitation of vulnerability in the 5–7 range because hackers know that those scored 7 and higher are more likely to be mitigated faster,” said Kelly.

He advocated prioritization focusing on those that present the most risk. He added that only about 8% of disclosed vulnerabilities are actually exploited. Therefore, basing prioritization on threat intelligence can be an effective way to prioritize and ensure the number of patches a team is able to deploy are the right ones.

A risk-based approach to patch management goes beyond CVSS scores and vendor severity to identify and qualify the specific vulnerabilities that pose the most significant risk to an organization’s devices, data, and end users.

“This extension of risk-based vulnerability management brings real-world risk context into the patch management process by correlating known exploits, ties to ransomware and malware, and trending vulnerabilities to OS and application updates,” said Chris Goettl, vice president of security solutions at Ivanti. “By putting vulnerabilities in context, operations teams understand the urgency of their activities through the same real-world risk lens as security teams, and patch admins can prioritize critical remediation activities.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of known exploited vulnerabilities. The list currently only shows about 800 vulnerabilities – a seemingly small number when more than 20,000 new vulnerabilities are identified each year – but it still requires good asset discovery and prioritization to target just that relatively small list.

Also read:

Patch supersedence

Vendors are quick these days to get patches released. When the critical Log4J vulnerability was discovered, vendors had patches available within a day or two in some cases.

However, initial patches may not be comprehensive. Over time, better patches might be devised, or they may include additional steps to ensure a vulnerability is fully addressed. Thus, there may end up being two or three different patches all dealing with the same issue.

Some organizations and some patch management systems deploy patches based on priority and time. First come first served is the mantra. Thus, the patching queue may contain an aging and perhaps outdated patch which is ahead of the newest patch. Enter patch supersedence to detect this phenomenon and only deploy the latest patch.

“Patch management should automatically exclude superseded patches and only include the newer ones,” said Ashley Leonard, CEO of Syxsense.

Network bandwidth

Traditionally, patch management has just fed patches to endpoints over the net. But when you get to large numbers of endpoints and several patches, this can quickly clog bandwidth to the point where user complaints arise.

The latest generation of systems address this by intelligently distributing patches without tying up bandwidth across the enterprise. This is done in a variety of ways, including the use of peer-to-peer within the network for local distribution.

Third-party applications

If you are putting your trust in a platform vendor such as Microsoft or Apple for managing updates, it is likely that a lot of applications and systems are being missed when it comes to patching. The update services of these vendors are designed primarily for their own tools and applications. They will neglect vital updates for Adobe, Google, Mozilla, Oracle, and many other vendors and applications.

Some patch management tools focus on certain parts of the IT ecosystem. They may lack comprehensive coverage of third-party applications. Therefore, ensure the solution deployed includes third-party applications. One area to watch, for example, is storage and backup. A surprising number of patch management tools miss well-known storage and backup applications.

See the Best Third-Party Risk Management (TPRM) Tools

Testing

Testing can be the downfall of patch management in many organizations. Perhaps due to past bad experiences, some organizations have rigorous patch testing procedures in place. Most of the time, the only thing these processes accomplish is to slow patch deployment to a crawl. As cyber criminals operate rapidly, there may be no time to lose in deploying patches.

Some vendors now offer testing and deployment within hours of patch release. This is probably the way to go rather than trying to test patches internally. If patch supersedence is available, that takes care of the rare times when a dependency wasn’t taken into account. Where testing is being done internally, patch roll out should be done in a controlled environment. But speed remains important.

“Applications and computer systems are extremely complex, and there’s always a chance that a new update may create unintended problems,” said Lou Fiorello, vice president and  general manager of security products at ServiceNow. “Roll out a new patch in a controlled environment before trusting it with an entire network.”

The ability to roll back to a previous state when a patch causes issues is thus another important patch management feature.

How Much Time Should Be Spent on Patch Management?

If patch management becomes a time-consuming activity, it is likely to fall into neglect or even disuse. Yet, it is a vital part of enterprise security. Automation is the key. With the right systems in place to take care of patch management and deployment, the function can be set up to run like clockwork with minimal involvement from IT.

Read next: Top Vulnerability Management Tools

Drew Robb
Drew Robb
Drew Robb has been a full-time professional writer and editor for more than twenty years. He currently works freelance for a number of IT publications, including ServerWatch and CIO Insight. He is also the editor-in-chief of an international engineering magazine.

Top Products

Related articles