5 Patch Management Best Practices for Success in 2023

11 months ago AndyC

Patching remains a difficult task for many organizations – but it’s critical for security. Discover 5 patch management best practices for 2023.

5 Patch Management Best Practices for Success in 2023

Patching remains a difficult task for many organizations – but it’s critical for security. Discover 5 patch management best practices for 2023.

Image: iStockphoto/JulieVMac

Not all patches are the same, explained Syxsense’s chief customer success officer Robert Brown. Some are strictly updates that introduce new features, drivers and or firmware. Other patches fix issues such as software glitches or security holes.

Cybersecurity agencies and vendor rating systems grade patches based on their importance. The Common Vulnerability Scoring System (CVSS), for example, gives a score from one to 10, with the highest ratings being the most serious. Some patch management systems use CVSS scores, while others incorporate other metrics and evaluate a vulnerability against how much risk it poses to a specific business or application.

Critical updates offer a significant benefit: improved security, better privacy or greater reliability. Updates that are graded as important but non-critical will still enhance the system; optional patches typically relate to drivers or new software.

“Different vendors rate things differently,” said Brown. “As one vendor may grade a patch as critical and another as non-critical, it is best to take multiple factors into account.”

Syxsense provides a “Syxscore,” which is based on an organization’s attack surface with vulnerabilities and endpoint posture. It leverages the National Institute of Standards and Technology and vendor severity assessments in relation to the health status of the endpoints in an environment.

“Syxscore is a personalized evaluation of what devices are vulnerable and the criticality of updates to the overall protection of your network, giving you the ability to target endpoints that pose the most serious levels of risk,” said Brown.

Brown offered some tips on patch management, outlined below.

Jump to:

  1. Don’t neglect 3rd-party patches
  2. Implement patch automation
  3. Identify all devices
  4. Test and roll out carefully
  5. Follow the golden rules

1. Don’t neglect 3rd-party patches

Too many companies tend to turn on Windows and Apple updates and believe they are covered. However, they are missing a great many open-source and third-party patches that may represent severe exposure.

“Third-party updates account for 75% to 80% of all vulnerabilities,” Brown said.

SEE: Learn how to create a solid patch management strategy here.

2. Implement patch automation

Once organizations begin to confront third-party vulnerabilities, the volume of patches can soon become overwhelming. Some try to manually deal with all the vendor patches that come their way, but this ties them up in knots as they must test each one, figure out the best sequence of deployment and time the patch delivery to avoid overwhelming the network.

Cloud-based patch automation is the answer. The vendor takes care of prioritization, testing, patch rollout and the verification of a successful patch.

Brown advised enterprises to first establish their exact needs and choose a patch management toolset that fits. By taking advantage of all available automation features, IT and security personnel will have time to get on with more strategic projects.

3. Identify all devices

One of the biggest issues in patching is making sure you cover all systems and devices. Cybercriminals only need one unpatched app or device to wreak havoc.

Moreover, not all patch and vulnerability scanners are the same. Some miss smartphones, others are operating in a system-specific fashion and more than a few are weak when it comes to backup and storage applications.

4. Test and roll out carefully

Brown also explained the best way to test and roll out patches: To start, a handful of systems should be used to create an initial baseline for patch deployment. These devices are used to verify that the patch is installed correctly and no issues come up.

From there, deploy across a larger set of devices, which should include machines from different departments. You want to have a device or two in IT, finance, marketing and other departments, for example, so you can verify there are no issues with any core business applications. If that all checks out, set up a schedule to deliver the patch everywhere.

SEE: What is patch management?

5. Follow the golden rules

Finally, Brown ran through some additional golden rules of patching:

  • Don’t test a patch on your own machine: If it crashes, you may be locked out of your device for hours and unable to stop a rogue patch from broader deployment.
  • Look for patch management systems that allow you to uninstall patches and roll back systems.
  • Organize the rollout so as not to overwhelm the network or impact user experience. Split it up based on logical groups or by department, region, location or device type.
  • Ensure all new devices are added to the patching schedule.
  • Document patching successes and failures. Know if any devices failed to patch and be able to drill down to find out why.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , ,

More Stories

How Can Businesses Defend Themselves Against Common Cyberthreats?

How Can Businesses Defend Themselves Against Common Cyberthreats?

2 days ago AndyC
Sophos Germany Champions Girls’ Pathways into Tech

Sophos Germany Champions Girls’ Pathways into Tech

2 days ago AndyC
Combatting Deepfakes in Australia: Content Credentials is the Start

Combatting Deepfakes in Australia: Content Credentials is the Start

4 days ago AndyC
20 Coolest Cybersecurity Products At RSAC 2024

20 Coolest Cybersecurity Products At RSAC 2024

4 days ago AndyC
Proofpoint Sets New Industry Standard in Email Security with Adaptive Threat Protection Capabilities Across the Entire Email Delivery Chain

Proofpoint Sets New Industry Standard in Email Security with Adaptive Threat Protection Capabilities Across the Entire Email Delivery Chain

4 days ago AndyC
Defenders assemble: Time to get in the game

Defenders assemble: Time to get in the game

4 days ago AndyC

You may have missed

Ohio Lottery data breach impacted over 538,000 individuals

Ohio Lottery data breach impacted over 538,000 individuals

9 hours ago AndyC
Ohio Lottery data breach impacted over 538,000 individuals

Ohio Lottery data breach impacted over 538,000 individuals

9 hours ago AndyC
Notorius threat actor IntelBroker claims the hack of the Europol

Notorius threat actor IntelBroker claims the hack of the Europol

9 hours ago AndyC
Notorius threat actor IntelBroker claims the hack of the Europol

Notorius threat actor IntelBroker claims the hack of the Europol

9 hours ago AndyC

How to talk about climate change – and what motivates people to action: An interview with Katharine Hayhoe

15 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.