Not too many years ago, Microsoft Corporation was viewed somewhat suspiciously in the information security community for what was perceived to be a lackadaisical approach to patching its software and (in particular) its Windows operating systems. Fast-forward to today, and Microsoft is recognized almost universally as having one of the most effective and timely security patching programs in the industry. Of course, Microsoft isn’t the only OS vendor to experience known vulnerabilities; although Apple for many years boasted that its software “doesn’t have security holes”, the fact is that the venerable OS X operating system, while a very mature BSD UNIX variant, still encounters periodic security issues which – to their credit – Apple addresses through frequent patch deployments. Even Linux, which runs so much of the Internet’s infrastructure, periodically has major security issues discovered in its supporting software, including a major vulnerability discovered just last week within systemd, a critical piece of software that provides name resolution services.
The “Good” side of patch management is that these organizations – Microsoft, Apple, the open source community, and many other commercial vendors – are getting serious about security. They’re getting better about working with the community of researchers who discover most security flaws, they’re addressing these issues in a timely manner, and they’re doing everything they can to get issued patches into the hands of their users as quickly as possible.
The “Bad” side of patch management is, unfortunately, a product of the good side: as OS vendors continue to improve their products, security flaws continue to get discovered, and exploit code makes it into the wild…
…which leads to the “Ugly”: organizations that fail to implement these patches quickly enough, or even worse, don’t deploy them at all. When the “WannaCry” ransomware outbreak hit back in May of this year, one thing that many analysts and pundits overlooked was that the vulnerability exploited by WannaCry (in SMB v1) had been fixed in a patch issued by Microsoft over two months before WannaCry hit. Had the organizations that experienced data loss due to WannaCry been more vigilant about patching, the fact is that they wouldn’t have been victims.
Fortunately, patch management is not exactly rocket science. Implementing an effective patch management process is all about implementing a simple set of fundamental processes and controls:
- If you can’t see it, you can’t manage it. One of the most pervasive gaps in security today is organizations that simply don’t know what assets are sitting on their networks. Having visibility into the systems touching your networks – and their current operating system and applications, including installed patches – is a critical first step to knowing what the risks are to your environment. Every organization should either have an endpoint agent, SIEM or some combination of other tools to be able to see the assets that are sitting on their network, and what they’re doing.
- Balance testing and deployment times. Often, organizations will not deploy patches immediately because they want to test how those patches will affect their other systems and technologies. However, a risk-based balance needs to be struck; what’s more impactful to your organization: a business application going down for a few hours due to a patch that interferes with it, or having the majority of systems in your environment affected by a major ransomware attack? It’s important to test patches before deployment, but that testing needs to be tempered with the understanding that once a patch is released, exploit code targeting the vulnerability it fixes is likely to be developed.
- Automation is key. While it is possible to manually deploy patches, even in small environments of only a few dozen to a few hundred systems this approach quickly becomes ineffective. Implementing an automated tool for patching is vital to ensuring complete deployment coverage, and to keeping your sanity. Automation tools come in a variety of formats, including both integrated tools (EiQ Networks’ own SOCVue provides integrated patch management, along with continuous monitoring and vulnerability management) and dedicated patch management tools. Also, consider leveraging tools that are already used for deploying and managing software; for example, Microsoft’s SCCM can be used not only to build and deploy software, but also to force deployment of OS and application patches.
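The three controls above (inventory visibility, a risk-based deployment window, and automated reporting) can be tied together in a simple patch-exposure report. The script below is an added example, not part of the original post or of any vendor's product; the advisory ids, release dates, host names and SLA windows are all constructed sample data.

```python
"""Patch-exposure report driven by an asset inventory (constructed sample data)."""
from datetime import date

# Constructed advisory feed: patch id -> (release date, severity).
# The ids and dates are invented for illustration, not real bulletins.
ADVISORIES = {
    "PATCH-0001": (date(2023, 3, 14), "critical"),   # remotely exploitable flaw
    "PATCH-0002": (date(2023, 4, 11), "important"),
    "PATCH-0003": (date(2023, 5, 9), "moderate"),
}

# Assumed risk-based deployment windows (days) per severity: the balance
# between time spent testing and time spent exposed once exploit code appears.
SLA_DAYS = {"critical": 7, "important": 30, "moderate": 60}

# Constructed inventory, as an endpoint agent or SIEM would report it.
INVENTORY = [
    {"host": "fileserver-01", "installed": {"PATCH-0001", "PATCH-0002", "PATCH-0003"}},
    {"host": "hr-app-01", "installed": {"PATCH-0002"}},   # never received the critical fix
    {"host": "kiosk-07", "installed": set()},              # unmanaged: nothing applied
]

REPORT_DATE = date(2023, 5, 15)   # constructed "as of" date for the report


def missing_patches(host, advisories, as_of):
    """Return (patch_id, days_available, severity) for every advisory released
    on or before `as_of` that the host has not installed."""
    gaps = []
    for pid, (released, severity) in advisories.items():
        if released <= as_of and pid not in host["installed"]:
            gaps.append((pid, (as_of - released).days, severity))
    return gaps


def sla_breaches(inventory, advisories, sla_days, as_of):
    """Map host -> sorted list of missing patches that have been available
    longer than their severity's deployment window (the unpatched 'Ugly')."""
    report = {}
    for host in inventory:
        late = [gap for gap in missing_patches(host, advisories, as_of)
                if gap[1] > sla_days[gap[2]]]
        if late:
            report[host["host"]] = sorted(late)
    return report


if __name__ == "__main__":
    for host, late in sla_breaches(INVENTORY, ADVISORIES, SLA_DAYS, REPORT_DATE).items():
        for pid, days, sev in late:
            print(f"{host}: {pid} ({sev}) available {days} days, window {SLA_DAYS[sev]}")
```

A host that appears in the report only because it is missing a moderate patch released last week is within its window; one missing a critical patch for two months is the WannaCry scenario the post describes.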
While patch management is not the most glamorous aspect of information security, it is arguably the “last line of defense” when malicious code and attackers are not stopped by other security technologies such as firewalls, intrusion prevention or antivirus.