Patch Approval & Management 

Publication date: May 01, 2019

Last Published: Mar 30, 2020

Written by: Payam Pourkhomami, President & CEO, OSIbeyond


These days, it rarely takes more than a couple of hours from the discovery of an operating system or application vulnerability for an exploit to emerge. Unsurprisingly, many organizations—both large and small—are struggling to keep up with the seemingly never-ending stream of new patches and updates they must install to stay safe.  

Those who fail to keep their systems and applications up to date can face severe consequences, as unpatched organizations are gold mines for profit-seeking hackers. According to a ServiceNow study conducted by the Ponemon Institute, 57 percent of cyberattack victims reported that their breaches could have been prevented by installing an available patch. What’s perhaps even more alarming is the fact that 34 percent were already aware of the vulnerability before they were attacked.

In other words, one third of all organizations know about unpatched vulnerabilities but are unable to act in a timely manner because of poor patch management. That’s simply unacceptable in the era of pre-packaged exploit services, and the only effective solution is the implementation of a streamlined patch management process.  

Understanding the Patch Gap 

The Ponemon Institute estimates that the average time to patch is 102 days. Yes, it takes the average organization well over three months to patch vulnerable systems. It’s not that IT teams don’t understand how critically important it is to patch vulnerabilities in a timely manner—far from it. The real reason why the patch gap is so massive is the fact that 37 percent of organizations don’t pro-actively scan their networks and systems to see what needs to be fixed.  

To make things worse, there is a global shortage of IT talent, and organizations may not be able to find qualified personnel as quickly as they would like. According to the ServiceNow study, 64 percent of security professionals are trying to hire dedicated resources for patching over the next 12 months, but nobody knows how many of them will succeed.   

Bridging the Patch Gap 

Even though so many organizations don’t have direct access to as many talented IT professionals as they would like, they can still significantly strengthen their cybersecurity posture by implementing an effective patch approval and management process. 

In fact, Gartner estimates that patching will be the single most impactful enterprise activity to improve security in coming years. “Counting attacks is fruitless. Taking action based on trends and vulnerabilities is the best step. As the monetization of exploits and security grows, patching, detection and vulnerability management are ideal ways for security and risk management leaders to face a ransomware-dominated landscape,” states Gartner. 

The entire patch approval and management process can be broken down into three stages—discovery, patch testing, and patch roll-out—with each stage being as important as the last one.

Discovery

As we’ve already explained, 37 percent of organizations don’t pro-actively scan their networks and systems for vulnerabilities. However, before an organization can start monitoring for new patches and vulnerabilities, it must first create a comprehensive network inventory to have a good understanding of its infrastructure.  

Large organizations in particular sometimes lose track of their systems, forgetting to patch them for months and years. There are many tools that can help with both vulnerability monitoring and the creation of a comprehensive network inventory, and they can significantly reduce the burden patching places on the IT department.

Patch Testing

“You don’t patch systems immediately,” explains Greg White, director of the Center for Infrastructure Assurance and Security at the University of Texas San Antonio. “You test a patch to see if systems act adversely with it. If that happens, you have a critical piece of software that no longer works.” 

The sad truth is that even though patches are intended to fix or improve things, they sometimes make them worse. Patch testing is an especially important component of an effective patch management process because it helps organizations avoid being caught off guard by unexpected issues. In practice, patch testing involves the creation of a testing environment or at least a testing segment, and it’s one of those activities that are guaranteed to quickly pay for themselves.  

Patch Roll-Out

Each and every patch roll-out should follow previously established patch management policies, which specify what will be patched, when, and under what conditions. Not all patches are created equal, and it only makes sense to assign a critical kernel vulnerability a much higher priority than a cosmetic bug discovered in some miscellaneous piece of software used by just one department.

It’s always a good idea to conduct a detailed patch management audit after every patch roll-out. A patch management audit provides the information an organization needs to further fine-tune its patch management process. 
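The roll-out prioritization and post-roll-out audit described above, sketched as an added example that is not from the original article or from OSIbeyond. The per-severity deadlines, patch identifiers, dates and host counts are all constructed assumptions; the article itself names no specific values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: maximum days from patch release to roll-out, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class PendingPatch:
    patch_id: str        # constructed identifier
    component: str
    severity: str
    released: date
    hosts_affected: int  # taken from the network inventory built during discovery
    tested: bool         # True once the patch has passed the test environment

def due_date(p: PendingPatch) -> date:
    return p.released + timedelta(days=SLA_DAYS[p.severity])

def rollout_queue(patches):
    """Tested patches only, ordered by severity, then deadline, then reach."""
    ready = [p for p in patches if p.tested]
    return sorted(ready, key=lambda p: (SEVERITY_RANK[p.severity],
                                        due_date(p), -p.hosts_affected))

def audit(patches, installed_ids, today):
    """Post-roll-out audit: every patch past its deadline and still missing."""
    findings = []
    for p in patches:
        if p.patch_id in installed_ids:
            continue
        overdue = (today - due_date(p)).days
        if overdue > 0:
            reason = "not deployed" if p.tested else "stuck in testing"
            findings.append((p.patch_id, overdue, reason))
    return sorted(findings, key=lambda f: -f[1])  # most overdue first

# Constructed sample data.
PATCHES = [
    PendingPatch("PATCH-001", "kernel", "critical", date(2024, 3, 1), 120, True),
    PendingPatch("PATCH-002", "dept-reporting-tool", "low", date(2024, 1, 10), 8, True),
    PendingPatch("PATCH-003", "web-server", "high", date(2024, 2, 1), 15, False),
    PendingPatch("PATCH-004", "office-suite", "medium", date(2024, 2, 20), 300, True),
]

if __name__ == "__main__":
    for p in rollout_queue(PATCHES):
        print(f"{p.patch_id} {p.severity:<8} due {due_date(p)} ({p.component})")
    for patch_id, days, reason in audit(PATCHES, {"PATCH-001"}, date(2024, 4, 15)):
        print(f"OVERDUE {patch_id}: {days} days, {reason}")
```

The audit also reports patches that never left testing, so a stalled test cycle shows up as its own finding instead of being hidden by the roll-out queue.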

Conclusion

Knowing which patches to approve and being able to implement them before hackers manage to exploit the unpatched vulnerabilities is essential for all organizations that can’t afford to risk prolonged downtime and the loss of revenue associated with it. An effective patch approval and management process should be a key component of modern cybersecurity programs, and we’ve outlined it in this article.  For more information about monitoring patch vulnerabilities, consider contacting an MSSP.
