Patch management is the process through which updates are applied to systems within an organization. It is an oft-overlooked – but never admittedly ignored – facet of service management. It’s unlikely any organization or department would ever claim to ignore patching entirely. The very thought runs counter to everything individuals learn and observe about good IT management. But, despite this supposed focus on up-to-date maintenance and patching, too often vulnerabilities are found and exploited as a direct result of poor patching schedules and procedures.
The consequences of these lapses in the patch process are dire and can’t be ignored. The recent wave of cyber-attacks, from ransomware and other malware to the Spectre and Meltdown processor vulnerabilities, only serves to accentuate an issue that’s always been present and never went away. The easiest route into an otherwise secure system will almost always be through a known software vulnerability that has a fix available but has not been applied.
Outside of cyber security threats, the lack of a consistently followed patching process can create other nightmares and headaches throughout an organization. With a complete lack of updates, software will accumulate known bugs and miss out on critical features that would otherwise have been present, had a good patching schedule been followed. Software development these days is a fluid process, and the initial release of a piece of software is almost never the final version. Good developers will provide a near constant flow of patches and updates to ensure that the security, accessibility, and viability of their software is maintained.
On the other side of things, software that gets routine updates but doesn’t follow an established process for updating can experience periods where entire systems are unavailable to the rest of the organization. Loss of critical services doesn’t have to be a side effect of good maintenance! Systems and procedures can be put in place to ensure that service outages are minimal or even nonexistent during the patch process. Redundant systems can be established so that members of a pool are patched one at a time, or patches can be routinely applied during periods of lowest service usage to circumvent potential problems.
1. Make patching a priority
Patch management needs to be a universally recognized priority, from the top of the organization all the way down to the bottom. If the support isn’t there, implementing good patching procedures will be extremely difficult, if not impossible. It’s helpful to clearly communicate the advantages of good patching practices to the rest of your organization so that they see the value in prioritizing the procedures. Given how disastrous a poor update schedule could potentially be, the benefits far outweigh the financial cost and potential risks.
This also extends to prioritizing what should be patched. It’s not always possible to cover every single vulnerability in a given window, so patch prioritization needs to be given plenty of focus: weigh the severity of the flaw, whether it is being actively exploited, how exposed the affected asset is, and how critical that asset is to the business. A moderate-severity flaw that is exploited in the wild on an internet-facing server usually deserves attention before a high-severity flaw on an isolated, low-value machine.
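As an added illustration of that prioritization step (example code, not part of the original article or any vendor’s tool): the scoring weights, SLA tiers and the small patch backlog below are constructed assumptions, chosen so that the ranking shows exposure and active exploitation outweighing raw CVSS.

```python
"""Rank a backlog of pending patches so a limited patch window goes to the fixes
that matter most. Weights, tiers and the sample backlog are illustrative
assumptions, not a real organization's policy or data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingPatch:
    asset: str
    advisory: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    exploited: bool        # public exploitation known (e.g. listed in a KEV catalogue)
    internet_facing: bool  # reachable from untrusted networks
    criticality: int       # business criticality of the asset, 1 (low) to 3 (high)


def risk_score(p: PendingPatch) -> float:
    """Severity scaled by reachability, likelihood of exploitation and asset value.

    Exposure and known exploitation are multipliers because they change how
    likely an attack is; criticality scales the impact if it succeeds.
    """
    exposure = 1.5 if p.internet_facing else 1.0
    likelihood = 2.0 if p.exploited else 1.0
    return round(p.cvss * exposure * likelihood * p.criticality, 2)


def sla_tier(score: float) -> str:
    """Assumed tiers: emergency (out-of-band), standard (next cycle), deferred."""
    if score >= 30:
        return "emergency"
    if score >= 10:
        return "standard"
    return "deferred"


def prioritize(backlog):
    """Highest risk first; ties keep their original order."""
    return sorted(backlog, key=risk_score, reverse=True)


# Constructed backlog: advisory names are placeholders, not real identifiers.
BACKLOG = [
    PendingPatch("web01",   "ADV-A", cvss=9.8, exploited=True,  internet_facing=True,  criticality=3),
    PendingPatch("db01",    "ADV-B", cvss=7.5, exploited=False, internet_facing=False, criticality=3),
    PendingPatch("kiosk01", "ADV-C", cvss=9.8, exploited=False, internet_facing=False, criticality=1),
    PendingPatch("vpn01",   "ADV-D", cvss=6.5, exploited=True,  internet_facing=True,  criticality=2),
]

if __name__ == "__main__":
    for p in prioritize(BACKLOG):
        s = risk_score(p)
        print(f"{p.asset:8} {p.advisory:6} cvss={p.cvss:<4} score={s:<6} -> {sla_tier(s)}")
```

Running it ranks web01, then vpn01 (CVSS 6.5 but exploited and exposed), then db01, and puts the isolated kiosk last despite its 9.8 score. The weights are deliberately simple; the point is that a written, repeatable rule decides what gets patched first rather than whichever ticket was opened most recently.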
2. Create a process and ensure it is followed
Have some kind of process. It doesn’t matter if it’s ITIL, or one of its derivatives, or something entirely unique, just have a process that works for your organization. While it’s good to follow an already established set of guidelines like those laid out in ITIL, the beauty of that system is its flexibility as an outline rather than a strict set of rules.
Each organization is different and as a result, each process is going to be different. What’s most important is finding a set of guidelines that works and sticking to it. Make sure the protocol that’s in place gets followed consistently and without interruption. It will become progressively easier to maintain and follow the schedule. Eventually, these processes will become ingrained within your IT management and become second nature for IT staff.
3. Be sure to have a testing process in place
Generally speaking, patches and fixes that are pushed out to commercial software go through extensive testing before reaching the end-user. Despite this, there’s no way for each developer to test the countless environments and configurations that their software ends up running in. Not every patch will integrate smoothly with every system, and regressions happen even with patches and hot-fixes thoroughly tested in-house by the vendor. To reduce the likelihood of things going haywire after a patch, a solid testing procedure for new patches is needed.
This could take different forms depending on how each piece of software is being used and how critical it is to other systems. Creating a test environment for new patches, whether it be an individual system or a small sample of systems, will pay off in the long run. The test systems should mirror production as closely as practical (same versions, same integrations, representative data), since a patch that works on a clean lab image can still break a system carrying years of local configuration. This is particularly true for service critical assets like financial or purchasing software. With a thorough in-house testing procedure, the chance of these systems having issues with a new update or patch will be greatly reduced.
4. Have a rollback procedure
In the event of the unthinkable, have a plan in place to roll back new patches on critical services or systems. It should go without saying that backups and redundancies should already be in place for these kinds of systems, and that having a procedure in place before a disaster occurs will save time, money, and potentially even jobs. Bear in mind that not every patch can simply be reversed: firmware updates, database schema changes and migrations that rewrite data often cannot be undone by reinstalling the previous version, so the rollback plan for those is a restore from a verified backup or snapshot taken immediately before the change. Remember that all the prep work in the world can’t always account for the rogue bug that slips through all the nets and throws a wrench into your systems.
5. Know your assets
Having a detailed tracking method already in place will help smooth the patch management process. An existing CMDB or similar database should be kept up-to-date at all times and record the relationships between assets (which applications depend on which databases, which hosts sit behind which load balancers, which members of a cluster are interchangeable) so that the impact of patching any one of them can be assessed quickly. Easily accessible information in this format makes deciding how a patch will impact your systems quick and easy, and it is the only reliable way to know that you have actually patched everything affected by an advisory rather than just the systems you remembered.
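As an added example of using those relationships (example code, not from the original article or any CMDB product): the small CMDB extract below is a constructed assumption in which each asset lists what it depends on and an optional `pool` groups interchangeable redundant members. From that, the code works out which assets are downstream of a patch target at all, which ones actually lose service when it goes down, and a one-at-a-time patching order for a redundant pool.

```python
"""Assess the impact of patching an asset from CMDB dependency relationships.
The CMDB extract is a constructed example, not real infrastructure."""
from collections import defaultdict

# Each record: the assets this one depends on, and the redundancy pool it belongs
# to (None means it is a single, non-redundant node).
CMDB = {
    "db01":    {"depends_on": [],               "pool": "db"},
    "db02":    {"depends_on": [],               "pool": "db"},
    "app01":   {"depends_on": ["db01", "db02"], "pool": "app"},
    "app02":   {"depends_on": ["db01", "db02"], "pool": "app"},
    "lb01":    {"depends_on": ["app01", "app02"], "pool": None},
    "batch01": {"depends_on": ["db01"],         "pool": None},
}


def blast_radius(cmdb, asset):
    """Every asset that transitively depends on `asset`, ignoring redundancy.

    This is the set of owners to notify before a change window, whether or not
    the change will actually interrupt them.
    """
    reverse = defaultdict(set)
    for name, rec in cmdb.items():
        for dep in rec["depends_on"]:
            reverse[dep].add(name)
    seen, stack = set(), [asset]
    while stack:
        for dependent in reverse[stack.pop()]:
            if dependent not in seen:
                seen.add(dependent)
                stack.append(dependent)
    return seen


def dependency_groups(cmdb, name):
    """Group an asset's dependencies by redundancy pool.

    A pooled dependency is satisfied while any member of the pool is up; an
    unpooled dependency is a group of one.
    """
    groups = defaultdict(set)
    for dep in cmdb[name]["depends_on"]:
        groups[cmdb[dep]["pool"] or dep].add(dep)
    return groups


def outage_set(cmdb, patched):
    """Assets that lose service if all of `patched` are down at once.

    Propagates to a fixed point: an asset is down when any one of its
    dependency groups has every member down.
    """
    down = set(patched)
    changed = True
    while changed:
        changed = False
        for name in cmdb:
            if name in down:
                continue
            if any(members <= down for members in dependency_groups(cmdb, name).values()):
                down.add(name)
                changed = True
    return down - set(patched)


def rolling_plan(cmdb, pool):
    """Patch pool members one at a time; report what each step would still take down."""
    members = sorted(n for n, r in cmdb.items() if r["pool"] == pool)
    return [(m, sorted(outage_set(cmdb, [m]))) for m in members]


if __name__ == "__main__":
    print("notify before patching db01:", sorted(blast_radius(CMDB, "db01")))
    print("actual outage if db01 alone is patched:", sorted(outage_set(CMDB, ["db01"])))
    print("outage if both db nodes go down together:", sorted(outage_set(CMDB, ["db01", "db02"])))
    print("rolling plan for the db pool:", rolling_plan(CMDB, "db"))
```

Run against the sample data, patching db01 on its own affects four downstream assets in principle but only interrupts batch01, which depends on db01 alone; that single point of dependency is exactly the kind of thing an up-to-date CMDB surfaces before the change window rather than after it. Patching both database nodes in the same window takes the whole stack down, which is why the rolling plan patches one pool member at a time.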
Stick to your plan!
This is just a short list of tips to help get your own patch management process going. There is a lot more guidance and prep work that goes into establishing your own patching plan. Regardless of what form your procedures take, be sure that they are regularly followed. Your own systems’ health depends on it!