Guide: Best practices for efficient patch management

Efficient patch management plays a critical role in maintaining the security and integrity of an organisation’s systems and networks. 

It helps safeguard organisations against cyber threats by keeping operating systems (OS) and applications up to date, while also addressing vulnerabilities and bugs. 

While the importance of efficient patch management is well-documented and widely accepted, many organisations struggle to patch consistently.  

The consequences can be severe. According to the 2021-2022 Annual Cyber Threat Report, the majority of significant security incidents the Australian Cyber Security Centre (ACSC) responds to are due to inadequate patching. 

Over the 2021-2022 financial year, the ACSC received over 76,000 cybercrime reports, an increase of 13% from the previous year. 

ACSC

This guide provides strategies for building an efficient patch management process. We’ll explore: 

• The importance of efficient patch management 

• The challenges of patch management 

• Best practices for efficient patch management 

• Overcoming the challenges of patch management 

The importance of efficient patch management 

For patching to be effective, organisations need streamlined processes that enable them to deploy patches consistently at scale. 

The exploitation of software vulnerabilities accounts for 42% of external attacks, while web applications serve as the entry point for 35% of these attacks.

The State of Application Security, Forrester

Cyber criminals are quick to capitalise on publicly known vulnerabilities, often developing malicious code within 48 hours of discovery. In some cases, criminals exploited known vulnerabilities within hours of being discovered. 

To combat this, the ACSC recommends deploying patches for internet-facing services within 48 hours if an exploit exists. 

Failing to respond to known vulnerabilities leaves companies at risk of a data breach. The average cost of a data breach underscores the importance of effective patch management. In Australia alone, the average cost is $3.35 million, while globally, the average cost stands at $US4.35 million (AU$6.2 million), according to IBM Security.  

Keeping operating systems (OS) and applications up to date not only enhances resilience against cyber attacks but also improves user experience. When all employees use the same OS and application versions, collaborating with team members becomes more efficient. Keeping OS and applications current streamlines licensing processes and ensures your organisation and employees can access the latest features and benefits provided by the purchased software. 

What are the challenges hindering effective patch management? 

During his 25-year career as a cyber security expert, Martin McGregor, Executive Chair and Co-Founder of Devicie, has witnessed businesses consistently grappling with the same patch management issues. 

The challenges of patch management businesses face include: 

• Misunderstanding compliance 

• Lack of resources 

• Time-consuming processes 

• Stringent patching policies 

• Inadequate communication between departments 

• Misaligned goals 

• Lack of empathy and understanding among stakeholders

Disconnect between teams and stakeholders 

Disconnect between departments and stakeholders creates a misalignment of priorities and prevents a cohesive approach to patch management.  

These silos often result in departments focusing on their specific objectives rather than the overall security of the organisation. This problem often gets overlooked but can be the catalyst for the other common problems with patch management. 

IT teams may not have influence over all stakeholders, but by understanding their motivations, they’re one step closer to designing a solution to meet everyone’s needs. 

You might recognise some of these stakeholders: 

• The C-suite or board member who’s concerned about business continuity, fines, breaches, and regulatory compliance. 

• Security leaders who are stressed about constantly evolving threats, protecting the organisation, and in some countries, being exposed to criminal charges.  

• The compliance team who can’t verify whether the organisation is meeting patching requirements, or worse, knows they aren’t. 

• The IT team members who’ve been pulled onto other projects and don’t have capacity to patch. 

• The helpdesk members with multiple requests for operating system and application updates. 

• The end users who need reliable and secure devices, but don’t have capacity to accommodate downtime. 

Stringent policies impacting patch management 

While it is necessary to have a structure guiding how and when to patch, some businesses are enforcing policies and patching processes without considering their teams’ capacity. 

“If you don’t understand the capacity of your business to achieve your patching policy, you are setting yourself, your IT team and the organisation up for failure,” says Martin. 

For example, some businesses have a policy to patch critical vulnerabilities (CVE score of nine or higher) within 24 hours across the entire organisation. While this is a commendable goal, businesses often set these patching policies without considering whether they have the capability or capacity to implement them. 

This leads to pressure on tech or service desk teams to meet a standard that’s beyond their capacity. There’s a knock-on effect. Not achieving the standards met by patching policies also puts pressure on the compliance and security teams and is often a concern for the C-suite and board. If the worst happens and a vulnerability which could have been mitigated by patching is exploited, the impact reverberates to the top of the organisation and beyond to customers and vendors and attracts the attention of regulators. 

Inadequate asset management hinders patching processes 

An organisation’s ability to patch operating systems is only as good as the visibility they have of their digital environment.  

“Without visibility or knowing the location of your assets, it’s going to be very difficult to maintain and update systems appropriately. And, if you don’t know where all these systems are, you’ll never have a complete patching approach,” Martin explains. 

The ACSC reports many organisations are unaware of the true patch status of the operating systems in their environment. This inadequate visibility means organisations may be unaware they are vulnerable to an attack. 

62% of breach victims were unaware their organisations were vulnerable prior to the data breach.

Ponemon Institute

Patching resources 

Patching is a monotonous task. When tasks are time-consuming and repetitive, it can be difficult to keep teams motivated. 

Some businesses opt to patch at night to avoid impacting employee productivity during working days. “While this allows for business continuity, tech teams are forced to work obscure hours and potentially overtime at night to complete the task. Not as a one-off, but month after month, after month. If this situation persists, you may find the tech team actively seeking other business priorities to work on to avoid patching altogether,” explains Martin. 

Patching is not effective when you take a piecemeal approach but having teams working long hours, overtime or at night to get the task done isn’t the solution. 

According to industry research, more than 50% of businesses say they are at a disadvantage in responding to vulnerabilities because they use manual patching processes. Most businesses (60%) say more time is spent navigating manual processes than responding to vulnerabilities. 

The average time to patch a vulnerability is between 60 and 150 days.

InfoSec Institute

Best practices for efficient patch management 

A pragmatic approach and collaboration between departments is key to efficient patch management. 

Break down silos and build communication streams  

Effective patch management requires a coordinated effort. With empathy and understanding as the foundation, departments can work collaboratively to implement best practices for patching. Regular communication channels, such as meetings, workshops, or knowledge-sharing sessions can facilitate the exchange of ideas, concerns and solutions.  

Communication between the compliance, security and IT teams can help establish a patching policy and processes fit for the capacity and capabilities of each team. 

Visibility and inventory management  

To adequately manage digital assets, organisations must establish a robust system for visibility and inventory management. 

This plays a pivotal role in achieving effective patch management. 

For inventory management and to gain visibility over the digital environment, organisations should: 

1. Begin by identifying and cataloguing all digital assets within the organisation and determine the individuals accountable for managing those assets.  

2. Implement an inventory solution that continuously analyses network traffic and cloud environments for new resources while collecting data or is updated by system build processes. Cross referencing these sources helps identify new devices or unauthorised systems, providing real-time visibility into the digital environment.  

3. Utilise automated scanning tools to conduct regular vulnerability scans across the digital infrastructure. These scans provide insights into potential weaknesses that could be exploited by attackers. 

4. Establish a robust patch management system to track and deploy patches across the entire fleet. This includes creating a centralised repository for patches, implementing testing procedures and defining deployment schedules. Automated patch management tools can streamline this process and ensure timely and consistent patching at scale. 

5. Establish a reporting system that alerts IT teams whenever a system or application fails to receive a patch or upgrade.  

6. Maintain a centralised configuration management system that tracks the software versions, configurations and dependencies of all assets. 

7. Implement a log monitoring and analysis solution to collect and analyse system logs, network logs, and security event logs. This helps detect any abnormalities or indicators of compromise, providing visibility into potential security breaches. 

8. Develop an incident response plan that outlines the steps to be taken in case of a security incident. This includes defining roles and responsibilities, establishing communication channels, and determining the necessary actions to mitigate and recover from an incident. 

9. Conduct periodic audits and generate reports on the state of the digital environment. Review security controls, assess compliance with organisational policies and identify areas that require improvement. 

10. Promote a culture of security awareness among employees. Conduct regular training sessions on typical topics such as identifying phishing attacks, reporting suspicious activities and adhering to security best practices. It is equally necessary to emphasise the importance of keeping systems up to date, along with the advantages. This helps fosters tolerance among stakeholders when occasional interruptions happen. It's essential for everyone to learn and adapt to working with tolerance for such situations. 

Protect critical assets and start with the crown jewels 

Systems which contain the most sensitive information are essential for business operations, need the highest level of protection. The ‘crown jewels’ are the most critical and valuable assets in an organisation’s digital infrastructure. Any compromise of these critical assets could significantly impact the business. 

“Start with critical systems, then make progress and update out from there. It does not need to be all or nothing. And, it never should be,” says Martin. 

Identifying the crown jewels enables companies to understand which systems are critical and prioritise patching accordingly. 

The key to identifying and protecting crown jewels is to adopt a risk-based approach.  

1. Conduct a comprehensive risk assessment to determine the criticality of each asset. This assessment calculates the potential impact of compromised assets and will help determine which assets should be considered crown jewels. 

2. Based on the risk assessment, define and document the crown jewels. These are the assets the business needs to operate and typically contain data considered valuable to cybercriminals. If compromised, there would be a significant impact on the operation, safety, or reputation of the organisation, their employees and potentially customers. 

3. Establish stringent access controls to ensure only authorised individuals have access to the crown jewels. This includes implementing multi-factor authentication mechanisms, role-based access controls and least privilege principles. Regularly review and update access rights based on personnel changes or shifts in responsibilities. 

4. Apply security best practices to harden the infrastructure supporting the crown jewels. This includes ensuring systems are up to date with the latest security patches, disabling unnecessary services and protocols, using strong encryption for data transmission and storage and implementing firewalls and intrusion detection systems. 

5. Utilise monitoring and detection mechanisms to continuously monitor the crown jewels to detect any potential security incidents or irregularities. 

6. Segment systems to isolate the crown jewels from the rest of the digital environment. This will reduce the attack surface, limiting the potential impact of a security breach. 

7. Ensure sensitive data associated with the crown jewels is encrypted during transmission but also when stored. Use strong encryption algorithms and secure key management practices to protect the confidentiality and integrity of the data. 

8. Conduct regular vulnerability assessments and penetration testing to identify potential weaknesses and vulnerabilities that could be exploited by malicious actors. 

9. Create a comprehensive incident response plan specifically tailored to address security incidents involving the crown jewels. This plan should include predefined actions, communication protocols, and escalation procedures to mitigate the impact of an incident effectively. 

When organisations have complete visibility over applications and operating systems, they can identify critical assets and prioritise patches with a risk-based approach. This targeted approach allows security teams to develop tailored policies. More stringent measures are applied to critical systems and this allows for a more lenient framework for less critical systems or where sensitive data is not involved. 

Understand the definition of done before creating the patching policy 

Before creating a patching policy, all departments and stakeholders need to what it means to be done. 

This allows team leaders to set realistic targets that align with the business’s capabilities and create patching processes that foster a good dynamic between all departments.  

To achieve this, there first needs to be visibility. There needs to be a clear understanding of uptime requirements, and the time and resources needed to complete a patch cycle. Team leaders need to participate in change control processes by regularly engaging and communicating with their teams and other department heads. 

“Remaining receptive to feedback, troubleshooting issues, and problem-solving are key for developing an effective patching policy,” says Martin. 

Consider a scenario where you establish a requirement for all systems to be patched within 30 days. It is crucial to fully comprehend the implications of such a mandate. For example, this may involve shutting down and restarting every system in the organisation within that 30-day timeframe. It is necessary to assess whether your business can manage such a disruption. 

If the operational impact would be too severe, it would be more reasonable to extend the patching deadline to 45 or 60 days. “The key is to maintain control and visibility over these decisions and understand the impact they have on business operations. Making informed choices demonstrates progress, maturity, and a harmonious alignment between security and business needs,” shares Martin. 

By setting and consistently achieving smaller objectives, your organisations can demonstrate their commitment to improving security practices—helping establish credibility with auditors and regulators. 

In situations where resources are constrained, organisations are encouraged to prioritise the deployment of patches.

ACSC

It’s more advantageous to set realistic and achievable goals than unattainable ones. Strive for a policy that allows the security and tech teams to consistently deliver results, including completing a patching cycle which doesn’t disrupt daily operations. You may need to revise architectural decisions and adjust infrastructure to achieve this.  

Consider automating patch management 

Automating patch management is becoming more accessible. Automated operating system patching and application updates helps businesses overcome many of the key challenges associated with patching. IT teams can avoid working late hours or overtime, minimise disruptions and prevent missed patches. Using automation, operating system patches and application updates are consistently and promptly deployed. Automating repetitive tasks decreases the potential for human error and allows IT teams to focus on higher value and more satisfying projects. 

Having operating system patching and application updates automated gives security and compliance leaders confidence in responding to security questionnaires and providing compliance reports. Achieving efficient patch management 

By prioritising patching based on risk and impact, adopting a continuous patching approach, and breaking down silos, businesses can patch effectively. Consider device management automation to relieve your IT team of the burden of repetitive patching tasks and ensure patches are always applied in a timely manner.