10 Ways to Conduct Patch Management

by Sarah Harvey / February 24th, 2020

Like with all software and technology, there are bound to be vulnerabilities found and updates needed to be made. For this reason, organizations must have a patch management plan in place. But for many entities who are just starting to create their information security management plan, or who lack the experience, personnel, or resources needed to execute patch management, they’re likely asking the basic questions like: What is patch management? How can you conduct patch management? What is the difference between automated patch management and manual patch management? Should you use patch management software? Read on to learn the answers to these questions and more.

What is Patch Management?

According to NIST, “Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems.” It involves updating pieces of code that would likely be compromised by malicious individuals and updating security features to software.

Why is Patch Management Important?

Patch management is an integral component of vulnerability management – and is something your organization must be vigilant in implementing, especially given the current cyber climate where malicious individuals and organizations are quick to compromise vulnerabilities due to patch management negligence (see breaches caused by WannaCry, Not Petya, and SamSam).

10 Steps to Conduct Patch Management

Establishing a robust patch management plan boils down to following these 10 steps:

  1. Inventory all IT assets
  2. Categorize and risk-rank assets
  3. Identify applicable patch management requirements (i.e. NIST 800-53, PCI Requirement 6.2, and SOC 2 Common Criteria 7.5)
  4. Create and implement a patch management policy
  5. Regularly monitor and scan all networks and devices to locate vulnerabilities and undiscovered patches
  6. Test patches
  7. Document all changes
  8. Implement patches
  9. Audit patches to determine if they were successful or not
  10. Report patches to stakeholders, business partners, and clients

Automated Patch Management vs. Manual Patch Management

It’s likely that patches will need to be made on a regular basis. For this reason, using automated patch management processes is the most effective way to ensure that patches are addresses on a timely, regular basis. By using an automated patch management system, your organization will also save time and financial resources. However, there are instances when manual patch management processes are also useful. For example, in the event that certain software and technologies are not supported by automated patch management, manual patch management techniques should be used.

Should You Use Patch Management Software?

Using patch management software is useful for making sure that all devices on your network are up to date. However, there are a few pitfalls to using patch management software, including:

  • Updates might not be installed across your entire infrastructure
  • The possibility of interruptions to other devices/software
  • A limited ability to patch third-party applications
  • Failing to update patch status

Staying on Top of Patches

While there are some discrepancies regarding how often you should install patches, it’s a best practice to continuously be patching software, networks, and other technologies. However, “continuously” is a rather ambiguous term. But according to a 2019 Ponemon report, only “31% of respondents are scanning more than once a month, half are only scanning quarterly or have no formal schedule at all, and less than half use up-to-date software patching to avoid data breaches.”

So, what patches should you be looking for? Most commonly, organizations should keep a close eye on patches from common OS and software providers like Microsoft, Linux, Mac, and AWS.

  • Microsoft/Windows OS: Microsoft regularly publishes software updates on Tuesdays (aka “Patch Tuesdays”) and all updates can be located here.
  • Oracle/Linux OS: Oracle houses all of their critical patch update advisories, security alerts, and bulletins here.
  • Apple/Mac OS: Apple frequently updates this list of software updates and patches.

Need a more in-depth conversation about patch management? Do you need guidance on how to implement patch management best practices? Contact us today to see how KirkpatrickPrice can keep you ahead of vulnerabilities in your software.

More Patch Management Resources

Hardening and System Patching

How to Build an IT Asset Management Plan

The Dangers of End-of-Support Operating Systems