The 15th anniversary of Patch Tuesday is coming up, and now is a good time to rethink how we approach patching as a whole, and how we prepare for Patch Tuesday specifically.
What is Patch Tuesday? It’s the industry-applied name for Microsoft's monthly scheduled release of security fixes for Windows and related software. Each patch released on Patch Tuesday contains a fix for one or more vulnerability identified by number in the Common Vulnerabilities and Exposures (CVE) system. It has been happening on the second Tuesday of each month since October 2003, and the next one is on slated for October 9, 2018.
How to Prepare for Patch Tuesday
With the ever-growing number of vulnerabilities being identified each month, preparing for Patch Tuesday is an important monthly ritual for IT and Security. To ensure that your monthly patching goes as smoothly as possible, and with minimal business interruptions, consider the following three best practices:
1. Maintain an Updated Inventory
A key first step to Patch Management as a whole, and preparing for Patch Tuesday specifically, is inventory management. Effective inventory management (also known as asset management) can help meet the challenges of adapting to constantly-changing licensing conditions versus real-world software usage. There are many tools available to enable better inventory management, including some open source tools like Osquery.
An updated inventory is crucial to ongoing operations, since software and hardware assets carry significant labor and other associated costs. Rapid depreciation, constant maintenance, updates, and relocation overhead mean that IT assets are very taxing to the organizational bottom line. From a vulnerabilities perspective, when you know your exact assets, you can keep a constant check on related vulnerabilities. If a patch in the Patch Tuesday package relates to assets you don’t have – don’t bother with it.
2. Evaluate Business Impact AND Technical Severity
All patches are not equal, and many may not even need to be applied. While Microsoft is obligated to publish patches that universally impact their own software, keep in mind that not all vulnerabilities have fixes, and even those that do may not need remediation. For each given patch, you need to evaluate the actual impact of the vulnerability it addresses, the potential impact of patch application to tangential assets, and the criticality of the asset being patched. This is particularly true given the fact that vulnerabilities that are published are often far less significant in an organization’s specific context. As with other cybersecurity efforts, the question boils down to risk vs. the cost of addressing that risk.
Every organization must find the right balance between these two priorities [business and technical]…” said Jason Bloomberg, a Forbes contributor, in a recent article. Even the most severe vulnerability may never affect your business – so make sure to evaluate both technical and business aspects and consequences before you patch.
3. Orchestrate Patch Management
Patching is extremely labor-intensive, and is far more than installing software. And it always involves coordinating teams who are managing tasks and procedures across an enterprise. With several patch management systems for Linux, Windows, MacBooks and other servers, it’s next to impossible to figure out the best way to manage this manually - without errors and missed steps causing additional problems. Moreover with testing systems and change management processes already in place for organizations, orchestrating patch management is even more challenging.
“Although the practice sounds straightforward, patch management is not an easy process for most IT organizations,” notes CSO Online contributor Mary K. Pratt in a recent article. And this is exactly why many companies have begun to invest in patching orchestration solutions, which save significant time and create an overall smoother patch management process.
In addition to the more obvious benefits, patch orchestration offers organizations better security – reducing the risk of breaches and related problems like data loss, theft, reputational damage or even legal liability. Patch orchestration also augments compliance – and is appreciated by regulators for meeting security best practices more effectively than manual patching. Finally, the automation aspect of patch orchestration simply improves overall efficiency, stability and trans-organizational processes.
The Bottom Line
15 years later, Patch Tuesday is still as relevant as it was in 2003. However, the way organizations manage patching has changed dramatically, as have the threats they’re facing. If applying every single patch was once a given, today organizations have learned to be more selective and strategic in the way they evaluate, assess, prioritize and implement patches.