Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4 Steps For Trimming Patch Management Time

The heat is on to protect your systems from the newest exploits; here's a look at how to speed up patching without causing problems

Special to Dark Reading

The time it takes hackers to exploit a vulnerability continues to shrink. While there's not a lot you can do to speed up the time it takes vendors to develop and distribute a patch, there are reasonable and prudent measures that can reduce the amount of time it takes to deploy it. Yet expediting the patch process remains one of the key factors in mitigating risk and remediating vulnerabilities.

How much time can -- or should -- you trim from the process, and what are the benefits and risks of speeding up patch deployment? Depending on the nature of systems, resources, and configurations, the answer to that question will vary from organization to organization, and often among data centers and operational groups within organizations.

There are steps you can take to whittle away at patch deployment time and without introducing the risks -- some of them potentially catastrophic, such as system or network downtime -- of deploying patches too quickly. Testing every patch, for instance, takes time, but undoing the unwanted effects of an untested patch -- a router patch, for instance, that crashes your router -- takes far more time. Make sure, as well, that the vendor has tested the patch that's being released: A few years ago, Microsoft scrambled to patch an Internet Explorer bug that fixed one vulnerability but opened up another one. Keep an eye on the news as you're keeping an eye on your test beds: Flawed patches tend to get attention quickly.

Following are four simple steps that can save time while increasing the likelihood of effective and untroubled patch deployment.

1. Level the patching field.

Not all systems or configurations are created equal, with some of the most critical bringing their own time requirements and timing factors into the patch process. Scheduling a patch deployment for the PCs in your accounting and bookkeeping departments is less disruptive than finding a convenient time to patch the Exchange Server that your entire business depends on to generate the money the bookkeepers are tracking.

Having a solid and ongoing sense of your organization's systems and configurations, most critical and less-than-critical apps, and, above all, the level of risk that vulnerabilities carry is perhaps the most important step you can take to prioritize your patching process, moving the most likely exploited vulnerabilities to the head of the patch list, which buys you time in the scheduling of less-critical patches. A critical Windows server patch, for instance, would rank as a high-priority patch over patching an application used by just one department.

"An effective patch priority strategy follows the lines of disaster recovery and business continuity planning," says Ranny Grubb, CTO at Virtual IT. "Patch prioritizing requires applying the most effort toward the applications that your business is most reliant on for continued operation."

Grubb suggests that patch scheduling and timing match the level of risk the vulnerable application poses. "Be aware of where your most significant exposure lies, which is most frequently on the perimeter, where your systems meet the Internet," he says. "Internal applications, which are not accessed, externally are important, but not as time-critical in terms of patching as those exposed to the larger world."

Time-saver: Develop a patch priority list based on business criticality: Your business continuity/disaster recovery plan is a good starting place for establishing a hierarchy of patch deployments that will see the most critical exposures patched first, with lower risk or lower exposure vulnerabilities patched on a less fast-paced (and, ironically, less time-consuming) schedule.

2. Know which systems impose their own patch schedule.

Not all systems or configurations are created equal, either, with some of the most critical bringing their own time requirements and timing factors into the patch process. Does deploying a patch require a reboot of affected systems? Does patch deployment and vulnerability remediation call for taking down a critical server or other component?

By knowing in advance that server A, for example, is down for regular maintenance for a certain amount of time every week (or other period), you also know in advance the likeliest and most efficient time to deploy a necessary patch.

This information itself can exert advantageous ripple effects throughout your overall patch process and efforts to reduce patch deployment time. In "The Laws of Vulnerabilities 2.0," Qualys CTO Wolfgang Kandek notes that, "Remediation may not be possible on all systems, such as those with criticality or uptime constraints. Consequently, IT administrators should segment their systems into fast patch and slow patch pools and review the possibility of using mitigating technologies for protecting the slower patch pools. The existence of a fast patch pool has the additional benefit of gathering additional in-house experience related to the application of the patch and its potential side effects."

In other words, while you're waiting to patch one system, use your resources to patch others.

Time-saver: Maintain a list of critical systems' regular maintenance and planned downtime schedules, and plan patch deployment accordingly, dealing with other more readily available systems in the meantime. Review and update system maintenance schedules (and their effect on other schedules) on a regular basis.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13545
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, improper validation of data may cause the system to write outside the intended buffer area, which may allow arbitrary code execution.
CVE-2019-13541
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, an improper input validation vulnerability has been identified that may be exploited by processing files lacking user input validation. This may allow an attacker to access information and remotely execute arbitrary code.
CVE-2019-17367
PUBLISHED: 2019-10-18
OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/.
CVE-2019-17393
PUBLISHED: 2019-10-18
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and pa...
CVE-2019-17526
PUBLISHED: 2019-10-18
** DISPUTED ** An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').pop...