Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4 Steps For Trimming Patch Management Time

The heat is on to protect your systems from the newest exploits; here's a look at how to speed up patching without causing problems

Special to Dark Reading

The time it takes hackers to exploit a vulnerability continues to shrink. While there's not a lot you can do to speed up the time it takes vendors to develop and distribute a patch, there are reasonable and prudent measures that can reduce the amount of time it takes to deploy it. Yet expediting the patch process remains one of the key factors in mitigating risk and remediating vulnerabilities.

How much time can -- or should -- you trim from the process, and what are the benefits and risks of speeding up patch deployment? Depending on the nature of systems, resources, and configurations, the answer to that question will vary from organization to organization, and often among data centers and operational groups within organizations.

There are steps you can take to whittle away at patch deployment time and without introducing the risks -- some of them potentially catastrophic, such as system or network downtime -- of deploying patches too quickly. Testing every patch, for instance, takes time, but undoing the unwanted effects of an untested patch -- a router patch, for instance, that crashes your router -- takes far more time. Make sure, as well, that the vendor has tested the patch that's being released: A few years ago, Microsoft scrambled to patch an Internet Explorer bug that fixed one vulnerability but opened up another one. Keep an eye on the news as you're keeping an eye on your test beds: Flawed patches tend to get attention quickly.

Following are four simple steps that can save time while increasing the likelihood of effective and untroubled patch deployment.

1. Level the patching field.

Not all systems or configurations are created equal, with some of the most critical bringing their own time requirements and timing factors into the patch process. Scheduling a patch deployment for the PCs in your accounting and bookkeeping departments is less disruptive than finding a convenient time to patch the Exchange Server that your entire business depends on to generate the money the bookkeepers are tracking.

Having a solid and ongoing sense of your organization's systems and configurations, most critical and less-than-critical apps, and, above all, the level of risk that vulnerabilities carry is perhaps the most important step you can take to prioritize your patching process, moving the most likely exploited vulnerabilities to the head of the patch list, which buys you time in the scheduling of less-critical patches. A critical Windows server patch, for instance, would rank as a high-priority patch over patching an application used by just one department.

"An effective patch priority strategy follows the lines of disaster recovery and business continuity planning," says Ranny Grubb, CTO at Virtual IT. "Patch prioritizing requires applying the most effort toward the applications that your business is most reliant on for continued operation."

Grubb suggests that patch scheduling and timing match the level of risk the vulnerable application poses. "Be aware of where your most significant exposure lies, which is most frequently on the perimeter, where your systems meet the Internet," he says. "Internal applications, which are not accessed, externally are important, but not as time-critical in terms of patching as those exposed to the larger world."

Time-saver: Develop a patch priority list based on business criticality: Your business continuity/disaster recovery plan is a good starting place for establishing a hierarchy of patch deployments that will see the most critical exposures patched first, with lower risk or lower exposure vulnerabilities patched on a less fast-paced (and, ironically, less time-consuming) schedule.

2. Know which systems impose their own patch schedule.

Not all systems or configurations are created equal, either, with some of the most critical bringing their own time requirements and timing factors into the patch process. Does deploying a patch require a reboot of affected systems? Does patch deployment and vulnerability remediation call for taking down a critical server or other component?

By knowing in advance that server A, for example, is down for regular maintenance for a certain amount of time every week (or other period), you also know in advance the likeliest and most efficient time to deploy a necessary patch.

This information itself can exert advantageous ripple effects throughout your overall patch process and efforts to reduce patch deployment time. In "The Laws of Vulnerabilities 2.0," Qualys CTO Wolfgang Kandek notes that, "Remediation may not be possible on all systems, such as those with criticality or uptime constraints. Consequently, IT administrators should segment their systems into fast patch and slow patch pools and review the possibility of using mitigating technologies for protecting the slower patch pools. The existence of a fast patch pool has the additional benefit of gathering additional in-house experience related to the application of the patch and its potential side effects."

In other words, while you're waiting to patch one system, use your resources to patch others.

Time-saver: Maintain a list of critical systems' regular maintenance and planned downtime schedules, and plan patch deployment accordingly, dealing with other more readily available systems in the meantime. Review and update system maintenance schedules (and their effect on other schedules) on a regular basis.

 

Recommended Reading:

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13288
PUBLISHED: 2020-08-12
In GitLab before 13.0.12, 13.1.6, and 13.2.3, a stored XSS vulnerability exists in the CI/CD Jobs page
CVE-2020-13290
PUBLISHED: 2020-08-12
In GitLab before 13.0.12, 13.1.6, and 13.2.3, improper access control was used on the Applications page.
CVE-2020-13291
PUBLISHED: 2020-08-12
In GitLab before 13.2.3, project sharing could temporarily allow too permissive access.
CVE-2020-6294
PUBLISHED: 2020-08-12
Xvfb of SAP Business Objects Business Intelligence Platform, versions - 4.2, 4.3, platform on Unix does not perform any authentication checks for functionalities that require user identity.
CVE-2020-6295
PUBLISHED: 2020-08-12
Under certain conditions the SAP Adaptive Server Enterprise, version 16.0, allows an attacker to access encrypted sensitive and confidential information through publicly readable installation log files leading to a compromise of the installed Cockpit. This compromise could enable the attacker to vie...