Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4 Steps For Trimming Patch Management Time

The heat is on to protect your systems from the newest exploits; here's a look at how to speed up patching without causing problems

Special to Dark Reading

The time it takes hackers to exploit a vulnerability continues to shrink. While there's not a lot you can do to speed up the time it takes vendors to develop and distribute a patch, there are reasonable and prudent measures that can reduce the amount of time it takes to deploy it. Yet expediting the patch process remains one of the key factors in mitigating risk and remediating vulnerabilities.

How much time can -- or should -- you trim from the process, and what are the benefits and risks of speeding up patch deployment? Depending on the nature of systems, resources, and configurations, the answer to that question will vary from organization to organization, and often among data centers and operational groups within organizations.

There are steps you can take to whittle away at patch deployment time and without introducing the risks -- some of them potentially catastrophic, such as system or network downtime -- of deploying patches too quickly. Testing every patch, for instance, takes time, but undoing the unwanted effects of an untested patch -- a router patch, for instance, that crashes your router -- takes far more time. Make sure, as well, that the vendor has tested the patch that's being released: A few years ago, Microsoft scrambled to patch an Internet Explorer bug that fixed one vulnerability but opened up another one. Keep an eye on the news as you're keeping an eye on your test beds: Flawed patches tend to get attention quickly.

Following are four simple steps that can save time while increasing the likelihood of effective and untroubled patch deployment.

1. Level the patching field.

Not all systems or configurations are created equal, with some of the most critical bringing their own time requirements and timing factors into the patch process. Scheduling a patch deployment for the PCs in your accounting and bookkeeping departments is less disruptive than finding a convenient time to patch the Exchange Server that your entire business depends on to generate the money the bookkeepers are tracking.

Having a solid and ongoing sense of your organization's systems and configurations, most critical and less-than-critical apps, and, above all, the level of risk that vulnerabilities carry is perhaps the most important step you can take to prioritize your patching process, moving the most likely exploited vulnerabilities to the head of the patch list, which buys you time in the scheduling of less-critical patches. A critical Windows server patch, for instance, would rank as a high-priority patch over patching an application used by just one department.

"An effective patch priority strategy follows the lines of disaster recovery and business continuity planning," says Ranny Grubb, CTO at Virtual IT. "Patch prioritizing requires applying the most effort toward the applications that your business is most reliant on for continued operation."

Grubb suggests that patch scheduling and timing match the level of risk the vulnerable application poses. "Be aware of where your most significant exposure lies, which is most frequently on the perimeter, where your systems meet the Internet," he says. "Internal applications, which are not accessed, externally are important, but not as time-critical in terms of patching as those exposed to the larger world."

Time-saver: Develop a patch priority list based on business criticality: Your business continuity/disaster recovery plan is a good starting place for establishing a hierarchy of patch deployments that will see the most critical exposures patched first, with lower risk or lower exposure vulnerabilities patched on a less fast-paced (and, ironically, less time-consuming) schedule.

2. Know which systems impose their own patch schedule.

Not all systems or configurations are created equal, either, with some of the most critical bringing their own time requirements and timing factors into the patch process. Does deploying a patch require a reboot of affected systems? Does patch deployment and vulnerability remediation call for taking down a critical server or other component?

By knowing in advance that server A, for example, is down for regular maintenance for a certain amount of time every week (or other period), you also know in advance the likeliest and most efficient time to deploy a necessary patch.

This information itself can exert advantageous ripple effects throughout your overall patch process and efforts to reduce patch deployment time. In "The Laws of Vulnerabilities 2.0," Qualys CTO Wolfgang Kandek notes that, "Remediation may not be possible on all systems, such as those with criticality or uptime constraints. Consequently, IT administrators should segment their systems into fast patch and slow patch pools and review the possibility of using mitigating technologies for protecting the slower patch pools. The existence of a fast patch pool has the additional benefit of gathering additional in-house experience related to the application of the patch and its potential side effects."

In other words, while you're waiting to patch one system, use your resources to patch others.

Time-saver: Maintain a list of critical systems' regular maintenance and planned downtime schedules, and plan patch deployment accordingly, dealing with other more readily available systems in the meantime. Review and update system maintenance schedules (and their effect on other schedules) on a regular basis.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.