Server Patching Best Practices for Enterprise Patch Management
Park Place Technologies
Malicious cyberattacks continue to make headlines. It seems like there is a massive new breach every month or so. The truth is that cyberattacks can happen to any business at any time. And although there are very few universal truths when it comes to information technology, one of the best ways to reduce your risk is through timely server patching and firmware updates.
Enterprise patch management is not particularly glamorous. It doesn’t get the same attention that anti-malware and DevSecOps Tool Chains do, but it’s even more important. Patching servers ensures that you’re able to eliminate potential vulnerabilities before they are exploited by bad actors.
Of course, patch management is not a simple thing. You’ll need the right strategy and program in place, and you must ensure that you’re adapting best practices to your business needs. We’ve developed a list of the most critical steps for patching cycles, as well as a rundown of the benefits of patch management for your servers.
What Is Patching?
Let’s start with an overarching definition. Patching is the act of applying a change to installed software – such as firmware, operating systems, or applications – that corrects security or functionality problems and in some cases adds new capabilities.
Now consider this: when the operating systems (OS) of your servers, network, and storage are developed, programmers write code to achieve functionalities. In some instances, that code can be exploited by human attackers and malicious software.
Original equipment manufacturers (OEMs) and software vendors regularly roll out updates that fix those operating system issues so that bad actors cannot exploit them. These updates are called “patches.” So, patching is nothing more than applying the updates delivered by the software authors.
That’s something of an oversimplification because patching is a complex process that applies to all network connected devices in your organization (anything with an IP address should be considered). Every application your organization uses will also require patches and updates to protect against vulnerability exploits. Orchestrating the installation of those patches while minimizing downtime is critical and yet very challenging.
Why Patch Management Is Important
Why is enterprise patch management so important? First, patching can improve server, network, storage, and application performance. It can also increase functionality – some updates deliver new functionality or expand existing capabilities.
However, the most important reason to practice good patch management habits is to reduce security vulnerabilities. According to recent vulnerability response research, up to 60% of companies experiencing a data breach were aware of security-related patches that had not been implemented.
Patch Management vs. Change Management
Patch management is the technical process of managing and implementing software updates for servers, network, storage, and applications. Change management, on the other hand, is the business process used to plan, approve, communicate, test, and orchestrate the implementation of those patches. They work together to ensure that patches are applied correctly, promptly, and without a detrimental effect on the organization, such as unexpected downtime.
7 Best Practices for Server Patching
While patching is critically important, it’s just as important that you do so correctly. Patch management industry standards help you address security vulnerabilities as soon as patches are available from the vendor. Below, we’ve outlined the most important patch management best practices as recommended by the National Institute of Standards and Technology (NIST).
1. Take Inventory
The first step is to take inventory. You should know the number of devices and applications within your organization that will need updates over time, but this type of patch management audit goes even deeper. It’s important to explore the dependencies between those assets so you can predict what will happen when a particular device or application is not available due to an ineffective IT patching process.
2. Assess Risk
Next, assess the risk for each component you identified. For instance, is a server at greater risk than a particular app used on just a few workstations? Some of the things you’ll want to consider during this stage include:
- How easily a vulnerability can be exploited.
- The duration of time in which a system has been left unpatched.
- If the system accesses the Internet.
- The results of vulnerability scans.
By assessing the risk level for each component and system identified during your inventory, you can create an accurate schedule.
3. Establish a Schedule
How often should you perform patch management? Use what you learned in the previous steps to establish a schedule for updating your systems and components. What should that schedule look like?
Recommended Patch Schedule
The recommended patching schedule should look something like this:
- Once per month, update desktop operating systems, malware and antivirus software, security tooling, VPN clients, and client applications.
- Once per month, update server operating systems and applications.
- Every quarter, update physical and virtual appliances, management tooling, and hypervisors.
- Every six months, update your infrastructure firmware, drivers, and management software.
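The first three steps can be combined into a single prioritized patch queue. The sketch below is an added example, not part of the original article or any Park Place tooling: it scores each inventoried asset on the four risk factors listed under step 2, measures time unpatched against the cadence from the recommended schedule, and uses the dependency map from step 1 to count the systems that rely on each asset. The weights, field names, and host names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Days between patch cycles per asset class, from the schedule above
# (monthly ~30, quarterly ~90, every six months ~180).
CADENCE_DAYS = {"desktop": 30, "server": 30, "appliance": 90, "firmware": 180}

@dataclass
class Asset:
    name: str
    kind: str              # key into CADENCE_DAYS
    exploitability: float  # 0.0-1.0, e.g. normalized from scanner output
    days_unpatched: int
    internet_facing: bool
    scan_findings: int     # open findings from the last vulnerability scan
    depends_on: list = field(default_factory=list)

def dependents(target, assets):
    """Names of assets that directly or transitively depend on `target`."""
    found, frontier = set(), {target}
    while frontier:
        frontier = {a.name for a in assets
                    if set(a.depends_on) & frontier and a.name not in found}
        found |= frontier
    return found

def risk_score(asset, assets):
    """Weighted 0-100 score; the weights are illustrative assumptions."""
    overdue = min(asset.days_unpatched / CADENCE_DAYS[asset.kind], 2.0) / 2.0
    score = 40 * asset.exploitability + 20 * overdue
    score += 20 if asset.internet_facing else 0
    score += 2 * min(asset.scan_findings, 5)
    score += 2 * min(len(dependents(asset.name, assets)), 5)
    return round(score, 1)

def patch_queue(assets):
    """(score, name) pairs, highest risk first; ties broken by name."""
    return sorted(((risk_score(a, assets), a.name) for a in assets),
                  key=lambda t: (-t[0], t[1]))

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    Asset("web-01", "server", 0.9, 45, True, 4, depends_on=["db-01"]),
    Asset("db-01", "server", 0.6, 60, False, 2, depends_on=["san-fw"]),
    Asset("san-fw", "firmware", 0.3, 200, False, 1),
    Asset("hr-laptop", "desktop", 0.5, 10, False, 0),
]

if __name__ == "__main__":
    for score, name in patch_queue(INVENTORY):
        print(f"{score:5.1f}  {name}")
```

The dependent count also shows which maintenance windows need coordination: in the sample data, taking san-fw down for a firmware update affects both db-01 and web-01.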
4. Create a Patch Management Policy
In addition to implementing an informed patch schedule, it’s also important that your organization adheres to patch management policy best practices. This policy should spell out when systems and components should be scanned, how patches are applied, how to determine priority in specific situations, and more.
NIST Patch Management Policy
The National Cybersecurity Center of Excellence (NCCoE) has recently released two new final publications on enterprise patch management policy and standards.
NIST Special Publication (SP) 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology recommends that leadership at all levels of an organization, along with business/mission owners and security/technology management teams, should jointly create an enterprise strategy that simplifies and operationalizes patching while also improving its reduction of risk.
NIST SP 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways, demonstrates how tools can be used to implement the patching capabilities described in SP 800-40 Revision 4. It also shows how organizations can use commercial tools for routine and emergency patching situations, as well as implementing temporary alternatives to patching.
Both documents reflect the importance of a timely patch management strategy and policy for organizations striving to maintain a robust cybersecurity posture.
5. Track Patch Availability
It’s impossible to keep your servers up to date with the latest patches if you’re unsure about when those patches are released. Patch availability tracking ensures that you know what patches are being released and when. You can then create a schedule that ensures high-priority patches are installed as quickly as possible while creating an overall plan for lower-priority patches.
Remember that every vendor will have a different patch/update release schedule. Most of them publish this information to their websites, but some may also communicate their update schedule in less typical ways.
Tracking patch availability will require that you have a process in place to monitor vendor communications so you can keep tabs on when updates and patches will be made available.
6. Centralize Patch Management
Centralized patch management is a solution designed to help limit the time and effort required to implement patches across your organization. This is a software-based approach that eliminates the need to manually apply patches; it works across multiple operating systems and can even work in the cloud.
7. Automate Patch Management
Automated patch management is the next step up from centralized patch management. Like centralized solutions, automated solutions rely on advanced software to eliminate manual updates. However, in this situation, you allow the software to handle all aspects of patching and updating. This ensures that your systems are always up to date and that you’re able to minimize security vulnerabilities quickly.
Choosing the Right Patch Management Partner
It’s clear that successful patch management is integral to finding and addressing security vulnerabilities along with improving software performance. But despite widespread recognition that patching is effective and that attackers regularly exploit unpatched software, many organizations do not have the resources to keep up with regular patching. The good news? You don’t have to be responsible for your organization’s patch management any longer.
IT infrastructure managed services from Park Place Technologies streamline IT operations by simplifying the management of compute environments and providing you with incident management, patch management, and remediation. Our 7×24 Enterprise Operations Center (EOC) engineers, combined with our robust monitoring tools, will keep watch over your servers and perform regular patches to free up integral team members for more important projects focused on innovation, not maintenance. OS Patching specifically is currently available under our Plus (Defined Remediation) and Full (Enterprise Management) ParkView™ support tiers.
Looking to take patch management off your IT team’s to-do list? Contact Park Place Technologies today to get a quote and learn more about what our IT infrastructure managed services with OS Patching can do for your organization!