
Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware. From a security perspective, patches are most often of interest because they are mitigating software flaw vulnerabilities; applying patches to eliminate these vulnerabilities significantly reduces the opportunities for exploitation. Also, patches are usually the most effective way to mitigate software flaw vulnerabilities, and are often the only fully effective solution.
Patch management is mostly carried out by software companies as part of their internal efforts to fix problems in the different versions of their software programs, and also to help analyse existing programs and detect any missing security features or other needed upgrades.
Patches serve other purposes than just fixing software flaws; they can also add new features to software and firmware, including security capabilities. New features can also be added through upgrades, which bring software or firmware to a newer version in a much broader change than just applying a patch. Vendors often stop supporting older versions of their products, which includes no longer releasing patches to address new vulnerabilities, thus making older unsupported versions less usable over time. Upgrades are then necessary to get such products to a supported version that is patched.
Factors affecting organisational patch management
Components and Architecture
Enterprise patch management technologies are similar architecturally to other enterprise security solutions: one or more centralized servers that provide management and reporting, and one or more consoles. What distinguishes enterprise patch management technologies from each other architecturally are the techniques they use to identify missing patches. The three techniques are agent-based, agentless scanning, and passive network monitoring. Many products support only one of these techniques, while other products support more than one.
Organisational factors
A number of organisational factors come into play when considering IT security solutions, including the size of the organisation, the distribution of its assets, its current infrastructure and the applications in use, industry and compliance requirements, and the skill set of the internal IT department.
Management Capabilities
Once a patch management technology has been selected, its administrators should design a solution architecture, perform testing, deploy and secure the solution, and maintain its operations and security. This section highlights issues of particular interest with administration—implementation, operation, and maintenance—of patch management technologies, and provides recommendations for performing them effectively and efficiently.
Usability and Availability
Organisations should balance their security needs with their needs for usability and availability. For example, installing a patch may “break” other applications; this is best addressed by testing patches before deployment. Another example is that forcing application restarts, OS reboots, and other host (computers, mobiles, servers or any other IP-connected asset) state changes is disruptive and could cause loss of data or services. Again, organisations need to balance the need to get patches applied with the need to support operations.
Other Capabilities
Many host-based products that have patch management capabilities also provide a variety of other security capabilities, such as antivirus software, configuration management, and vulnerability scanning. Patch management technologies typically have capabilities for identifying which software and versions of software are installed on each host, or alternatively, just identifying vulnerable versions of software that are installed. In addition, some products have features for installing new versions of software, installing or uninstalling software features, and uninstalling software.
Key questions an organisation must ask when evaluating the effectiveness of its current patch management system
• How often are hosts checked for missing updates?
• How often are asset inventories for host applications updated?
• What is the minimum/average/maximum time to apply patches to X% of hosts?
• What percentage of the organization’s desktops and laptops are patched within X days of patch release? Y days? Z days? (where X, Y, and Z are different values, such as 10, 20, and 30)
• On average, what percentage of hosts are fully patched at any given time? Percentage of high impact hosts? Moderate impact? Low impact?
• What percentage of patches are applied fully automatically, versus partially automatically, versus manually?
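As an added illustration that is not part of the original text, the questions above can be turned into measurable metrics computed from a per-host patch-status inventory. The script below is constructed for this page: the hostnames, dates, impact levels and deployment methods are made-up sample data, and a host counts as patched when the single patch under review is installed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class PatchStatus:
    host: str
    impact: str              # "high", "moderate" or "low" impact host
    released: date           # vendor patch release date
    applied: Optional[date]  # installation date; None = patch still missing
    method: str              # "auto", "partial" or "manual" deployment

REL = date(2024, 3, 1)  # constructed release date of one hypothetical patch
# Constructed sample inventory: one row per host for that single patch
INVENTORY = [
    PatchStatus("ws-01", "low", REL, date(2024, 3, 5), "auto"),
    PatchStatus("ws-02", "low", REL, date(2024, 3, 13), "auto"),
    PatchStatus("ws-03", "moderate", REL, date(2024, 3, 26), "partial"),
    PatchStatus("lt-01", "moderate", REL, date(2024, 3, 9), "auto"),
    PatchStatus("lt-02", "moderate", REL, None, "auto"),
    PatchStatus("srv-01", "high", REL, date(2024, 3, 4), "manual"),
    PatchStatus("srv-02", "high", REL, None, "manual"),
    PatchStatus("db-01", "high", REL, date(2024, 4, 10), "manual"),
]

def _pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def pct_patched_within(records, days):
    """Percentage of hosts patched within `days` of release (the X/Y/Z-day metric)."""
    hit = sum(1 for r in records if r.applied and (r.applied - r.released).days <= days)
    return _pct(hit, len(records))

def apply_time_stats(records):
    """(min, average, max) days to apply, over hosts that have the patch installed."""
    times = [(r.applied - r.released).days for r in records if r.applied]
    return (min(times), round(sum(times) / len(times), 1), max(times)) if times else None

def pct_patched_by_impact(records):
    """Percentage of hosts with the patch installed, overall and per impact level."""
    out = {"all": _pct(sum(r.applied is not None for r in records), len(records))}
    for level in ("high", "moderate", "low"):
        group = [r for r in records if r.impact == level]
        out[level] = _pct(sum(r.applied is not None for r in group), len(group))
    return out

def pct_by_method(records):
    """Share of installed patches applied fully automatically, partially or manually."""
    done = [r for r in records if r.applied is not None]
    return {m: _pct(sum(r.method == m for r in done), len(done)) for m in ("auto", "partial", "manual")}
```

Running the functions over the sample inventory answers the X/Y/Z-day, min/average/maximum, per-impact and per-method questions directly; hosts still missing the patch are excluded from the timing figures but count against the coverage percentages.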
