This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
We’re in an era in which pre-packaged exploit services make it possible for the average Joe, with no technological experience or prowess, to launch intricate attacks on our environments. So, what can be done? Patching operating systems and applications is a surefire way to block some attacks. But you need to do more than blast out auto updates.
Here are seven patch management best practices that take your organization’s cybersecurity to the next level:
#1 Use a proper discovery service
You can’t secure what you don’t know about. The only way to know whether a breach or vulnerability exists is to employ broad discovery capabilities. A proper discovery service combines active and passive discovery and can identify physical, virtual, on-premise and off-premise systems that access your network. Building this current inventory of production systems, including IP addresses, OS types and versions and physical locations, keeps your patch management efforts up to date, and you should re-inventory your network on a regular basis. If one computer in the environment misses a patch, it can threaten the stability of them all, even curbing normal functionality.
#2 Use heterogeneous OS platform support
As you look to create an inventory and use proper discovery tools, you should ensure this includes a wide list of vendors and OS systems. Windows is no longer the sole preferred operating system, and, as a result, you can no longer get away with just supporting Windows. Apple’s Mac is prevalent for end users in many businesses today across the globe, and MacOS may be more susceptible to pernicious cyber activities like malware than many suspect.
A 2015 JAMF survey of IT pros found that 96% of enterprise IT professionals support Macs. Other operating systems are also making their way into the limelight. Linux and Unix often make up 5% to 35% of the data center footprint in large enterprises, depending on the region of the world, and Ubuntu is an up and coming Linux distribution being used as an end user system. You should support all of these types of operating systems within your patch management strategy.
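As an added example (not code from the article or from any vendor) of the reconciliation described in #1 and the platform-coverage check in #2, the script below merges an active scan feed with passive DHCP-lease observations, compares the result with the asset inventory to surface unmanaged and stale hosts, and tallies discovered hosts per OS family. The record layout (ip, hostname, os) and all sample data are constructed.

```python
# Added example (not from the article): merge active and passive discovery feeds,
# reconcile with the asset inventory, tally OS coverage. All data is constructed.
from dataclasses import dataclass, field

@dataclass
class Host:
    ip: str
    hostname: str = ""
    os: str = "unknown"
    sources: set = field(default_factory=set)

def merge_discovery(*feeds):
    """Merge (source_name, records) feeds keyed by IP. A host seen by several
    sources keeps every source tag and the first non-unknown OS fingerprint."""
    merged = {}
    for source, records in feeds:
        for rec in records:
            h = merged.setdefault(rec["ip"], Host(ip=rec["ip"]))
            h.sources.add(source)
            h.hostname = h.hostname or rec.get("hostname", "")
            if h.os == "unknown":
                h.os = rec.get("os", "unknown")
    return merged

def reconcile(discovered, inventory):
    """Hosts on the network that the inventory lacks (unmanaged, so unpatched)
    and inventory entries nothing on the network reports any more (stale)."""
    unmanaged = sorted(ip for ip in discovered if ip not in inventory)
    stale = sorted(ip for ip in inventory if ip not in discovered)
    return unmanaged, stale

def os_coverage(discovered):
    """Hosts per OS family, so non-Windows platforms are visibly in scope."""
    counts = {}
    for h in discovered.values():
        counts[h.os] = counts.get(h.os, 0) + 1
    return counts

# Constructed sample feeds: an active scan and passive DHCP-lease observations
ACTIVE_SCAN = [{"ip": "10.0.0.5", "hostname": "fileserv", "os": "Windows"},
               {"ip": "10.0.0.9", "os": "Linux"}]
PASSIVE_DHCP = [{"ip": "10.0.0.9", "hostname": "build01"},
                {"ip": "10.0.0.42", "hostname": "macbook-jdoe", "os": "macOS"}]
INVENTORY = {"10.0.0.5": "fileserv", "10.0.0.7": "retired-dc"}

if __name__ == "__main__":
    found = merge_discovery(("active", ACTIVE_SCAN), ("passive", PASSIVE_DHCP))
    print("unmanaged/stale:", reconcile(found, INVENTORY))
    print("OS coverage:", os_coverage(found))
```

The passive feed fills in the hostname the active scan missed, while the macOS laptop seen only by DHCP shows up as unmanaged and the retired domain controller as a stale inventory entry.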
#3 Perform application patching
Though many companies have implemented OS platform support and discovery services, the limitation for many lies in only accounting for the OS and applications from a specific OS vendor and ignoring third-party software. Take Windows, for example; as much as 80% of software vulnerabilities can come from non-Microsoft applications running on Windows, which means you not only need comprehensive OS coverage, but also comprehensive application coverage.
BYOD further complicates the picture, as users bring different applications running on different operating systems that aren’t owned or controlled by IT.
Vendors such as Adobe, Google, Oracle and Mozilla are highly prevalent in corporate environments, have many vulnerabilities that need to be addressed and are more highly targeted by attackers. As an example, in 2015, Flash player exploits made up as much as 70% of the exploits in Angler, an off-the-shelf exploit framework that was available on the black market but recently met its demise.
In these cases, relying on auto updaters is not an option: they can be disabled, ignored by users, or simply break. Even widely used auto updaters break; Google Chrome’s auto update mechanism broke in 2016 for a period of six months or more. Many vulnerabilities can accumulate in that time, making a system perfect prey for the cyber-criminal.
#4 Apply coverage on and off premise
Patching your OS and applications can mean nothing, however, if not done for every computer in every location. As IT enables users to leave the network or even work remotely without ever touching the network, it still needs to secure these users as if they were on premise. Patch management systems and other security controls should provide the same level of coverage and control off premise as they do on premise.
A zero-day exploit can happen at any time and you can’t predict when a user will be back on network or connect to VPN and bring these security threats to the rest of the network. In today’s increasingly dispersed workforce, in which many end users are in various locations off-premise, it’s essential that you treat all end users the same to avoid unanticipated breaches.
#5 Patch every week
As more end user systems can leave the network, patching frequency becomes more important. You may be following the patching patterns of prominent tech influencers, but they could be wrong for you. Microsoft may keep to a predictable security patch release cycle (Patch Tuesday, second Tuesday of every month, except February 2017), but most other vendors have unpredictable release schedules. Oracle releases its quarterly patches on the first month of the quarter and Adobe releases quarterly in sync with Microsoft Patch Tuesday. Google and Mozilla don’t have set schedules, releasing as each branch matures and is ready to launch.
Each of these companies clearly has its own schedule that works for its specific software, but their frequencies are not right for everyone. For those who want to make patching frequency a main part of their security strategy, releasing new patches twice weekly is a great approach, which can especially help protect laptops.
#6 Be agentless in the data center
Servers are quite a bit different as far as patch management needs go. Server admins often don’t like to add agents to their systems, and there’s a need to support portions of the virtual infrastructure that an agent cannot operate on, such as templates and offline virtual machines (VMs). What’s more, installing an agent on every VM can stress network resources and degrade network performance. What’s needed is a blend of the two: a flexible architecture that allows both agentless and agent-based support for servers is ideal.
#7 Mitigate after exceptions
Regardless of agent or agentless support, you often need to make exceptions while patching. But in today’s security environment, you can’t stop at an exception; you need to include mitigation in that exception. For instance, a patch to a core component could break something, leading to an exception that keeps Java 7 from being updated past update 63. In this case, you can allow Java to remain on the old version while, as mitigation, locking down user permissions on the system, removing direct Internet access and applying whitelisting to stop unknown or untrusted payloads from executing, all of which reduce the risk. Remember that exceptions are not the end of the patching process.
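One way to make "exception plus mitigation" enforceable is to gate every exception record on documented compensating controls and a review date, as in this added example (not code from the article or any vendor). The control names, the record layout and the sample register for the Java 7 update 63 case are constructed assumptions.

```python
# Added example (not from the article): gate a patch exception on documented
# compensating controls. Control names and record layout are assumptions;
# the exception records are constructed sample data.
from datetime import date

# The mitigations the article pairs with a pinned-Java exception, and the
# minimum number an exception must carry before it is accepted.
KNOWN_CONTROLS = {"restrict_user_permissions", "block_direct_internet",
                  "application_whitelisting"}
MIN_CONTROLS = 2

def validate_exception(exc, today):
    """Return findings for one exception record; an empty list means it passes.
    exc keys: host, software, pinned_version, controls, review_by (ISO date or None)."""
    findings = []
    controls = set(exc.get("controls", []))
    unknown = controls - KNOWN_CONTROLS
    if unknown:
        findings.append(f"unrecognised control(s): {sorted(unknown)}")
    if len(controls & KNOWN_CONTROLS) < MIN_CONTROLS:
        findings.append(f"needs at least {MIN_CONTROLS} compensating controls")
    review = exc.get("review_by")
    if review is None:
        findings.append("no review date: exception would be open-ended")
    elif date.fromisoformat(review) < today:
        findings.append("review date passed: re-test the patch or renew the exception")
    return findings

def audit(exceptions, today):
    """Map host -> findings for every exception that fails the policy."""
    failed = {}
    for exc in exceptions:
        findings = validate_exception(exc, today)
        if findings:
            failed[exc["host"]] = findings
    return failed

# Constructed sample exception register for the Java 7 update 63 case
EXCEPTIONS = [
    {"host": "kiosk-01", "software": "Java 7", "pinned_version": "update 63",
     "controls": ["restrict_user_permissions", "block_direct_internet",
                  "application_whitelisting"], "review_by": "2017-06-30"},
    {"host": "legacy-app", "software": "Java 7", "pinned_version": "update 63",
     "controls": ["restrict_user_permissions"], "review_by": None},
]

if __name__ == "__main__":
    for host, findings in audit(EXCEPTIONS, date(2017, 3, 1)).items():
        print(host, findings)
```

The review date is what keeps the exception from quietly becoming permanent: once it passes, the record fails the audit again until the patch is re-tested or the exception is renewed.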
Patch management is vital to cybersecurity, but rarely generates enough attention. With these seven fairly simple practices in mind, you can stay on top of patch updates and ultimately safeguard your virtual data environments from the slew of security threats banging on the door.
Ivanti is IT evolved. By integrating and automating critical IT tasks, Ivanti is modernizing IT and helping IT organizations successfully navigate digital workplace transformation. Ivanti is headquartered in Salt Lake City, Utah, and has offices all over the world. For more information, visit http://www.ivanti.com/.