Patch management is the subset of systems management that involves identifying, acquiring, testing and installing patches, or code changes, that are intended to fix bugs, close security holes or add features.
Patch management requires staying current on available patches, deciding which patches are needed for specific software and devices, testing them, making sure they have been properly installed and documenting the process.
This comprehensive guide explains the entire patch management process and its role in IT administration and security. The hyperlinks direct you to detailed articles on patch management best practices, tools and services.
Patch management helps keep computers and networks secure, reliable and up to date with features and functionality that the organization considers important. It is also an essential tool for ensuring and documenting compliance with security and privacy regulations. Patching can improve performance and is sometimes used to bring software up to date, so it will work with the latest hardware.
Patch management works differently depending on whether a patch is being applied to a standalone system or systems on a corporate network. On a standalone system, the operating system and applications will periodically perform automatic checks to see if patches are available. New patches will typically be downloaded and installed automatically.
In networked environments, organizations generally try to maintain software version consistency across computers and usually perform centralized patch management rather than allowing each computer to download its own patches. Centralized patch management uses a central server that checks network hardware for missing patches, downloads the missing patches and distributes them to the computers and other devices on the network in accordance with the organization's patch management policy.
A centralized patch management server does more than just automate patch management; it also gives the organization a degree of control over the patch management process. For example, if a particular patch is determined to be problematic, the organization can configure its patch management software to prevent the patch from being deployed.
Another advantage of centralized patch management is that it helps conserve internet bandwidth. It makes little sense from a bandwidth perspective to allow every computer in an organization to download the exact same patch. Instead, the patch management server can download the patch once and distribute it to all the computers designated to receive it.
Although many organizations handle patch management on their own, some managed service providers perform patch management in conjunction with the other network management services they provide to clients. MSP patch management can minimize the significant administrative hassles of doing the work in-house.
Most major software companies periodically release patches, which can serve any of three primary purposes:
Buggy patches are the most common problem in patch management. Sometimes a patch will introduce problems that did not exist before. They may show up in the product that is being patched or in other software that has a dependency relationship with the patched software. A patch might also have to be removed if the vendor releases a patch that can't be put in place while the previous patch remains on the system. Because patches can sometimes introduce problems into a system that was previously working correctly, it is important for administrators to test patches before deploying them.
Another common problem is that disconnected systems might not receive patches in a timely manner. For example, if a mobile user rarely connects to the corporate network, their device may go for long periods without being patched. In such cases, it may be better to configure the device for standalone patch management rather than relying on centralized patch management.
The sharp increase in remote work since the start of the COVID-19 pandemic has added a new problem: managing patches on a wider range of endpoints that connect to the network through various security mechanisms. While some users might connect to applications on a highly secure VPN, others might use single sign-on from the public internet, log into some applications individually or use unsecure Wi-Fi networks. There are more places for hackers to enter the corporate network, which can mean more patches to deploy.
The main stages of the patch management process -- identifying, acquiring, testing, deploying and documenting them -- are supported by the following important steps:
System management software vendors, MSPs and consultants have expertise in making patch deployment smooth and effective. Among the oft-mentioned patch management best practices are the following 10 recommendations:
Microsoft often provides patches to its Windows operating systems and other products such as Office. The patches are normally released on a scheduled monthly basis, often on a day that has come to be known as Patch Tuesday.
Standalone systems rely on Windows Update to automatically download and deploy any available patches. In business environments, however, it is much more common to use Windows Server Update Services (WSUS), which are included with Windows Server and specifically designed to centralize patch management. There are also numerous third-party WSUS alternatives for managing, downloading and deploying Microsoft patches.
Many IT departments also maintain systems that run the open source Linux operating system. Linux patch management is similar to Windows patching, but there are more Linux distributions, which means becoming familiar with the different patching procedures of several vendors instead of just one.
MacOS also has built-in software update tools, but an organization can have multiple versions of the operating system, which makes it challenging to keep every system up to date without using centralized patch management. Many third-party patch management tools support macOS, along with Windows and Linux.
The increase in cyber attacks in recent years makes cybersecurity probably the most common reason for deploying patches. Patch management is an important part of vulnerability management, a much broader strategy for discovering, prioritizing and remediating the security vulnerabilities of network assets. Patch management remediates the identified risks by upgrading software to the most recent version or by temporarily patching it to remove a vulnerability until the software vendor releases an upgrade that contains the fix.
In this context, software patch testing also involves documenting the test process for security compliance purposes, as well as coming up with alternative vulnerability management plans in case security patches can't be installed on the required devices.
Vulnerability management includes the following steps:
A distinct category of tools known as vulnerability management software is used for scheduling and documenting these processes and partly automating them. Some vulnerability management tools have patch management as a component.
Patch management tools are available on premises or in the cloud, and many vendors offer both deployment options. While some vendors specialize in patch management, most include it in a broader collection of IT systems management, endpoint management or security and compliance tools. Prominent players include Atera, Automox, GFI LanGuard, Kaseya VSA, ManageEngine Patch Manager Plus and SolarWinds Patch Manager.
Before investigating products, it's important to create a complete patch management policy. By ranking their reasons for deploying patches and specifying who needs to be involved, how patches will be tested, implemented and monitored, and what kind of reporting is required, organizations will be more successful at finding the software that meets their exact needs.
Buying teams should look for dashboards that are easy to set up, understand and use, and that can display the information they need. Reporting and documentation features should also be user-friendly and able to handle the required information on vulnerabilities, test results and patching history. The software should support patching for every operating system and major application used in the organization. Most vendors name the OSes and commercial applications their products can patch.
Other important patch management features include the following:
Organizations that take the time to develop a patch management policy, establish a comprehensive patch management process and use the software tools that best support those efforts will likely be successful at making their IT systems reliable, secure and current with the latest technology.
Apple patches Blastpass exploit abused by spyware makers
Apple has patched two vulnerabilities that formed an exploit chain which has been allegedly abused by spyware company NSO.
Read more
Ivanti issues fix for third zero-day flaw exploited in the wild
CVE-2023-38035 is the latest Ivanti zero-day vulnerability to be exploited in the wild. The vendor has released a series of remediation recommendations.
Read more
CISA, international partners identify top routinely exploited vulnerabilities
Threat actors commonly target outdated software vulnerabilities, but many organizations still lag in timely patching of known flaws, CISA said.
Read more
How AI is changing patch management
With the number of vulnerabilities surging, patch management is becoming complex and time-consuming.
Read more
Ransomware victim numbers surge as attackers target zero-day vulnerabilities
Ransomware groups are also prioritizing the exfiltration of files, which has become the primary source of extortion.
Read more
09 Sep 2023