Five Steps to Improving Your Patch Management Program

Reading Time: 3 minutes

How many security professionals feel like no matter how many security solutions enter the market and no matter how big your security team is you never seem to get ahead of patching vulnerabilities? I know we are far beyond the idea of applying every patch released by vendors. But we didn’t get to this place for a lack of trying…trust me. We just realized the law of diminishing returns was real and that while we were focusing all of our time and resources on patching insignificant vulnerabilities on insignificant systems that we are exposing ourselves to greater risks on higher risk systems. This is evident when we see breach after breach in the news where a company’s crown jewels have been compromised by exploiting an vulnerability a vendor released a patch for more than six months prior. I would argue that these organizations are patching, executing vulnerability scans, and spending hundreds of thousands to millions of dollars on security tools/resources. Don’t take this as me placing the blame solely on security. I know the organization’s culture plays a significant role, as well as, ensuring security is integrated into the systems development life cycle (SDLC). Those two subjects alone are related but an entirely different article that would take pages to cover. Right now, I want to focus on how you can improve your patch management program directly.  While it is important to select a patch management tool that has the ability to patch all of the software vendors in use in your environment, it is equally important to deploy a vulnerability scanner. A vulnerability scanner cuts through all of the promises and plans and allows me to keep my finger on the pulse of how we are executing the patch management plan and if we need to tweak it to improve our security posture.

Having said that, when seeking to improve your patch management program follow these five (5) steps.

  1. Understand the business
  2. Prioritize systems by criticality
  3. Identify gaps in the patch management plan
  4. Identify patching inconsistencies
  5. Incorporate findings

Understand The Business

Security must be aligned with the business. To accomplish this, you must understand the objectives of the business, the business processes created to support those objectives, the information technology supporting those processes, and the threats that could disrupt those processes.  Remember that security is a service and does not generate revenue.  Security exists to enable the business.

Prioritize Systems By Criticality

Patching all systems for all vulnerabilities is nearly impossible but even if it were not you would have to prioritize which systems and vulnerabilities you would remediate first. The way to approach this problem is by prioritizing critical systems first and applying patches to the most severe vulnerabilities. Critical systems in an organization are systems that are critical to the operation of the business and/or could impact human life. A common characteristic of these systems is that they cannot be offline for any significant amount of time because it could adversely impact the organization’s ability to carry out its mission or ability to generate revenue. Critical systems could also be systems that store process, transmit personally identifiable information (PII), personal health information (PHI), the organization’s “secret sauce” recipe. These systems are often identified in the organization’s business impact assessment (BIA). These systems should be prioritized as the highest priority to be patched and secured.  Here are the types of systems I consider for the highest prioritization:

  • Systems identified in the BIA
  • Critical Infrastructure
  • Systems with PII/PHI
  • Public Facing Systems

Identify Gaps In The Patch Management Plan

Many organizations have a patch management plan so review their plan to ensure it includes all of the tenants of a good patch management plan. The National Institute of Standards and Technology (NIST) Special Publication 800-40 revision 3 Guide to Enterprise Patch Management Technologies is a great resource to use to guide the creation of a sound patch management plan. Gaps in the plan and implementation in the plan will be documented and presented to management for improvement.

Identify Patching Inconsistencies

The security team typically is running a vulnerability scanner at some frequency and has a snapshot of the vulnerability state of the organization. Review these reports to determine if critical systems are patched; to understand how long it takes to patch vulnerabilities; to see the age of vulnerabilities; to determine if certain departments are better patched than others; and to determine if certain departments are more patched than others.  This is very information that can be used to shore up the patching program.

Incorporate Findings

Collect all the information learned in the previous steps and use it to ensure you are appropriately prioritizing your patching efforts, consistently patching the information system, and updating the patch management and vulnerability assessment plans to reduce any gaps.

If you follow these five steps you will certainly improve the security posture of your organization’s information system by focusing on what is most important and ensuring it is protected. Stay vigilant.

Leave a Reply