Qualys
By Jimmy Graham, Senior Director of Product Management at Qualys
Vulnerabilities that vendors have disclosed and issued patches for remain a major source of breaches. The reason? Too many organizations take too long to deploy those patches -- or never do. Why does this baffling problem persist? Like for most IT and security challenges, the problem and its solution depend on a combination of the technology and processes in place.
Below are several best practices for an effective, proactive patch management program.
Adopt integrated breach prevention
Patch management should be part of an integrated breach-prevention program that includes asset inventory, vulnerability management and threat prioritization. When patch management is isolated, time-to-remediation slows down. For example, correlating vulnerabilities to patches becomes time-consuming, and prioritizing remediation gets difficult.
Make PM a proactive practice
Organizations shouldn't find themselves frequently going into emergency patching mode. Instead, they should proactively remediate as patches are released, based on prioritization analysis. That's the goal of a patch management program: To have repeatable patching.
For example, patch deployment jobs can be created for different types of devices to run on specific schedules, while rules and workflows can trigger automatic patch deployment.
Get full patch visibility and centralized control
Organizations must know which patches they've deployed, which are missing, and how the process should flow for optimal results. Otherwise, they'll experience delays and gaps in patching.
Thus, it's essential to discover missing patches quickly, comprehensively and at scale across assets located on prem, in clouds, and at remote endpoints.
Correlate vulnerabilities and patches automatically
Organizations must move from manual to automated correlating of vulnerabilities and patches, to more quickly identify what patches must be deployed and increase remediation response time. If you have to manually track down which patch goes with which vulnerability, your mean-time-to-remediation will be inevitably long.
Check immediately remediation's effectiveness
You should use continuous agent-based scanning, and run frequent authenticated scans, so your patching's effectiveness becomes clear quickly by tracking patches from a central dashboard.
Many patch teams must wait for a scheduled vulnerability report to determine if the deployed patches worked. Sometimes these reports come out weekly or less frequently. That's a week -- or longer -- before you know whether your remediation is working.
Don't forget about remote systems
It's challenging to deploy patches on remote systems that connect to your network infrequently. But those systems must have the latest patches. This process can be simplified and streamlined with a patch management product that leverages agents installed on each asset, because it can use the agents to deploy patches to these systems.
Make patch management OS- and vendor-agnostic
It's common for patch management tools to work only with products from one vendor, or with one type of software. This forces organizations to have multiple patching products, and prevents them from having a unified view of the patching process. Instead, look for a product that can be used to patch operating systems and applications from different vendors, and that can manage vendor-specific patch repositories.