Analecta Cyber Company Blog: Patch Management: Stay Ahead by Planning Ahead

Hackers exploit the fact that many businesses do not update their software as often as they should. Zero-day exploits, which target vulnerabilities the software developers have not yet discovered, sound flashy and make for exciting news stories. However, it is easier to develop or use an exploit against a known vulnerability. If you lack proper patch and vulnerability management plans, you could potentially be giving cyber criminals free access to your data.

What is patch management?

The NIST Cybersecurity Framework (CSF) includes the task of developing and implementing a vulnerability management plan in the Protect: Information Protection Processes and Procedures subsection. Vulnerability management should be incorporated into your overall patch management process. Patch management is the process of identifying, acquiring, installing and verifying patches for products and systems. Some of these patches are intended to correct security and functionality problems in software and firmware. From a security perspective, patches are of particular interest to cybersecurity professionals because they mitigate software flaw vulnerabilities, which significantly reduces the opportunities for exploitation. Patches can also include additional security capabilities.

Patch management challenges

There are several challenges that complicate patch management. If you fail to acknowledge and successfully overcome these challenges, you will be unable to patch systems effectively and efficiently, leading to compromises that were easily preventable. Efficiency is key: companies that can minimize the time their employees spend dealing with patching can use that time for addressing other security concerns. Many organizations prioritize patch management, making it more of a core IT function than a part of security. However, it is still important for all organizations to carefully consider patch management in the context of security because patch management is so important to achieving and maintaining sound security.

Enterprise patch management vs legacy needs

Organizations with newer devices usually can manage patches using an enterprise solution. There are a variety of solutions, depending on the components of the network and overall architecture. Three basic techniques for enterprise patch management are:
  • Agent-based: requires an agent to be running on each host to be patched, with one or more servers that manage the patching process and coordinate with the agents.
  • Agentless scanning: has one or more servers that perform network scanning of each host to be patched and determine what patches each host needs.
  • Passive network monitoring: monitors local network traffic to identify applications and operating systems that are in need of patching.

Prior to implementing any of these techniques, it is important to understand which technique your devices are configured to support. Some devices may support only one technique, while others may support more than one.

Organizations with legacy devices may need a more hands-on approach. NIST guidance (NIST Special Publication 800-40 Version 2) suggests forming a Patch and Vulnerability Group (PVG), which is a formal group that incorporates representatives from information security and operations. Depending on the size of your organization, this could be a small group of individuals with knowledge of vulnerability and patch management, system administration, intrusion detection, and firewall management. Include personnel who currently provide system or network administration functions, perform vulnerability scanning, or operate intrusion detection systems when planning for your PVG.

The PVG is responsible for monitoring for vulnerabilities, remediations and threats:
  • Vulnerabilities. Vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system.
  • Remediations. There are three primary methods of remediation: installation of a software patch, adjustment of a configuration setting and removal of affected software.
  • Threats. Threats are capabilities or methods of attack developed by malicious entities to exploit vulnerabilities and potentially cause harm to a computer system or network. Threats usually take the form of exploit scripts, worms, viruses, rootkits and Trojan horses.

Remediation recommendations

In order to stay ahead of vulnerabilities, apply remediations and protect from threats, the PVG should perform the following core tasks:
  1. Create a system inventory
  2. Monitor for vulnerabilities, remediations and threats
  3. Prioritize vulnerability remediation
  4. Create an organization-specific remediation database
  5. Conduct generic remediation tests
  6. Deploy vulnerability remediations
  7. Distribute vulnerability and remediation information to local administrators
  8. Perform automated deployment of patches
  9. Configure automatic update of applications whenever possible and appropriate
  10. Verify vulnerability remediation through network and host vulnerability scanning
  11. Conduct vulnerability remediation training

Most of these tasks are incorporated into enterprise patch management software for more modern devices, but if you cannot apply an enterprise patch management solution to your network it is important to understand these steps. See NIST Special Publication 800-40 Version 2 for more information.
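To make the core tasks above concrete, here is an added example (not Analecta's or NIST's code) that models one PVG cycle in Python: match an inventory (task 1) against advisories (task 2), prioritize by severity and exposure (task 3), deploy (tasks 6 and 8), and re-scan to verify (task 10). Every host name, product, version and advisory identifier is constructed sample data; the `deploy_failures` argument simulates a push that silently did not apply, which is exactly the case the verification scan exists to catch.

```python
# Added example (not Analecta's or NIST's code): a minimal model of the PVG cycle,
# inventory -> monitor -> prioritize -> deploy -> verify. All data below is constructed.
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    internet_facing: bool
    software: dict          # product -> installed version, e.g. {"webserver": "2.4.1"}

@dataclass
class Advisory:
    ref: str                # constructed identifier, not a real CVE
    product: str
    fixed_in: str           # first version containing the fix
    severity: int           # 1 (low) .. 10 (critical), taken from the advisory

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def find_vulnerable(hosts, advisories):
    """Task 2 (monitor): match each advisory against the inventory (task 1)."""
    return [(h, a) for h in hosts for a in advisories
            if a.product in h.software
            and version_tuple(h.software[a.product]) < version_tuple(a.fixed_in)]

def prioritize(findings):
    """Task 3: highest severity first, internet-facing hosts before internal ones."""
    return sorted(findings, key=lambda f: (-f[1].severity, not f[0].internet_facing, f[0].name))

def run_cycle(hosts, advisories, deploy_failures=()):
    """Tasks 6-10: deploy in priority order, then re-scan to verify.
    deploy_failures simulates hosts where the push silently did not apply."""
    plan = prioritize(find_vulnerable(hosts, advisories))
    for h, a in plan:
        if h.name not in deploy_failures:
            h.software[a.product] = a.fixed_in      # model of a successful install
    still_vulnerable = sorted({h.name for h, _ in find_vulnerable(hosts, advisories)})
    return [(h.name, a.ref) for h, a in plan], still_vulnerable

def sample_inventory():
    """Constructed inventory; returned fresh so each cycle starts from the same state."""
    return [Host("dmz-web", True, {"webserver": "2.4.1", "ssh": "8.2"}),
            Host("hr-files", False, {"fileshare": "3.1", "ssh": "7.9"}),
            Host("dev-box", False, {"webserver": "2.4.3"})]

ADVISORIES = [Advisory("ADV-0001", "webserver", "2.4.3", 9),
              Advisory("ADV-0002", "ssh", "8.0", 7),
              Advisory("ADV-0003", "fileshare", "3.2", 5)]
```

Calling `run_cycle(sample_inventory(), ADVISORIES)` returns the deployment order with `dmz-web` first and an empty list of remaining hosts, while `run_cycle(sample_inventory(), ADVISORIES, {"hr-files"})` returns `["hr-files"]` as still vulnerable, showing why task 10 must not be skipped.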

Additional information

Check out some of the resources below for more information on patch and vulnerability management programs:

Analecta Cyber brings decades of expertise implementing secure information systems based on the NIST Cybersecurity Framework guidelines. Reach out to us to learn about a robust, more complete cybersecurity program for your company. Contact us at or visit our Cybersecurity website.

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives.
