The Patch Management Crisis and How to Solve It

Patch Management

Most end users, and even some IT pros, feel pretty safe if they have up-to-date anti-virus/antimalware, firewalls turned on, and complex passwords in place. This overlooks one of the biggest threats to your PC and network – poor or non-existent patching.

The vast majority of successful exploits are against unpatched machines, some 85% according to US-CERT, part of the US Department of Homeland Security.

Why is This So Bad?

While viruses can be a nuisance (and often worse) to unprotected machines, the kind of attacks aimed at unpatched machines can be far worse. These are targeted at doing real damage – stealing data, escalation of privilege, releasing bots, gaining deep entry into the network, and worse.

Some of these attacks are so broad that the corporate victim can’t avoid bad publicity, loss of reputation and even loss of income. Not to mention downtime and the costs of repair.

How Patch Hacking Works

Patches are by definition publicly released, otherwise, users wouldn’t be able to install them. The patch itself fixes a vulnerability, and, as a result, defines and then exposes that vulnerability. It usually takes hackers only 1-4 days to release an exploit attacking that hole. And knowing that millions of machines won’t be immediately patched, cyber attackers have a field day.

Why is Patching So Difficult? Does It Have to Be?

Patching is hard because there are so many PCs and servers spread about. That makes it hard to even find all the machines that need patching. Now add in all the different OSes and browsers, applications, and various states of update and you have a real problem. Mobile workers make it even worse. How can you patch an end user’s device if it’s off the network?

There is also more software to patch. A decade or more ago, most patches were for Microsoft operating systems, browsers and applications. Microsoft released patches once a month on Patch Tuesday and there were also automated ways to fix Windows PCs and Servers.

That was then. Now the bigger problems are Java, Adobe tools such as Reader and Acrobat, and myriad other bits of third-party software. These vendors, while offering patches, have a less rigorous approach than Microsoft, and fewer, less robust automated patching tools.

In fact, Java and Adobe Reader alone account for the majority of vulnerabilities, according to recent reports, with Microsoft accounting for far less than 10%. We’ve even seen times when Oracle released over 100 Java fixes in a single month.

Just by keeping Java and Adobe tools patched, you can get rid of over three-quarters of your vulnerabilities.

Meanwhile, Apple’s QuickTime and iTunes are increasingly vulnerable, with most Windows users of these tools using out-of-date, unpatched versions.

The result of all these hassles? Only 36% of SMBs patch their machines.

Ovum is one research house that has been sounding the patch alarm. “Customers may shy away from addressing regular patching or overdue software upgrades because they have concerns about price, time, or complexity. However, based on our conversations with customers, an ‘only as-needed’ approach to software support is short-sighted, and could expose customers to security and compliance risks, not to mention losses in employee productivity and business revenue,” wrote Ovum analyst John Madden in his “Avoiding security risks with regular patching and support services”.

The Answer is Automated Patch Management

The good news is the answer is simple – keep your network and machines fully patched and updated.

How you chose to do so can be simple or hard. If you go the old manual route, there is a slim chance you’ll be able to identify all the needed patches on all the systems and get them installed properly. Meanwhile, you can spend your whole week trying.

The simpler, more complete route is to automate all steps in the patch process.

Ovum’s John Madden believes automation is the way customers want to go. “Once a customer has made a decision to initiate a regular software patching and maintenance program, what they want most is automated tools and support from their vendors to make such a program run as seamless as possible,” he wrote.

The first step in patch management is conducting an inventory of all your machines, even mobile devices. This asset management audit should include information on operating system and status, and all applications – with their patch and update status.

This inventory process should be regularly and easily repeatable so that new devices and software are quickly and automatically discovered – and patched.

Next, the tool should gather all needed patches, and based on policies and priorities you define, automatically install them. In some cases, you may want to test the patch before deploying to avoid software conflicts, and this should be automated as well through acceptance testing and the ability to do a rollback.

Reporting is the Final Touch

The best way to know that your infrastructure is patched properly is through reporting. You should be able to easily see what patches are installed and how they are performing. At the same, you should be able to spot at a glance which patches are missing. Even better, with good real-time monitoring tied to reporting, these reports aren’t just easy to create, they are always 100% up-to-date.

These reports aren’t just critical for security checks but ensuring compliance as well.

Quick Guide to Patch Types

  • Critical Update: Patches for issues considered “critical” but not security related.
  • Hotfix: These are built to quickly fix problems, and can even be a patch for specific customers.
  • Hot Patch: A patch that can be installed without shutting down or restarting the system.
  • Patch: A fix for a specific software hole.
  • Service Pack: Microsoft is most known for Service Packs, which are batches of fixes with some new features released every six to 12 months. These Service Packs roll up previous hotfixes and updates.
  • Security Update: Fixes for security problems, a term used largely by Microsoft.
  • Update: Fixes for non-security problems.
  • Workarounds: These are quick fixes for a hole without installing a patch. Most often users are told to shut down the vulnerable function.

Let Kaseya Help

Kaseya understands the difficulties of patch management, and our Kaseya VSA solution fully automates every aspect of patch management, including:

  • Comprehensive Discovery and Audit to find all devices in the first place, as well as monitoring operating details (to know what needs to be patched)
  • Policy-based Management and Control Automated Patch Deployment that you set up, controlling exactly which patches get deployed, as well as when and how to match your business’ specific needs
  • Remote Management to access and patch all devices, including off-network devices sitting on an employee’s countertop. If laptops need to powered on or powered off, VSA can automatically take those steps to ensure the patch is fully installed.
  • Real-time, comprehensive reports with drill-down and the extensive ability to use filters

Learn more about proper patch management with our piece “A Patch Made in Heaven”.

Want to empower your team with automated patching? Request a demo for VSA by Kaseya here.

Posted by Doug Barney
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.
How to Win More Business During Cybersecurity Awareness Month

How to Win More Business During Cybersecurity Awareness Month

Cybersecurity Awareness Month is here! This October, get in front of your audience and educate them on the evolving cybersecurityRead More

Why You Need to Talk About Cyber Insurance With SMBs

Over the last few years, we’ve watched cybercriminals increasingly targeting small and midsize businesses, while many small business owners still thinkRead More

IT Reports: Examples, Benefits, Best Practices and More

Data makes the world go round, forming the basis for some of the most critical business and political decisions. InRead More

Patch Management Policy Features, Benefits and Best Practices

In 2020, Ryuk Ransomware operators shut down Universal Health Services by exploiting the zerologon vulnerability to gain control of domainRead More

Download the 2022 IT Operations Survey Report - Click Here
2022 Benchmark Survery Results