Unless you have an extremely flexible budget and well-staffed IT team, chances are your patch management process is a bit of a maze. Maybe you have difficulty classifying risks or testing patches before implementation.
If you think your patch management process could use some improvement, consider employing these five best practices:
1. Catalog Your Systems
Creating a detailed, comprehensive inventory of all of your systems delivers a comprehensive view of your infrastructure. The inventory should include OS versions, application deployments and network resources as well as highlight the dependencies and relationships associated with each system.
Design the system catalog to allow authorized sysadmins to enter available patches for OSes and applications. Every time a syadmin logs a new patch, the inventory must notify senior administrators, testers or others responsible for patch testing and implementation of the patch's availability. The notifications should include documentation and risk levels.
"60% of businesses are already using machine learning."
2. Automate Risk Classification
Machine learning technology is actually pretty accessible nowadays, even for small companies. MIT Technology Review and Google Cloud recently surveyed 375 business professionals, 48 percent of whom worked in organizations with 50 employees or less.
More than half (60 percent) of respondents said they were already using ML in their operations.
Developers can leverage ML algorithms to classify system vulnerabilities and inform patch prioritization. The ML application could review patch documentation and security forums to determine how important patches are. In addition, the ML algorithms could interpret input from sysadmins to continuously learn how to best assess vulnerabilities.
3. Create System Images Before Applying Updates
Even if a patch passes a test, that doesn't mean it won't impact system performance.
Before applying updates, create images for all of your systems. SANS Institute recommended installing these images on emergency repair devices. You could store the images on a public cloud environment, external drive, or wherever.
The Institute also advised sysadmins to roll out the patches to a group of test users before implementing them across all end users. Test users are tech-savvy workers who know how to backup critical data and restore their systems in the event issues occur.
4. Standardize Production Systems
If possible, get all of your applications to run on the same OS version. While a demanding project, this initiative will benefit you in the long run because it reduces the number of systems for which you have to manage patches.
For example, if the bulk of your applications run on Red Hat Enterprise Linux, but a few run on Ubuntu or Windows, see if you can transition those few to RHEL. Ultimately, you'll have to test fewer application dependencies and bug patches.
The same principle applies to end-user devices, including smartphones employees use for work. How many of your company machines are running on Windows 7 or 8.1? Could the hardware support Windows 10? Conduct an assessment of the end-user environment.
5. Implement a Test Environment
Create a test environment that mirrors your production environment. Think of the test environment as the "staging area" for all of your updates and bug patches. All of the mission critical applications you run in your production environment must have logical representations in the test environment.
If setting up a test environment isn't feasible, you have two options:
- Deploy patches to the least critical, most easily recoverable servers in the production environment.
- Get a team of consultants to develop a test environment on your behalf.
With respect to the latter choice, you may not have the human capital and team needed to create a test environment. In this situation, consider outsourcing the responsibility to sysadmins and development teams who can work under a budget.