Before we consider patch management – it’s worth starting with the basics!

Essentially, a patch is update that performs one or more of three functions:

• Security updates – patches that fix a vulnerability.
• Feature updates – patches that introduce new functionality or improvements to user experience and performance.
• Bug fixes – patches that correct coding problems that prevent desired functionality.

Patching and updating is reasonably straightforward for an individual device. The complexity increases with the number and range of devices that require management. Some may be on premise, others could be distributed geographically, especially as many operations teams are required to support remote working. Patch deployment should really be considered as one step in a continuous process. Every organization has unique requirements, but your ongoing process should contain the steps below as a minimum for best practice.

Most authorities on cybersecurity advice organizations to allow automatic software updates. In most cases, this is best practice – especially if you don’t have a patch management solution in place. In all cases, this policy should go hand-in-hand with cybersecurity awareness training to ensure users can identify phishing emails that pretend to include important update information. In addition, updates should be applied over a trusted network connection whenever possible or using a VPN connection if not.

Relying on users to update their own devices can increase risk, buy you may have specific devices or applications that require special attention. A good example of this is your website content management system (CMS). Unless a vulnerability is already actively being exploited, you might prefer to update a test version or staging site first, in order to make sure the update doesn’t bring down your website.

If you’re struggling with patch management, you’re not alone. As cyber threats rise, effective patch management is crucial to protect your organization. This Help Net Security article offers a step-by-step guide to streamline your process, prioritize critical updates, and ensure smooth deployment. Don’t let vulnerabilities like WannaCry catch you off guard—learn how to safeguard your systems and enhance your security posture.

When formulating a patch management strategy for your organization a key factor to take into consideration is risk. There are many types of risk that arise from cybersecurity, these include reputational, financial, and operational. They can and should be measured in terms of cost to give you a clear idea of their impact and this can be calculated as follows:

(Threat×Vulnerability×Probability of Occurrence×Impact)
Mitigation controls

Where:

Threat: The potential cause of a cyber incident (this can include insider threats as well as targeted threats from bad actors or potential collateral damage from a supply chain incident.

Vulnerability: The weakness that can be exploited by any of these threats. Vulnerabilities can be caused by poor access management, misconfiguration, or human error as well as software or operating system issues.

Probability of Occurrence: The realistic chances of vulnerability being exploited – this will largely depend on what a threat actor can gain out of an attack. Factors to be taken into consideration here are the type and value of the information you process, the likelihood of having a ransom paid and the effort required to execute the attack.

Impact: The potential damage or loss if the threat is realized.

Mitigation controls: Any measures you have in place to reduce the risk of a vulnerability being exploited.

Essentially – the more your organization stands to lose, the more care you should take to protect it. This formula can help to you prioritize risks and allocate resources effectively to safeguard against critical threats; those where you stand to lose the most. For example, even if your organization has a limited digital footprint – you may need to invest more in measures to mitigate threats because of the value of your data or the potential catastrophic impact of cyber incident on your reputation.

Mitigation measures fall broadly into two camps – offensive and defensive. To effectively reduce risk – you should include both as part of any risk reduction strategy.

 Offensive cybersecurity measures are proactive strategies designed to identify and address vulnerabilities before attackers can exploit them. Common techniques include penetration testing, which simulates attacks to uncover and fix weaknesses; red teaming, which tests the effectiveness of security measures through simulated attacks; threat hunting, which involves actively searching for potential threats by identifying and recognizing “threat signatures”; and phishing simulations, which test employees’ responses to simulated phishing attacks to enhance awareness and training. These methods help organizations stay ahead of potential threats and strengthen their overall security posture.

 Defensive cybersecurity measures are reactive strategies designed to protect systems and respond to attacks. Common techniques include firewalls, which block unauthorized network access; intrusion detection systems (IDS), which monitor network traffic for suspicious activity; antivirus software, which detects and removes malicious software; encryption, which protects data by converting it into a secure format; access controls, which restrict access to sensitive information based on user roles; and incident response plans, which prepare for and respond to security breaches. These measures help safeguard systems and ensure a robust defense against cyber threats.

Patch management is primarily a defensive mitigation strategy. It involves regularly updating software and systems to fix vulnerabilities and protect against potential threats. By applying patches, organizations can close security gaps that attackers might exploit, thereby strengthening their overall security posture. That said, with the addition of vulnerability scanning and remediation capabilities, modern patch management tools are moving ever closer to proactively protecting your infrastructure.

As part of your ongoing cataloguing of devices and applications you will need to understand three main types of dependency:

1. Compatibility: Software that runs on a virtual or physical devices must have sufficient resources available for it to function properly. Resource intensive applications are commonly developed to run on specific operating system (OS) versions, so it’s vital to check if updates are compatible with OS versions and hardware. Equally, OS updates can impact the performance of applications and may need to be delayed until a compatible version of the application is released.
2. Sequencing: It is crucial to follow the specified order when applying updates. Each step must be completed in sequence to ensure the system’s integrity and security. Skipping any step can lead to potential issues or leave vulnerabilities unpatched.
3. Interdependencies: Software components frequently rely on each other where they run in a specific ecosystem. One example is the ecosystem of software used to manage sales and marketing. Applications including content management systems (CMS), marketing automation, customer relationship management (CRM) and accounting software could require specific versions to be in place for connectors or API integrations to work. Another (critical) ecosystem is the stack of applications you use to manage security. Updating one system might require updates to others to guarantee functionality and security.

In a word – No! As we’ve seen, simply applying all patches is no guarantee of success. Updating in the right sequence is critical, especially as problem patches can be replaced in some cases. Patch supersedence occurs if a new software update or patch replaces an older one. This new patch not only addresses the issues fixed by the previous patch but also includes additional improvements or fixes. Essentially, the newer patch makes the older one obsolete.

Problems can also occur if Network Connectivity is interrupted whilst patch deployment is happening. Keeping a reliable network connection is crucial for downloading and applying updates. A dropped connection can result in multiple issues:

Losing a network connection during a software patching process can lead to several issues, depending on the type of patch and the stage at which the connection is lost. Here are some potential consequences:

• Incomplete Installation: A lost connection can halt the patch, leaving your software unstable or unusable. Expect crashes and unpredictable behavior.
• Corrupted Files: Interrupted patches can corrupt files, potentially requiring a full software or OS reinstallation.
• Security Vulnerabilities: An incomplete patch leaves your system exposed to security threats, as critical flaws remain unaddressed.
• System Instability: Expect frequent crashes and performance issues, especially in critical systems needing high availability.
• Rollback Issues: If the connection drops, rollback mechanisms might fail, leaving your system in a limbo state.
• Data Loss: Database updates interrupted by a lost connection can lead to data loss or corruption, which can be tough to recover.

And then of course there are always vendor related #patchfail problems. Even if you deploy the right patches in the correct order to right devices – the content of the patch itself may cause loss of service, data loss, or compromised security. As a result, rollback capabilities and test management are often key features valued in patch management solutions.

Whatever solution you choose, automation is central to the benefits it can bring. This is because manual patching typically takes 10x more resource than using a patching tool. Understanding your unique IT landscape—its scale and complexity— is fundamental to choosing the right tool to help your organization manage patching. Modern solutions can juggle multiple operating systems from one console, so if your infrastructure is diverse this type of solution will make the process smoother and potentially cut costs.

Patch management tools can help improve security as well as reducing overall costs and risk, but they may not be right for every organization. Your IT and security function exists to support the business meet its objectives – if this means fast adoption of new technologies, your teams could run the risk of holding the business back if they can’t onboard new software in a safe and timely way. The main advantage of adopting a managed service a faster onramp to new services and types of devices. And, this can outweigh the additional cost.

Every organization is different. The number and types of devices supported, as well as the applications you use, form a unique digital footprint. This footprint, combined with risk will dictate how important patch management to your business and justify the cost of any tool employed.

In a word: yes! As our guide to endpoint security shows, there are standalone patch management tools, but the capability can be included in a broader solution or platform.

Common terms for solutions that can include patch management include Unified Endpoint Management (UEM), Remote Monitoring and Management (RMM), Endpoint Detection and Response (EDR), Mobile Device Management (MDM), and Automated Moving Target Defense (AMTD). Solutions that have RMM capabilities are tailored to the needs of managed service providers.

If you are already using a tool that has overlapping functionality, for example – vulnerability management, you can choose whether to opt for a point solution, live with the overlap or move to a broader solution and retire the existing. There are pros and cons for each option, including the effort of migration, cost and performance impact on the endpoint. Whilst having multiple vulnerability management solutions could be viewed as beneficial – having multiple agents on a device with competing patching regimes can introduce conflict.

There distinct advantages with combined vulnerability and patching management, a single solution helps to coordinate security and IT operations and give clearer insight into compliance. That said, IT and security operations teams that work independently, may prefer tools that are specifically designed for their needs.

In addition to MDM solutions, that are restricted to managing patches for mobile devices there are also tools which specialize in a single type of device or operating system. This includes proprietary systems like VMware vSphere and Azure Update Manager and specialist tools that manage updates for Apple devices or Internet of Things (IoT) endpoints.

If you manage a diverse environment – using a tool with comprehensive coverage can make your life easier and ensure your policies are applied consistently.

In general, most patching tools are priced on the number of endpoints managed. The price will vary based on the range of functionality included, for example, a Unified Endpoint Management solution – that includes vulnerability management – will cost more than one that only offers patch management. You can expect pay around $3 per endpoint for a low-end product. A comprehensive solution could cost more than twice as much, but it may allow you to consolidate your stack and reduce costs in other areas. Organizations with many devices can often take advantage of volume discounts, and subscriptions paid in advance may be more cost effective than a monthly billed one.

Regardless of the type of solution you select, your chosen vendor should provide you with a business case proposal that includes all the costs associated with the product (including training, support, and deployment if appropriate) and savings you can expect to achieve.

Another way to ensure you always have sufficient resources available for patch management is to include these as part of your software and device maintenance costs. This has the advantage of helping you to understand the true cost of adding an application or rolling out an equipment refresh.

When evaluating patch management solutions, it’s crucial to consider whether the system is cloud-based or on-premise. On-premise systems require significant upfront investment and ongoing maintenance, while cloud-based systems offer ease of deployment and maintenance, often through a SaaS subscription model. Key features include agent-based or agentless options, remote endpoint support, and comprehensive device and operating system support. Additionally, these solutions should provide automated patch deployment, detailed reporting, and compliance tracking to ensure all devices are up-to-date and secure. Integration with existing IT infrastructure and scalability to accommodate growing networks are also important factors to consider.

Advanced patch management tools offer features like mobile device management (MDM), zero trust policies, and remote troubleshooting tools. These solutions can enforce security policies, remotely manage devices, and automate complex workflows. Integration with service desk tools and software distribution support further enhance their capabilities, making them indispensable for modern IT environments. Other advanced features may include vulnerability scanning, patch testing in sandbox environments, and rollback options to revert patches if issues arise. These tools often come with dashboards and analytics to provide insights into patch compliance and security posture.

When selecting a patch management solution, consider the licensing model, customer support, and additional costs. On-premise tools often use a perpetual licensing model with annual maintenance fees, while cloud-based solutions typically offer subscription-based pricing. Excellent customer support, including training and onboarding services, is essential for maximizing the tool’s effectiveness. It’s also important to evaluate the total cost of ownership, which includes not only the initial purchase price but also ongoing maintenance, updates, and potential downtime costs. Look for vendors that offer flexible pricing plans and robust support options to ensure a smooth implementation and ongoing operation.

If you have assessed your requirements in terms of the number and types of endpoints you want to manage, you are already half-way to choosing the best solution for your organization. But selecting a vendor (or managed service provider) is more than a simple box ticking exercise. If you’re committing the security of your endpoints and, consequently your data, to a 3^rd party – your trust in their product and their business is paramount. There are multiple ways you can do this, here are five examples:

1. Research vendors thoroughly – look for case studies and detailed product information. Make sure you know all the questions you want to ask their sales team in advance. Involving other stakeholders in this exercise will spread the workload and ensure buy-in to the selected product.
2. Some technology research analysts publish reports on patch management solutions – find out which vendors are highly regarded.
3. Look for positive testimonials on review sites, even better if their business is like yours.
4. Try before you buy – most vendors offer a free trial or proof of concept (POC) option – but check if you will be using a fully-featured version of the product.

Request a reference call with a customer – this is a great way to discover how the product works in the real world and can give you insights into the quality of the vendor’s support. If this is a critical part of your selection process, you may be required to provide occasional reference calls when you are customer.