There are many known vulnerabilities that remain unpatched. 75% of vulnerabilities targeted in an attack were discovered more than 2 years ago, while 10% of them are exploited by a low-skilled attacker, using a freely available exploit program.
The future doesn’t seem promising either. Cyber insurer Coalition estimates that nearly 2,000 vulnerabilities and exposures will be identified each month in 2023, including 270 high-severity and 155 critical vulnerabilities.
These are frightening numbers for CISOs, but they won’t surprise field teams. They know how tricky it is to define a patch management strategy, let alone apply it, taking into account all their operational constraints and the increasing complexity of IT infrastructure.
But patch management goes beyond security: updating your systems also brings performance improvements and new features.
So, the question is how you define a modern patch management strategy, in light of tighter regulations, contractual constraints and compliance obligations that affect your IT systems. Where do you start? What strategies are out there? And how can you automate them?
Proper patching is paramount
While companies are generally equipped to automate patching campaigns for workstations, the reality is rather different when it comes to servers. In practice, it’s often all or nothing.
Organizations with plenty of resources won’t hesitate to proactively deploy their teams regularly to update their equipment. Others, though, have adopted a more reactive approach – focusing only on the most urgent updates. However, this risks creating a backlog that will be difficult to clear, sometimes you end up with an obsolete OS that no more patches are released for.
What’s more, ISS policies often fail to set the bar high enough when it comes to managing patches and updates. They don’t consider what’s happening to your infrastructure you have in operation: technical debt, a too diverse range of hardware, potential outsourcing constraints and even loss of compliance, to name just a few.
It is only natural to be daunted by the prospect of a proper patching campaign. And the possibility of side effects, incompatibilities or regressions that go with it. But if you don’t have the right strategies and resources (namely time and people), you’ll always be wondering about the security risks that unpatched vulnerabilities could bring – not least having an unstable or unavailable IS.
Also, it is not uncommon to pause updates during busy periods as a precaution, and Third-Party Application Maintenance (TPAM) on some applications might mean you have to stick with a certain version of an OS. As for the vulnerabilities and CVEs, not all are fixed with a patch, which can take several days or weeks to be released and require a reboot, or in other words: downtime. So, then you need to find workarounds: deactivate a feature, reconfigure settings, temporarily isolate the machine… all time-consuming actions that require a thorough knowledge of the IS you are working in.
When you reach a certain scale, tools are essential to automate what can be automated, helping you to make decisions and stay in control. But before we even talk about tools, you first need to know about the strategies you can choose from, which tools will help you to deploy successfully.
Different approaches to define your patch management strategy
Different update strategies are available and can be tailored according to your constraints and especially to your resources. We have grouped them into 3 general types. There are more out there, of course, but this list contains the practices that we have encountered most often and have emerged as the most effective.
Don’t forget: nothing is perfect, and your strategy is no exception. The main thing, in terms of patch management, is to keep up your efforts regularly, which is where automation comes in. The longer you wait, the harder it will be to clear the backlog. Beyond the issues of outdated OS versions, there is also the question of skipping versions, which is not always possible. So, some updates will take time. A lot of time.
Adopting and automating an approach to properly update your systems will therefore result in efficiency gains, while maintaining service continuity.
1. The pragmatic approach
This first approach is about ensuring updates are installed at a regular frequency – usually once a month, unless a critical vulnerability crops up sooner. Security updates are set up to be deployed automatically, which doesn’t affect their functional scope and presents little risk of regression. Minor updates are manually approved after you review their documentation and estimate the risks.
As for major updates, you take some more time to assess the risks and determine whether the update can be rolled out immediately or whether it’s best to wait until resources can be easily freed up to resolve any potential problems.
2. The rolling update approach
Slightly more advanced, this approach requires good knowledge of your infrastructure. It is similar to Information Technology Infrastructure Library (ITIL) processes and continuous deployment methods. It consists of incrementally updating parts of your infrastructure across several batches in increasing order of criticality. Patches and updates are first deployed to your non-critical environment, then to low-risk production areas, then to parts deemed ‘breakable’, before extending the campaign to all equipment.
At each stage, you assess the impact: carry out testing and check the relevance of the documentation provided by the publisher – sometimes the update is enough, other times you also need to modify configurations. The main advantage here is that you ease concerns by limiting the risk and ensuring continuity of service, because you are only dealing with one part of the infrastructure at a time.
3. The blue-green approach
The last approach to consider, which we think is the best, might not be for everyone. It involves having two identical environments that spread the risk and can take over from the other in the event of an incident.
We switch the traffic entirely to the blue environment and install the updates to the green one. Once the update is complete, we gradually redirect traffic back to the green environment. But in case of a regression, we can always revert to the blue environment. If the green environment is still running as it should be after a while, we can simply update the blue environment and put it back into operation.
The right tools to implement your patch management strategy
Once you have set out your strategy, you then need the right tool. If you only have a few machines, and especially if they run on the same operating system, then the update tools from publishers will be more than enough. Windows Server Update Service (WSUS), Intune, Red Hat Satellite, Ubuntu Landscape and SUSE Manager provide the packages and all you need to do is install them. That’s all you need to do to keep your machines up to date.
But if your infrastructure is more complex, whether diverse, multi-environment or hybrid, then you rely on multiple vendors to receive updates. So, you need a tool that can handle the complexity of a multi-OS environment. This will save you time and improve reliability.
With Rudder, you can manage your multi-system and multi-OS infrastructure in one place. The solution adapts to the approach that suits you thanks to its high degree of adaptability: from the most simplistic to the most sophisticated.
How does it work?
Once this information has been compiled, you can make the right decisions, prioritize and automate patch campaigns that fit perfectly with your strategy. These can be simple and apply all available patches at a defined frequency. Or they can be smarter and more selective by only updating certain softwares on specific groups of machines, whether with a reboot or not.