By Robert Brown,
Chief Customer Success Officer at Syxsense
Enterprises of all sizes are facing increased pressure to protect their information and close the software vulnerability gap as cybersecurity attacks mount. Unfortunately, many companies still grapple with getting patch management right. A recent Ponemon Institute study reported that 42% of organizations that suffered a data breach knew patches were available but struggled to deploy them. Having a solid patch management playbook on hand can help protect assets, employees, partners, and your business at large. Let's review six steps you should take to create your playbook.
Step One: Determine which updates to install first
Rank updates by the severity of the vulnerabilities each non-superseded update fixes and by how exposed the affected systems are in each environment. For instance, all else being equal, deprioritize an update that affects a single device and work on patching a vulnerability impacting thousands of devices instead. Tackle critical updates first, as they most often affect security and the reliability of key systems. Once the high-priority updates are out of the way, look for important updates that address non-critical problems or improve the computing experience. Next, move on to optional updates, which may include driver updates or new software to enhance your current systems. While these updates are recommended, chances are they don't need to be addressed in the next 24 hours.
Leverage a standard such as the Common Vulnerability Scoring System (CVSS) to help prioritize updates. CVSS rates the severity of a vulnerability on a scale from 0 to 10. Under CVSS v3.x, a base score of 9.0-10.0 is Critical and 7.0-8.9 is High (treat both as critical updates), 4.0-6.9 is Medium (important), and 0.1-3.9 is Low (optional). Keep in mind that the base score describes the vulnerability itself, not your environment: a Medium on an internet-facing server may still deserve to jump ahead of a High on an isolated device, which is why exposure belongs in the ranking alongside severity.
Step Two: Test the updates before they go into production
Thorough testing prior to deploying new patches helps ensure your systems remain intact. Install each missing update on at least five representative devices and test them against documented success criteria. Record the evidence and have it independently reviewed and approved by someone other than the tester, and keep the test devices separate from production so that a bad update cannot spill onto the live network. If the update has an uninstaller, exercise it as part of the test so you know the update can be removed cleanly and rolled back if it misbehaves in production. It's best to take this process in stages: first research each update's expected behavior and prerequisites, then identify which parts require testing, and finally compare the results against your predetermined success criteria.
Step Three: Decide how many updates to install at once
The more updates you install at once, the higher the risk of end-user disruption. If a system is missing a lot of updates, expect a large amount of data to be downloaded to the device and a correspondingly longer installation. Also note that some updates require a reboot before they are finalized, and when several are installed in one pass, each can trigger its own reboot, increasing the likelihood of end-user disruption. To determine how many updates a system can absorb, evaluate the total number and size of missing updates against the number of devices of each type; that tells you the download volume and install time you are committing to and helps prevent system overloads and unwanted interruptions. The rule of thumb is to start with five updates per pass and then reassess.
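The ranking described in Step One and the batch sizing in Step Three can be put into a small script. The following is an added example, not code from the article or from Syxsense; the update records, device counts, field names (cvss, size_mb, affected_devices, superseded_by) and the mapping of CVSS High into the "critical" update class are constructed assumptions for illustration.

```python
"""Added example (not from the original article): rank missing updates by
severity and exposure, drop superseded ones, and size the first deployment
batch as Steps One and Three describe.  The update records, device counts and
the field names (cvss, size_mb, affected_devices, superseded_by) are
constructed sample data and assumptions for illustration, not a vendor API."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Update:
    name: str                          # update identifier (constructed)
    cvss: float                        # highest CVSS v3.x base score the update fixes
    size_mb: float                     # download size per device, in MB
    affected_devices: Dict[str, int]   # device type -> devices still missing it
    superseded_by: Optional[str] = None  # set when a newer update replaces this one
    requires_reboot: bool = False


def severity_band(cvss: float) -> str:
    """Map a CVSS v3.x base score to the article's three update classes:
    Critical (9.0-10.0) and High (7.0-8.9) both go out as critical updates."""
    if cvss >= 7.0:
        return "critical"
    if cvss >= 4.0:          # CVSS Medium
        return "important"
    return "optional"        # CVSS Low (0.1-3.9) and None (0.0)


BAND_RANK = {"critical": 0, "important": 1, "optional": 2}


def prioritize(updates: List[Update]) -> List[Update]:
    """Skip superseded updates, then order by severity band, then by exposure
    (how many devices are missing the update), then by raw CVSS score."""
    live = [u for u in updates if u.superseded_by is None]
    return sorted(
        live,
        key=lambda u: (BAND_RANK[severity_band(u.cvss)],
                       -sum(u.affected_devices.values()),
                       -u.cvss),
    )


def batch_plan(ranked: List[Update], batch_size: int = 5) -> dict:
    """Take the first `batch_size` ranked updates and estimate what the batch
    costs: total download per device type, and how many of the updates can
    each demand a reboot (an upper bound on reboots a single device sees)."""
    batch = ranked[:batch_size]
    download_mb: Dict[str, float] = {}
    for u in batch:
        for device_type, count in u.affected_devices.items():
            download_mb[device_type] = download_mb.get(device_type, 0.0) + u.size_mb * count
    return {
        "updates": [u.name for u in batch],
        "download_mb_by_type": download_mb,
        "reboot_prompting_updates": sum(1 for u in batch if u.requires_reboot),
    }


# Constructed sample inventory: identifiers and numbers are illustrative only.
SAMPLE_UPDATES = [
    Update("UPD-001", 9.8, 120.0, {"laptop": 1800, "server": 40}, requires_reboot=True),
    Update("UPD-002", 9.8, 120.0, {"laptop": 5}, superseded_by="UPD-001"),  # replaced, skipped
    Update("UPD-003", 5.3, 8.0, {"server": 300}),
    Update("UPD-004", 7.5, 45.0, {"laptop": 1}, requires_reboot=True),      # critical, but one device
    Update("UPD-005", 3.1, 2.0, {"laptop": 2500}),                           # huge exposure, low severity
    Update("UPD-006", 8.1, 60.0, {"server": 120}, requires_reboot=True),
]

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_UPDATES)
    print("deployment order:", [u.name for u in ranked])
    print("first batch:", batch_plan(ranked, batch_size=3))
```

Note that the sort puts a critical update missing on one device behind critical updates missing on many, but still ahead of every important and optional update, and that the low-severity update with the widest exposure lands last; the batch estimate is what you would compare against a maintenance window before committing to the next five.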
Step Four: Make change management simple
No matter which best practices you follow, change management typically calls for documentation that records the necessary updates, the potential impact on users, evidence of testing, and go-live schedules. Without these details, a formal approval process cannot be followed. In large organizations especially, change management is the single source of truth for approved changes, so keeping current records of those changes makes the entire process easier and auditable.
Step Five: Deploy your updates safely
Creating a patch management calendar is an essential step in building a thorough playbook. Refer to it when raising change requests and when scheduling and reviewing new patch deployments. Next, define baselines for how many updates need to be deployed at a given time and in which order, and verify those decisions against the details recorded in your change management process. The baselines should follow from the earlier answers about severity and batch size and be refreshed to reflect each month's new releases. Once a baseline is set, schedule the deployment and automate where it makes sense.
Step Six: Measure your playbook's success
Success can be measured in many ways: for example, by how easily the process can be followed or repeated, by the number of incidents raised to the help desk after a deployment, or by the number of devices reporting a successful install. Ultimately, the main benchmark is how quickly patches are deployed across the environment, followed by a streamlined process that reduces the manual effort required to keep the company safe and secure.
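"Swift deployment" is easiest to defend to an auditor as numbers: what share of devices received each class of update, how many did so inside the agreed window, and how long the typical device waited. The following is an added example, not code from the article or from Syxsense; the install records, the per-class SLA targets (7, 30 and 90 days) and the field names are constructed assumptions for illustration.

```python
"""Added example (not from the original article): compute patch-deployment KPIs
from per-device install records, the kind of evidence Step Six asks you to
track.  The records, the SLA targets per update class and the field names are
constructed assumptions for illustration."""
from datetime import date
from statistics import median
from typing import Dict, List, NamedTuple, Optional


class InstallRecord(NamedTuple):
    update: str
    update_class: str          # "critical" | "important" | "optional"
    released: date             # vendor release date of the update
    device: str
    installed: Optional[date]  # None if the device is still missing it


# Assumed remediation targets in days from release; adjust to your own policy.
SLA_DAYS = {"critical": 7, "important": 30, "optional": 90}


def patch_metrics(records: List[InstallRecord], as_of: date) -> Dict[str, dict]:
    """Per update class: coverage (share of devices patched), share of devices
    patched within SLA, median days from release to install, and devices that
    are both unpatched and past the SLA window as of `as_of`."""
    out: Dict[str, dict] = {}
    for cls, sla in SLA_DAYS.items():
        rows = [r for r in records if r.update_class == cls]
        if not rows:
            continue
        patched = [r for r in rows if r.installed is not None]
        ages = [(r.installed - r.released).days for r in patched]
        within_sla = sum(1 for a in ages if a <= sla)
        overdue = sum(1 for r in rows
                      if r.installed is None and (as_of - r.released).days > sla)
        out[cls] = {
            "devices": len(rows),
            "coverage_pct": round(100 * len(patched) / len(rows), 1),
            "within_sla_pct": round(100 * within_sla / len(rows), 1),
            "median_days_to_patch": median(ages) if ages else None,
            "overdue_unpatched": overdue,
        }
    return out


# Constructed sample records: two updates across a handful of devices.
AS_OF = date(2023, 3, 31)
SAMPLE_RECORDS = [
    InstallRecord("UPD-001", "critical", date(2023, 3, 1), "dev-a", date(2023, 3, 3)),
    InstallRecord("UPD-001", "critical", date(2023, 3, 1), "dev-b", date(2023, 3, 10)),  # 9 days: SLA miss
    InstallRecord("UPD-001", "critical", date(2023, 3, 1), "dev-c", None),               # still missing
    InstallRecord("UPD-001", "critical", date(2023, 3, 1), "dev-d", date(2023, 3, 5)),
    InstallRecord("UPD-003", "important", date(2023, 3, 5), "dev-a", date(2023, 3, 20)),
    InstallRecord("UPD-003", "important", date(2023, 3, 5), "dev-b", date(2023, 3, 25)),
    InstallRecord("UPD-003", "important", date(2023, 3, 5), "dev-c", None),              # 26 days: not yet overdue
]

if __name__ == "__main__":
    for cls, metrics in patch_metrics(SAMPLE_RECORDS, AS_OF).items():
        print(cls, metrics)
```

The within-SLA figure is computed against all devices, not only the patched ones, so an unpatched device counts as a miss; reporting it against patched devices alone would hide exactly the gap the playbook is meant to close.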
While patch management continues to be a challenge for organizations, IT and security teams can set themselves up for success and reduce their company's attack surface by implementing strong, thorough patch management playbooks. These six steps will likely get you the additional layer of protection that you need.
ABOUT THE AUTHOR
Rob Brown, Chief Customer Success Officer
During his 17 years at Syxsense, Rob’s role has evolved from onsite technical consultant to the Chief Customer Success Officer. He leads the technical account management and security content teams and is responsible for ensuring customers have the best patch and vulnerability management strategies while implementing critical security best practices. His team has deployed over 200M patches to Syxsense customers around the globe over the last decade, and he has deep insight into what works, where the visibility and security gaps usually are, and what to do to fix them.