Many organizations appreciate the regularity of Patch Tuesday to better prepare and execute patch deployment. However, few organizations use the time prior to Patch Tuesday to efficiently prepare systems and people for rapid deployment. In 2005, the industry average to fully deploy a new critical security patch was a full 30 days. With the rise of zero-day threats and the release of out-of-cycle patches, administrators need a plan for handling emergency policy and patch updates.
Patch Tuesday Preparation
In order to effectively prepare for Patch Tuesday, organizations should start by laying the foundation for an efficient patching process. First, identify all firmware and software on the network and categorize them by platform, department, etc. to ensure all assets are discovered. Determine which systems are most critical to protect based on the assets housed or the function it provides. An organization's level of risk should be defined by criticality of system and how prone it is to attack.
Furthermore, it's important to establish workflow and groups by determining ownership, permissions needed and responsibilities for threat identification, testing and remediation across security, IT and business units. By determining ownership, permissions needed and responsibilities for threat identification, testing and remediation across security, IT and business units, the organization can respond as a whole to threats.
Specific to Patch Tuesday, a good way to prepare is to monitor the outcome of prior patch deployments and use those metrics as a basis for continuous improvement. If ten systems failed to receive the updates last month, the administrator should look for the root cause and fix the issue, thus preparing for future patch deployments.
Once patches are available for deployment, PatchLink encourages companies to study the release and testing notes provided with the patch updates - and to test each patch in a representative sample network of systems prior to deployment en masse.
IT administrators know that it doesn't end on Patch Tuesday, so establishing rules for follow up is essential. Organizations need to maintain an accurate record of patches deployed and should make certain that new or rebuilt systems are "base-lined" for their appropriate systems group and IT administrators need to monitor for removal of patches. If available, organizations should use a network scanner, attack scanner or secondary system to validate their system security from a different perspective. This can help identify any anomalous situations due to malware activity within the network.
Modify system settings and distribution parameters to optimize the system better for next months updates. WAN optimization, polling frequency and minimizing the patches being detected can all help further optimize performance. Look for computers that did not receive updates at all, or that took unusually long to receive updates.
With zero-day exploits increasingly prevalent, organizations must also have a plan for deploying emergency out-of-cycle patches. With an average of 30 days to be fully patched, many organizations are left with a huge window of exposure.
In addition to following the preparation steps mentioned earlier, emergency patches should be tested and deployed by the stakeholder of each system. Too many levels of red tape between the patch and the stakeholder, who needs to deploy the patch, can be counter-productive - so streamline and automate as many processes as possible.
PatchLink recommends setting a 48-hour window goal which allows ample time for testing each patch in the various environments within the corporation, as well as time to get the patches deployed during an operational patching window. Mission critical servers may only be available for patching once a week, once a month or even less frequently, so server administrators need to plan for downtime that can be used in an emergency, as well as the regular "Patch Tuesday" cycle.
Clearly, preparation and best practices for knowing your assets, prioritizing risk and creating an established process are the keys to success for rapidly deploying security patches to protect your network.
Chris Andrew is vice president of security technologies at PatchLink.