Security and vulnerability patching has become one of the top concerns for IT managers, but has also left many IT teams fighting a losing battle as the job of patching competes with daily system maintenance and security tasks.
The patching issue became a more prominent problem for businesses worldwide in 2003 when the Slammer worm was unleashed on the internet. In the first minute after it started spreading, Slammer doubled the number of web servers it infected every eight seconds. Within 10 minutes, 90 percent of all vulnerable machines had been infected – leaving businesses with a $1 billion bill to fix the havoc Slammer created. Yet the patch to fix the vulnerability that Slammer exploited had been available for six months. If the majority of those infected had patched their systems, Slammer would have been a minor blip.
So why aren't businesses catching on to patching? The bottom line is that many IT teams simply do not have the resources or time. Just researching the 4,000+ vulnerabilities published by security monitoring body CERT in the last year would demand hundreds of work hours. And although IT staff may go online regularly to see which patches have been released, they cannot be 100 percent sure that all systems are properly patched.
Then there's the cost issue. Recent research from analysts at The Yankee Group found that it can cost as much as $1 million to manually deploy a single patch in a 1,000-node network environment. The costs include the manual labor involved in fixing problems and system downtime while patches are being applied.
But as the interval between a vulnerability being discovered and exploited shortens, patching is now a necessity. The 2004 Blaster worm was released just 18 days after the vulnerability it exploited was discovered, and the pace is stepping up. So how do businesses respond effectively to this challenge?
Introducing the five Ps
Proper planning prevents poor performance – we all know the 'Five Ps' business maxim. When it comes to patch and vulnerability management, there's another set of 'five Ps' which hold true if the job is to be done effectively.
By putting these five Ps into action, together with a patch management solution that centralizes and automates the task of distribution and application, IT teams can make patching an integral part of their overall security management strategy, instead of a panicked, reactive and time-consuming scramble to address the latest vulnerability or piece of malware.
The first step is to risk-assess the business. The IT team should know what the potential vulnerabilities are, where those vulnerabilities are, and how important it is to the business that they are fixed. This means an in-depth study of all of a company's IT assets. Once the company knows what it has and where, it can check the vulnerability status of each piece of firmware and software.
It's also important to establish which systems are critical, which should be patched first and which need constant patch maintenance. As an example, some retailers may not apply patches in November and December because these are the busiest times of the year, and the risk of downtime caused by new software is unacceptable. This leads to the second 'P'.
For most companies, even those with security patch management solutions in place, patching everything straight away is not an option. The IT team has to be able to cope with the work in progress, and to have the capacity to address any issues which arise during the patching process. Because new patches have been known to induce instability in software, maintenance should be done in bite-size pieces so that IT staff do not get swamped.
The most direct approach is to deal first with the systems that are most prone to attack or hacking – such as ecommerce systems, mail systems and critical business applications. Then move down the food chain to non-critical systems. It's important to factor in the timing of maintenance too – for example, systems used by office staff should ideally be patched out-of-hours.
Based on the findings of the risk assessment and the patching priorities, the IT manager or CSO should develop a patching policy – specifying what patches should be applied, to which systems, and in which order.
Ideally, the policy should have two elements – one to deal with routine, non-critical patching issues in a regular, repeatable maintenance cycle, and a second for serious patches that have to be installed quickly. The policy should also have a procedure for assessing and distinguishing the severity of new alerts. This maps onto the features that should be considered essential when evaluating security patch and vulnerability management solutions – see the fifth 'P' later in this article.
Now we come to actually working with and deploying the patches themselves. In each case, how big is the hole to be patched? How severe is the risk to systems? Does the patch require other system upgrades first?
It's wise to test any patch first before applying it. Even the best patches from the most reputable vendors have not been tested in every possible environment. Using tools such as VMware is valuable here, enabling a patch to be tested in virtual environments first. Following a successful test, if a patch is to be applied to a particularly business-critical system, do a trial roll-out of the patch first if possible, to ring-fence any risk from the new patch.
Note that some patch and vulnerability management solution vendors will also test and authenticate patches before making them available, which helps reduce an IT team's workload.
Dedicated patch and vulnerability management software and services can take away the burden of patch deployment and management – if you choose the right solution. The key points to check in any patch and vulnerability management solution are:
Are the patches secure and signed for authenticity?
Is the solution scalable, to grow as your needs grow?
Does the vendor test patches for you before shipping them, to ensure an additional level of reliability and stability?
Is there a patch library or repository?
Does it offer multi-platform support?
How granular is the management? Can it group users, and prioritize patch deployment?
Does the solution offer rollback capability, if a patch causes any issues?
Patching is, of course, only one element of an overall security strategy. However, it makes pivotal contributions, from reducing a myriad of vulnerabilities resulting from hacking to helping resolve issues arising from spyware and malware. By following the five Ps of patch management, companies can ensure they are less likely to fall victim to attacks of any kind.
The author is vice president of Product Management for PatchLink