How to Do Patch Management with Best Practices in Mind

Staying on top of today’s cybersecurity threats is an important part of being a managed service provider (MSP). Today, as the number of unique applications used by businesses rises around 30% year on year, one of the cornerstones of good cybersecurity posture is a solid patch management plan. Here’s how to do patch management right. 

What is Patch Management?

Patch management is the process of making small changes to the code of programs or software applications to fix known vulnerabilities and bugs that expose users to risk. As an MSP, you should be aware of which software updates or patches are available, and have a process in place for downloading these patches, deploying them to the relevant clients and the right specific machines, and checking that they have been installed and applied correctly. For example, certain patches will be incompatible with specific operating systems or applications, so they will need their own process, or a discussion with the client in question.

The Truth Is, Patch Management is Getting Harder

The scope of this issue is only getting larger. Today, organizations are not only using more applications than ever before, but the organizational landscape is getting more complicated. Traditionally, a business may have worked from a single office, with everyone on the same type of machine. This is no longer the case, with the rise of BYOD (Bring Your Own Device), work-from-home, choice-based, and remote-first policies, and a more relaxed approach that lets employees pick their own equipment and software.

On the other side of the attack surface, attackers are also getting smarter, automating elements of their attacks, and staying under the radar for longer. Patching speed is one of the key weak points for today’s organizations, because a business needs to react to the information and shore up its defenses faster than the attacker can act on the same intelligence. After all, the bad guys have access to the same list of vulnerabilities as your business does. MSPs need to be lightning fast in closing any gaps, putting patches in place, and staying two steps ahead. However, in 2019 alone there were 12,000 CVEs published, so it’s no wonder that Ponemon says the average time frame for patching is 102 days.

What’s Under your Client’s Roof? Time for Network Discovery

Your first step needs to be an accurate list of everything your clients use, including software, hardware, and all devices connected to the network. It’s not enough to simply ask your clients what they use, because often they won’t think of everything, or even be aware of certain machines that are connected to the network. These are exactly the gaps that lead to a breach, so it is all the more essential that discovery be part of the patch management plan.

Automation is important here. Some MSPs only run this kind of scan when they first sign on with a new customer, but this isn’t enough. Ideally you need to run regular or even continuous scans to keep you up to date. A robust Network Discovery solution can make this a lot easier, immediately adding new connected systems and tools to a comprehensive list for each client. 
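The reconciliation step behind continuous discovery, as an added example (not Atera’s Network Discovery feature): each scan is merged into a per-client inventory keyed by a stable identifier (a MAC address here), and the merge reports what is new, what has not been seen for a while, and what the client never told you about. The 14-day stale window, the scan results and the client’s declared hostnames are constructed for the example.

```python
"""Reconcile a network discovery scan with a client's asset inventory.

Added example, not Atera's network discovery feature. The inventory is a
dict keyed by a stable identifier (a MAC address here); the stale window,
the scan results and the client's declared hostnames are all constructed.
"""
from datetime import datetime, timedelta


def merge_scan(inventory, scan_results, scan_time, stale_after_days=14):
    """Merge one scan into the inventory (updated in place).

    Returns (new_ids, stale_ids): assets first seen in this scan, and assets
    not seen by any scan for more than stale_after_days.
    """
    new_ids = []
    for asset in scan_results:
        asset_id = asset["mac"]
        record = inventory.get(asset_id)
        if record is None:
            inventory[asset_id] = {
                "hostname": asset.get("hostname") or "unknown",
                "ip": asset["ip"],
                "os": asset.get("os") or "unknown",
                "first_seen": scan_time,
                "last_seen": scan_time,
            }
            new_ids.append(asset_id)
        else:
            # Known asset: refresh what may have changed since last time
            record["last_seen"] = scan_time
            record["ip"] = asset["ip"]
            if asset.get("hostname"):
                record["hostname"] = asset["hostname"]
    cutoff = scan_time - timedelta(days=stale_after_days)
    stale_ids = [aid for aid, rec in inventory.items() if rec["last_seen"] < cutoff]
    return new_ids, stale_ids


def unknown_assets(inventory, declared_hostnames):
    """Discovered assets whose hostname the client never declared: the ones nobody was patching."""
    declared = {h.lower() for h in declared_hostnames}
    return sorted(aid for aid, rec in inventory.items()
                  if rec["hostname"].lower() not in declared)


# Constructed sample data
CLIENT_DECLARED = ["fileserver01", "ws-alice", "ws-bob"]

SCAN_DAY1 = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.10", "hostname": "fileserver01", "os": "Windows Server"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.0.21", "hostname": "ws-alice", "os": "Windows 10"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.0.22", "hostname": "ws-bob", "os": "macOS"},
]
# Twenty days later: ws-alice moved IP, ws-bob has not been seen, a printer nobody mentioned appeared
SCAN_DAY20 = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.10", "hostname": "fileserver01", "os": "Windows Server"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.0.25", "hostname": "ws-alice", "os": "Windows 10"},
    {"mac": "00:11:22:33:44:09", "ip": "10.0.0.77", "hostname": "printer-lobby", "os": None},
]


def run_demo():
    """Run both scans and summarize what the second one surfaced."""
    inventory = {}
    start = datetime(2021, 6, 1)
    merge_scan(inventory, SCAN_DAY1, start)
    new, stale = merge_scan(inventory, SCAN_DAY20, start + timedelta(days=20))
    return {
        "new": new,
        "stale": stale,
        "unknown": unknown_assets(inventory, CLIENT_DECLARED),
        "total": len(inventory),
    }


if __name__ == "__main__":
    print(run_demo())
```

The second scan surfaces the lobby printer as both new and undeclared, and flags ws-bob as stale rather than silently dropping it: a machine that stops answering scans may be off-site on someone’s home network, which is exactly the device that misses its patches.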

Prioritize Intelligently for Urgent Patches

Not all patches are created equal, and fixing certain issues could cause business disruption, so it’s important to think through your process before putting it into place. A traffic light system is one example of a process that can help you decide the severity of a vulnerability and create a smart patch management plan. For example, if an application holds sensitive customer information, you might mark it as red, meaning it needs urgent and immediate patching.

On the other hand, you may have yellow or green items that can wait a week or more before they are patched on a regular schedule along with other scheduled maintenance. As an MSP, you can establish this color-coded process within your SLA, so that customers can choose what risks should be considered ‘red’ and know that vital patching is done immediately. 
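The traffic-light process written down as code, as an added example that is not part of the original post: each pending patch gets a tier, the tier sets an SLA deadline, and the list comes back sorted with anything overdue flagged. The tier rules (a 0-10 severity score, and the “holds sensitive customer data” override the text mentions), the SLA windows and the patch records are assumptions and constructed data, standing in for whatever you agree with each client.

```python
"""Traffic-light triage of pending patches, with SLA deadlines.

Added example, not Atera's code. The tier rules (a severity score on a
0-10 scale, and the 'touches sensitive customer data' override the page
mentions) and the SLA windows are assumptions standing in for whatever an
MSP agrees with each client; the patch records are constructed.
"""
from datetime import date, timedelta

# Assumed SLA windows. The page only says red means immediate and
# yellow/green can wait a week or more for scheduled maintenance.
SLA_DAYS = {"red": 1, "yellow": 7, "green": 30}
TIER_ORDER = {"red": 0, "yellow": 1, "green": 2}


def classify(patch):
    """Assign a tier: sensitive data or a critical score is red, high is yellow, the rest green."""
    if patch["sensitive_data"] or patch["severity"] >= 9.0:
        return "red"
    if patch["severity"] >= 7.0:
        return "yellow"
    return "green"


def triage(patches, today):
    """Return one row per patch with tier, due date and overdue flag, most urgent first."""
    rows = []
    for p in patches:
        tier = classify(p)
        due = p["published"] + timedelta(days=SLA_DAYS[tier])
        rows.append({
            "id": p["id"],
            "tier": tier,
            "due": due,
            "age_days": (today - p["published"]).days,
            "overdue": today > due,
        })
    # Red first, then earliest deadline within a tier
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], r["due"]))
    return rows


# Constructed sample: one pending patch per system
SAMPLE_PATCHES = [
    {"id": "crm-web", "severity": 5.5, "sensitive_data": True, "published": date(2021, 6, 12)},
    {"id": "mail-relay", "severity": 8.1, "sensitive_data": False, "published": date(2021, 6, 13)},
    {"id": "lobby-kiosk", "severity": 4.0, "sensitive_data": False, "published": date(2021, 5, 6)},
    {"id": "vpn-gw", "severity": 9.8, "sensitive_data": False, "published": date(2021, 6, 15)},
]
TODAY = date(2021, 6, 15)  # fixed so the demo is reproducible


def demo():
    return triage(SAMPLE_PATCHES, TODAY)


if __name__ == "__main__":
    for r in demo():
        flag = "OVERDUE" if r["overdue"] else ""
        print(f"{r['tier']:6} {r['id']:12} due {r['due']} age {r['age_days']:3}d {flag}")
```

Note that the CRM patch lands at the top despite its moderate score because the data it protects puts it in red, while the kiosk patch is green but still shows as overdue: a green tier is a longer window, not permission to forget it.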

Consult Regularly on Architectural and Environment Changes

The best way to protect your clients from a cyber-attack is to speak openly with them regularly about their security posture. Do they have risky access permissions, duplicate software solutions, or an overly complex application or IT topology? If you can simplify their existing architecture, that means less to patch and fewer chances for vulnerabilities.

This is especially true with third-party software and products, which are becoming more common each year, and may be installed by employees without executive oversight. Encourage your clients to have an open ‘no-risk’ process in place for admitting to installing new software locally, to make sure that you’re aware of all the third-party vendors you should have on your radar. 

Set up Individual Customer Profiles

As we said earlier, not all patches will work equally on all machines, and it’s easy to see how these can fall through the gaps or get pushed off until someone has more time to manually handle a customer or an instance that doesn’t fit the norm. This is exactly how cyber-attacks occur, and you need to have a process in place for these situations ahead of time. At Atera, we use IT automation profiles, which let you plan tasks for specific servers or workstations in granular detail, for example installing Java updates, OS updates, or Office updates on some machines and not on others.

You can also utilize robust reporting capabilities that show you the success rate of your automation profiles and which patches didn’t make it to completion, and that separate the information out by specific customer, application, patch type and more. This allows you to audit for any unexpected problems, and also set up automation to stop patching delays from happening next time.

Automate Automate Automate

We’ve said it before and we’re sure we’ll say it again – automation is the smartest route to being a successful MSP. After all, the more you can take off the list of manual tasks, the more profitable you can make your business. At Atera, we’re always looking for more opportunities to integrate with smart automation, such as our Chocolatey and Homebrew integrations for Windows and Mac respectively, that handle software patch management, and can also be included in IT automation profiles.

This integration allows our MSP customers to update a wide range of software with a single click, or set up this automatic patch management as part of an IT automation profile. For Chocolatey, this includes Chrome, Adobe, Teams, Zoom, Dropbox, Firefox, Java and more. For Homebrew, many of the same applications are included, as well as Skype, Dashlane, Evernote, VLC Media Player, and more.
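The pieces described in the last two sections (an automation profile that decides which updates a machine class gets, and a report of what succeeded and what didn’t) as one worked example, added here and not Atera’s integration code. It parses the text that `choco outdated` and `brew outdated --verbose` print (the line formats are my assumption about the tools’ current output, not something the post states), filters the outdated packages against a hypothetical profile, and summarizes a run per client. The sample output, the profiles and the run results are all constructed.

```python
"""Turn package-manager 'outdated' output into a per-machine upgrade plan and
a per-client success report.

Added example, not Atera's integration code. The line formats are what
`choco outdated` and `brew outdated --verbose` print at the time of writing
(an assumption on my part, not taken from the page); the sample output, the
profiles and the run results below are all constructed.
"""
import re

# choco outdated: "name|current version|available version|pinned?"
CHOCO_LINE = re.compile(r"^([^|\s]+)\|([^|]+)\|([^|]+)\|(true|false)$")
# brew outdated --verbose: "name (current) < available" for formulae,
# "name (current) != available" for casks
BREW_LINE = re.compile(r"^(\S+) \(([^)]+)\) (?:<|!=) (\S+)$")


def parse_choco_outdated(text):
    """Return outdated Chocolatey packages, skipping pinned ones and the banner/summary lines."""
    pkgs = []
    for line in text.splitlines():
        m = CHOCO_LINE.match(line.strip())
        if not m:
            continue
        name, current, available, pinned = m.groups()
        if pinned == "true":
            continue  # the client pinned this version on purpose; leave it alone
        pkgs.append({"name": name, "current": current, "available": available, "manager": "choco"})
    return pkgs


def parse_brew_outdated(text):
    """Return outdated Homebrew formulae and casks."""
    pkgs = []
    for line in text.splitlines():
        m = BREW_LINE.match(line.strip())
        if m:
            name, current, available = m.groups()
            pkgs.append({"name": name, "current": current, "available": available, "manager": "brew"})
    return pkgs


# Hypothetical automation profiles: the package names each machine class may auto-update.
PROFILES = {
    "workstation": {"googlechrome", "firefox", "zoom", "microsoft-teams", "adobereader", "vlc", "skype"},
    "server": {"7zip"},
}


def plan_upgrades(outdated, profile_name):
    """Keep only the outdated packages the machine's profile allows to be updated automatically."""
    allowed = PROFILES[profile_name]
    return [p for p in outdated if p["name"] in allowed]


def success_report(results):
    """results: (client, machine, package, status) tuples -> per-client attempt counts, rate, failures."""
    report = {}
    for client, machine, package, status in results:
        entry = report.setdefault(client, {"attempted": 0, "succeeded": 0, "failed": []})
        entry["attempted"] += 1
        if status == "ok":
            entry["succeeded"] += 1
        else:
            entry["failed"].append((machine, package, status))
    for entry in report.values():
        entry["rate"] = round(entry["succeeded"] / entry["attempted"], 2)
    return report


# Constructed sample output (shape of the real tools' output, values invented)
CHOCO_OUTPUT = """Chocolatey v0.10.15
Outdated Packages
 Output is package name | current version | available version | pinned?

googlechrome|90.0.4430.212|91.0.4472.77|false
7zip|19.0|21.7|false
zoom|5.6.3|5.6.6|true
adobereader|2021.001.20145|2021.001.20155|false

Chocolatey has determined 4 package(s) are outdated.
"""

BREW_OUTPUT = """python@3.9 (3.9.5) < 3.9.6
firefox (88.0.1) != 89.0
vlc (3.0.12) != 3.0.14
"""

# Constructed results of one automation-profile run across two clients
RUN_RESULTS = [
    ("acme-dental", "ws-alice", "googlechrome", "ok"),
    ("acme-dental", "ws-alice", "adobereader", "ok"),
    ("acme-dental", "ws-bob", "firefox", "ok"),
    ("acme-dental", "ws-bob", "vlc", "failed: download timeout"),
    ("northwind-law", "ws-carol", "googlechrome", "ok"),
]

if __name__ == "__main__":
    outdated = parse_choco_outdated(CHOCO_OUTPUT) + parse_brew_outdated(BREW_OUTPUT)
    for p in plan_upgrades(outdated, "workstation"):
        print(f"{p['manager']}: upgrade {p['name']} {p['current']} -> {p['available']}")
    for client, entry in success_report(RUN_RESULTS).items():
        print(client, f"success rate {entry['rate']:.0%}", "failures:", entry["failed"])
```

Two details matter for the process the post describes: a pinned Chocolatey package is left alone rather than silently upgraded, since a pin usually records a compatibility problem someone already hit, and the report keeps the failure reason per machine, which is the information you need to turn a one-off failure into an automation rule.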

As an MSP, patch management is an essential part of the toolkit. Your customers are relying on you to keep track of patches, fix vulnerabilities fast, and take the operational responsibility off their own business so they can focus on adding core value. 

Would IT Automation Profiles make your patch management processes easier and more streamlined as an MSP? Start your free trial and give it a go.