An Eye on the Patch

Security patch and vulnerability management part of necessary response times for secure enterprise networks

With the ever-closing window between security vulnerability discovery and exploits in the wild, most organizations are poorly prepared for rapid response times needed to secure enterprise networks. In 2005, the industry average was 30 days for IT administrators to fully deploy a new critical security patch. Reaching every single system in the network with a scheduled update is hard enough -- now zero-day exploits are becoming increasingly more prevalent making out-of-cycle patching an imperative for most organizations. While the WMF vulnerability was the first time that Microsoft broke the "Patch Tuesday" cycle, given that there was a similar issue in November 2005, it is clear that the industry can expect to see more zero-day security threats, which will be nearly impossible to mitigate unless a clearly defined process has been implemented correctly.

While the WMF vulnerability was the first time that Microsoft broke the "Patch Tuesday" cycle, given that there was a similar issue in November 2005, it is clear that the industry can expect to see more zero-day security threats, which will be nearly impossible to mitigate unless a clearly defined process has been implemented correctly.

So why aren't businesses catching onto security patch and vulnerability management best practices? The bottom line is that many IT teams do not have the resources or time to implement the relevant patches and assess that each one has been deployed across an entire network successfully.

Best Practices Approach
In order for businesses to fully understand patching, it is essential that they must first assess the possible risk areas of the network. The IT team should know what the potential vulnerabilities are, where those vulnerabilities are and how important it is to the business that the vulnerabilities are fixed. This means an in depth study of all of a company's IT assets. When the company knows what systems it has and where these are situated within the network, it can check the vulnerability status in each piece of firmware and software.

It also is important to establish which network systems are mission-critical, which should be patched first and which need constant patch maintenance. As an example, some retailers may not apply patches in November and December because these are the busiest times of the year, and the risk of downtime caused by new software is unacceptable. Applying patches carries a risk, and if the patch has not been tested effectively, this can cause a disruption to business services. Applying a patch that does not suit the environment can result in a critical server failure, or at a minimum, possible loss of critical data.

For most businesses, even those with security patch management solutions in place, patching everything right away is not an option. New vendor patches have been known to induce instability in software and operating systems, so the maintenance should be bite-sized. That way IT staff do not get overwhelmed with the task of deploying monthly updates. The IT team has to be able to cope with the work in progress and have the capacity to address any issues that arise during the patching process.

Companies will need to prioritize the deployment of patches across the network. The most-direct approach is to deal first with the systems that are most prone to attack or hacking -- such as e-commerce systems, e-mail systems and critical business applications. Then move down the food chain to non-critical systems. It's important to factor in timing of maintenance, too. For example, those systems used by office staff should ideally be patched after hours.

Patch Deployment
The best practices-based approach employs a test-then-deploy cycle that is executed against increasing large or critical sets of servers or desktops. A manual approach to deploying patches can be more costly and can more likely fail to properly mitigate the risk of unpatched systems.

Staged deployments are essentially, based on the user-defined groups versus other technologies that require an all-or-nothing approach. This allows businesses to implement testing and take full advantage of accelerated and automated deployments.

However, testing of each patch is absolutely vital. Automatically triggered security patches are not desirable or even recommended. Products that offer an all-or-nothing approach are very risky and should be avoided. Even the best patches from the most reputable vendors have not been tested in every possible environment. The only time where automatic patch enforcement can be used is when an organization maintains a security baseline of known working patches.

Relying on any sort of tool that automates business decisions is risky. However, relying on manual testing and patching processes represents a much greater level of risk. Staged testing can mitigate the risks of automated patching. There are almost no options to mitigate the risks associated with not patching. A best practices approach aligns with the use of automated tools. However, the owner of the systems is the one who ultimately makes the final decision on when and how patches are deployed. Temporary isolation may be the only effective mitigation technique if a mission-critical system is not able to accept the new patches to be deployed.

Integrated Strategy
A patch management solution that centralizes and automates the task of distribution and application allows IT teams to make patching an integral part of their overall security management strategy. This alleviates the need for a management-initiated, panic reaction to address the latest vulnerabilities or piece of malware, which can lead to a time consuming and ineffective scramble for a solution.

Providing a unified view for managing all products in an integrated security console will enhance administrative productivity for IT teams, as well as lessening the overall complexity and costs associated with the task of patch remediation.

Dedicated patch and vulnerability management software and services can take away the burden of patch deployment and management -- if the right solution has been chosen. Some patch and vulnerability management solution vendors also will test and authenticate patches before making them available, which help reduce an IT workload even more.

Effective Management
Organizations that invest in complex and expensive network systems can find that these systems are rendered useless if something as simple as patching is not managed effectively. Hackers continue to use worms, viruses and spyware to exploit known vulnerabilities on unpatched systems, resulting in costly network downtime and considerable administrative resource and expense to repair.

Moreover, as the trend continues in enterprise networking for the convergence of voice, video and data onto a single network, the implications of downtime due to a compromised network become more far-reaching. Unpatched critical applications, such as telephony, are now vulnerable to malicious attack with potentially disastrous consequences for an organization's data. This is in addition to having a negative affect on the productivity of staff.

Patching is only one element of an overall security program. However, it does make a pivotal contribution to reducing the myriad of vulnerabilities and their resulting exploits. It also helps to resolve issues arising from spyware and malware. By establishing the correct procedures and process for patch management, companies can ensure they are less likely to fall victim to network attacks.

Featured

  • The Business Case for Video Analytics: Understanding the Real ROI

    For security professionals who may be hesitant to invest in video analytics, now's the time to reconsider. In a newly released Omdia report commissioned by BriefCam (now Milestone Systems), the research firm uncovered a compelling story: more than 85% of North American and European organizations that use video analytics achieve a return on investment within just one year. The study, which surveyed 140 end users across multiple industries, demonstrates that security technology is no longer just for security — it's a cross-organizational tool that delivers measurable business value far beyond traditional safety applications. Read Now

  • Survey: 54% of Organizations Cite Technical Debt as Top Hurdle to Identity System Modernization

    Modernizing identity systems is proving difficult for organizations due to two key challenges: decades of accumulated Identity and Access Management (IAM) technical debt and the complexity of managing access across multiple identity providers (IDPs). These findings come from the new Strata Identity-commissioned report, State of Multi-Cloud Identity: Insights and Trends for 2025. The report, based on survey data from the Cloud Security Alliance (CSA), highlights trends and challenges in securing cloud environments. The CSA is the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Study: Only 35 Percent of Companies Include Cybersecurity Teams When Implementing AI

    Only 35 percent of cybersecurity professionals or teams are involved in the development of policy governing the use of AI technology in their enterprise, and nearly half (45 percent) report no involvement in the development, onboarding, or implementation of AI solutions, according to the recently released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now

  • New Report Series Highlights E-Commerce Threats, Fraud Against Retailers

    Trustwave, a cybersecurity and managed security services provider, recently released a series of reports detailing the threats facing the retail sector, marking the second year of its ongoing research into these critical security issues. Read Now

Featured Cybersecurity

Webinars

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3