Patch Management

Patching is central to maintaining a good cyber posture for your organisation. NCSC Cyber Essentials mandates monthly patching at the very least, so that as new bugs and vulnerabilities are found they can be protected or mitigated against.

Patching is defined by the NCSC as: applying updates to devices or software to improve security and/or enhance functionality. Read our blog on CVEs for more details.

Gartner believes that 99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.

https://www.gartner.com/smarterwithgartner/focus-on-the-biggest-security-threats-not-the-most-publicized/, accessed on 17/09/2020.

Manual Patching Versus Automated Patching

Is it worthwhile investing in automated Patch Management tools, and, while they are ‘automated’, are these tools plug-and-play? The answer is a ‘yes but, no but’ situation.

Because patching encompasses all of your information systems, it will necessarily reflect the complexity of your organisation. The more complex the organisation, the less likely you are to have a plug-and-play system.

The main costs of Patching, in order, are as follows:

  • Time (BAU hours or Overtime out of hours, more commonly the latter)
  • License (where you need to pay to be able to access a vendor’s updates, e.g. Accounting software)
  • Expertise (where the patching is so materially complex that consultants are needed to manage it)

N.B. Expertise is counted last because it can be trained or documented; while expensive in the short term, it is not a major barrier to good Patching provided an organisation can afford an expert’s time.

Putting this caveat aside, how can we make this easier and cheaper for organisations of all sizes?

SMEs

Small and Medium Size organisations with limited budgets have a range of tools available to help simplify routine patching. We recommend automating where you can: it improves consistency and saves time and money.

As such, here is a list of vendors that offer automation tooling:

We are very fond of Panda Security; needless to say, many vendors in friendly competition with Panda will also have Patch Management tools available. Their add-on integrates with your existing antivirus, so it is a one-click add-on which can patch operating systems (e.g. Windows) and applications from more than 170 software vendors.

Ansible is an Open Source automation tool which can automate everything in an organisation’s information systems, from firewalls and network switches to application updates on practically any system. It does take expertise to configure, but is an excellent toolset nonetheless with no upfront cost.

Ansible does run on Windows and Linux systems exceptionally well and can be used to deploy entire datacentres in minutes/hours – not months, weeks, or days.

Even if an organisation does not wish to purchase Ansible Tower from Red Hat, investing in ‘vanilla’ Ansible or AWX (in terms of Time) is highly recommended.
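As an added example (not code from the original post, from Panda, or from the Ansible project), here is a minimal Ansible playbook for the kind of monthly patch run described above across a mixed Linux and Windows estate; the inventory group names linux_debian, linux_rhel and windows are assumptions, and the "reboot RHEL hosts whenever anything changed" rule is a deliberate simplification.

```yaml
---
# Added example (not from the original post): a minimal patch run for a mixed
# estate. Assumed inventory groups: linux_debian, linux_rhel, windows.
- name: Patch Debian/Ubuntu hosts
  hosts: linux_debian
  become: true
  serial: "25%"            # patch a quarter of the group at a time
  tasks:
    - name: Apply all available updates
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
    - name: Check whether the update needs a reboot
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_flag
    - name: Reboot only when the OS asks for it
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: reboot_flag.stat.exists

- name: Patch RHEL-family hosts
  hosts: linux_rhel
  become: true
  serial: "25%"
  tasks:
    - name: Apply all available updates
      ansible.builtin.dnf:
        name: "*"
        state: latest
      register: dnf_result
    - name: Reboot if anything changed (simplified rule; assumption)
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: dnf_result.changed

- name: Patch Windows hosts
  hosts: windows
  serial: "25%"
  tasks:
    - name: Install security and critical updates, rebooting as required
      ansible.windows.win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        reboot: true
        reboot_timeout: 1200
      register: win_result
```

Running it with `--check` first shows which hosts would change without applying anything, which is a cheap way to rehearse a maintenance window.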

Medium and Large Organisations

When running systems that are increasingly critical, both in your office (on-premises) and in the ‘Cloud’, Red Hat Ansible Tower is a good choice because Red Hat are:

  • Used to deploying mission critical systems such as with the British Army
  • Vendor Neutral – so whether you use AWS, IBM, Google, Dell, or any Cloud as you grow you can do so without having to think about unexpected costs borne from vendor lock-in

Does Patching really matter?

As an IT Consultancy that specialises in working with Legal, Professional Services, and Creative organisations we would of course say yes.

Yes it does cost money to keep Patching consistently, but Gartner believe that 99% of security breaches are as a result of KNOWN vulnerabilities.

Most cyberattacks are not ‘targeted’ in any meaningful sense: when one walks into a pond by mistake, the pond hasn’t targeted you in particular, nor has the rain or the planet. But it does happen, and when a cyberattack happens it costs money.

We hope this has helped to illustrate the importance of good Patch Management on your information systems, and if you have questions, queries, or simply wish to talk tech, you can always chat with us to find out more.