What’s a company to do?
Companies need to take an enterprise-wide approach to security assessment: evaluate internal patch management processes, understand the potential risk to network systems and data, and ultimately adopt a proactive approach to patch management. New tools are available to help companies of all sizes eliminate many of the manual aspects of security patch management. They let IT professionals automate the time-consuming parts of patch management and provide key features designed to help workers better understand, test, deploy and validate the right patches in the amount of time required.
The most effective patch management software should provide a straightforward approach to patch scanning and remediation, ensuring accurate, secure processes that can protect every computer within the enterprise. Important features to look for include: automatic or scheduled installation of missing patches, the ability to roll back or uninstall patches, knowledge about the patches, including the vulnerability severity and links to third-party information about the issue, and summary reports for executive reporting.
A good patch management software package should also include a shared back-end database to facilitate collaboration and patch management tracking to compare progress against existing enterprise-security initiatives. Such features are important because the first step in the patch process often requires wading through ad-hoc releases, service packs and temporary fixes, to determine what patches are applicable to the enterprise.
After needed patches are identified, a relatively easy set of steps helps ensure that the patch process benefits the enterprise, and doesn’t cause more harm than good:
1. Patch Testing – Once a patch is identified, it must be tested to evaluate the potential impact on a particular computing environment. Installing the patches to a control group and subjecting them to normal use prior to deployment is one option.
2. Scan and Assess – Because computing environments are complex and dynamic, simply knowing that a patch is likely needed somewhere in the enterprise provides little conclusive evidence as to exactly where holes still remain. To identify such holes, systems need to be scanned and assessed, identifying all systems that require patches while excepting systems that need to be left alone.
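The two steps above can be sketched as a small assessment pass. This is an added example, not code from the article or from any patch management product; the patch IDs, host names, groups and exemption reason are constructed sample data.

```python
from collections import Counter

SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2}

# Constructed sample data: patch ids, host names and groups are hypothetical.
PATCHES = {  # patch id -> (vulnerability severity, platforms it applies to)
    "PATCH-001": ("critical", {"windows"}),
    "PATCH-002": ("moderate", {"windows", "linux"}),
    "PATCH-003": ("important", {"linux"}),
}
INVENTORY = [
    {"host": "ws-01", "platform": "windows", "installed": {"PATCH-002"}, "group": "control"},
    {"host": "ws-02", "platform": "windows", "installed": set(), "group": "production"},
    {"host": "db-01", "platform": "linux", "installed": {"PATCH-002"}, "group": "production"},
    {"host": "plc-gw", "platform": "windows", "installed": set(), "group": "production"},
]
EXEMPT = {"plc-gw": "vendor-certified image, must be left alone"}

def assess(inventory, patches, exempt):
    """Return (work, skipped): missing patches per host, worst severity first."""
    work, skipped = {}, {}
    for system in inventory:
        missing = sorted(
            (pid for pid, (_, platforms) in patches.items()
             if system["platform"] in platforms and pid not in system["installed"]),
            key=lambda pid: SEVERITY_RANK[patches[pid][0]])
        if not missing:
            continue
        if system["host"] in exempt:
            # Left alone on purpose, but the open holes stay visible in the report.
            skipped[system["host"]] = (exempt[system["host"]], missing)
        else:
            work[system["host"]] = missing
    return work, skipped

def deployment_order(work, inventory, patches):
    """Control-group hosts first (patch testing), then by worst missing severity."""
    group = {s["host"]: s["group"] for s in inventory}
    return sorted(work, key=lambda h: (group[h] != "control",
                                       SEVERITY_RANK[patches[work[h][0]][0]]))

def summary(work, patches):
    """Count outstanding patch installs per severity for the executive report."""
    return Counter(patches[pid][0] for missing in work.values() for pid in missing)

if __name__ == "__main__":
    work, skipped = assess(INVENTORY, PATCHES, EXEMPT)
    for host in deployment_order(work, INVENTORY, PATCHES):
        print(host, work[host])
    print("exempt:", skipped)
    print("summary:", dict(summary(work, PATCHES)))
```

Exempted systems are reported together with the patches they still lack, so the decision to leave them alone remains a tracked risk.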