
Why is patch management still so hard to get right?


Every year, there are thousands of new updates released for operating systems and applications. All these updates must be applied in a timely manner to avoid potential security incidents. 

Unfortunately, they are not. Many smaller businesses don’t see the risks as readily, while some don’t have the tools to track how well they are doing over time or to push their users to take action. To improve this situation, we have to look at what holds up the patching process and how we can streamline it in future.

Even when patching is something that teams take seriously, getting updates out can be difficult. Currently, patching software takes about 28 days on average, based on research by the Ponemon Institute.

The United States Department of Homeland Security has stated that critical vulnerabilities must be remediated within 15 calendar days of initial detection, while vulnerabilities rated as high severity should be fixed within 30 calendar days of initial detection. Similarly, in the UK, the Cyber Essentials security compliance program asks for all critical and high severity vulnerabilities to be patched within 14 days.

However, meeting these targets will be an uphill battle. Companies face challenges in getting patches out so they can secure their IT assets and applications against attack. New approaches to automation, managing deployments and tracking compliance are needed.

What are the hold-ups?

So we know the risks, and we know the timescales that we are being asked to meet. What stops us from meeting those deadlines?

The first hurdle to overcome is that IT resources - in other words, people - are limited, and those people oversee multiple technology systems and tools. Smaller companies tend to have smaller staff or part-time resources to call on, and may have limited domain expertise.

Rather than the homogeneous IT estates of yesteryear, IT teams now normally have a mix of systems to take care of, including Mac and Windows desktops, cloud services and other assets.

Patch management on Mac can be tricky: users decide when updates are deployed.

This makes patch management more difficult, as there are more platforms to take care of. Employees are often distributed or working from anywhere, which can affect the success of rollouts. On Apple macOS, users also control when they approve patches for deployment. This can make deployments harder to manage, as users may not want to download large patches or may not feel comfortable being responsible for applying an update.

Alongside this, it’s important to recognise that patches are not always perfect. IT teams don’t like to push patches automatically without checking them. This usually involves looking at the patch on a few systems and carrying out their own regression tests before manually compiling a patch status report.

This can take some time, particularly if there are lots of updates to look at simultaneously. Once those patches are tested and any incompatibility issues are ruled out, then those updates can be deployed. This process can take days to complete.

Another hold-up to fast patching can be policy. Patching is complex to manage and involves a lot of manual steps. For instance, a rule may have been written when security updates required additional time to carry out, or needed more support from the technology team to put in place. Over time, the reasons for those rules may no longer apply, but the rules will still require specific steps to be followed.

Speeding up patching

To improve patching efficiency, looking at automation can help. This should involve grouping together users that have similar requirements or experience levels.

For instance, you can have one group for machines that will have patches deployed for testing, then a second group for early adopters that are familiar with their applications. Alongside these groups, you can then define a general adoption group that makes up the majority of your users for widespread deployment and a group that may need later deployment for security or compliance reasons. 

By carrying out patching in waves for different user groups, you can make the process easier and more automated.

For the base operating system and security features, patch quickly rather than holding updates back until every application has been tested; this reduces the window in which attacks can affect users. If the threat is large enough, don’t hold back.

Similarly, you should look at your overall application estate and use modern apps wherever possible. This involves a measure of trust in those leading vendors, relying on them to do their job around patching. Applications that are trusted can be listed for automatic updating. This also helps your team focus on legacy apps and carry out more testing around them. Applications like these, particularly ones outside support, are the most at risk, so phase them out over time if possible.

Lastly, you can improve efficiency by consolidating patch data for reporting across multiple services and platforms. This can remove some of the manual work that is currently needed in many teams when dealing with multiple platforms such as Windows and macOS devices side by side. Automating this reporting around patch rollout shows which deployments have completed successfully, so you can direct any follow-up efforts where they will have the most impact and troubleshoot any problems that come up during deployment.
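As an added example (not code from the article or from JumpCloud), the following Python models the staged rollout rings described above and a consolidated, per-platform compliance report against the remediation windows quoted earlier (15 and 30 calendar days for critical and high under the US guidance, 14 days for Cyber Essentials). The host names, dates and findings are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows quoted in the article, in calendar days from detection.
SLA_DAYS = {
    "dhs": {"critical": 15, "high": 30},
    "cyber_essentials": {"critical": 14, "high": 14},
}
# Rollout rings in the order the article describes them.
RINGS = ["test", "early_adopters", "general", "deferred"]

@dataclass
class Finding:
    host: str
    platform: str        # e.g. "windows" or "macos"
    severity: str        # "critical" or "high"
    detected: date
    ring: str            # rollout ring the host belongs to
    patched: date = None  # None while the patch is still outstanding

def is_overdue(f, framework, today):
    """Still open past the deadline, or closed after it: both breach the SLA."""
    due = f.detected + timedelta(days=SLA_DAYS[framework][f.severity])
    return (f.patched or today) > due

def next_ring(findings):
    """Rings advance in order; a ring is reached only once every earlier ring
    has no unpatched hosts left. Returns None when everything is patched."""
    for ring in RINGS:
        if any(f.ring == ring and f.patched is None for f in findings):
            return ring
    return None

def compliance_report(findings, framework, today):
    """Consolidated per-platform view: patched, pending and overdue counts."""
    report = {}
    for f in findings:
        row = report.setdefault(f.platform, {"patched": 0, "pending": 0, "overdue": 0})
        row["patched" if f.patched else "pending"] += 1
        row["overdue"] += is_overdue(f, framework, today)
    return report

# Constructed sample data: hosts, dates and findings are invented for illustration.
TODAY = date(2023, 6, 20)
SAMPLE = [
    Finding("win-01", "windows", "critical", date(2023, 6, 1), "test", date(2023, 6, 3)),
    Finding("mac-01", "macos", "critical", date(2023, 6, 1), "early_adopters", date(2023, 6, 18)),
    Finding("win-02", "windows", "high", date(2023, 6, 1), "general"),
    Finding("mac-02", "macos", "critical", date(2023, 6, 1), "general"),
]
```

With the sample data the rollout is waiting on the "general" ring, and the same findings are compliant on the Windows side under the 30-day high-severity window but not under the 14-day Cyber Essentials window.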

One approach that helps here is integrating patch management with device management and authentication. User identity already governs which applications users can access, so it complements patch management by showing which services users have deployed. This can simplify things for sysadmins, particularly in remote-work scenarios where users are at home or work in a hybrid fashion, as patching can be managed as part of an integrated access policy.

In the next month, there will be dozens of new patches made available by the likes of Microsoft and Adobe for their applications. Other software providers will release their own updates to deal with security issues. Building on your existing patch process can help take some of the pain out of these releases and help reduce risk. At the same time, this frees up your team to provide better service to the business.

Greg Armanini

Greg Armanini is Senior Director Product Management at cloud directory platform company JumpCloud, where he is responsible for product development around identity management, device management and security. He has more than twenty years’ experience of product management and development at companies including VMware, Yahoo and Zimbra.
