
Security Think Tank: Focus on high risk by automating low-risk patching

How should organisations address the need to keep software up to date with security patches without it costing too much or being too labour intensive?

Many organisations are facing the challenge of how to keep software up to date with security patches in the wake of the WannaCry attacks.

What if I told you there was a simple answer to this question, one that would improve the security of a vast number of organisations in the UK? Simply leave your operating systems on their default settings, let them apply patches, and move on. That's right: auto-patch. It is more efficient in Windows 10 than ever before.

Make no mistake, that is a bad answer. It leads to unplanned outages. It leaves gaps in third-party software such as Flash and Java, which the operating system's updater does not cover. You do not want to rely on native auto-patching alone. So why mention it? Because, as WannaCry recently demonstrated, managed patching is difficult to get right.

Two-, three- or four-month patching cycles are common, where patches are applied at all. Organisations that cannot get it right end up spending more effort managing their backlog than they spend testing the new patches that keep adding to it. This advice is for them.

If you find yourself in that situation, think about how to get out of it. Consider investing in a cheap, lightweight patching tool, even if it only ticks six of ten boxes. It is good enough as long as it applies critical patches across the estate within a reasonable time, even if you cannot control exactly when or what it applies.

Use it to patch assets where a little patching downtime is acceptable, such as user workstations and support services. You can then focus your patch management regime on your business-critical assets and leave the tool to do the labour-intensive work. There will be gaps, but you will probably be miles better off than where you were.

Once you have done that, you have completed the first step. Now continue. Segment your assets, ideally using established risk sensitivity profiles, to identify what is most critical to the business. Focus on the critical assets you could never patch before: refine your managed patch process around them, and let lower priority assets be auto-patched.


Once you have patched your core services reliably for the first time in years, expand the programme based on business input. Keep expanding, reducing the overhead as asset sensitivity decreases. In the end, you may not have the resources to patch everything through a managed, multi-stage rollout.
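The segmentation described above can be made concrete as a small triage script. The following is an added example, not code from the original article or from any particular patching tool: it takes an inventory of assets with a risk sensitivity tier, exposure and downtime tolerance, assigns each to either an automated ring (the lightweight tool) or a managed ring (tested, staged rollout), and reports which assets have fallen outside their patching window. The inventory, the tier numbers and the window lengths (7, 14 and 30 days) are constructed assumptions for illustration; real values come from your own risk profiles.

```python
"""Risk-based patch ring assignment and backlog report (illustrative example)."""
from dataclasses import dataclass
from datetime import date

AUTO = "auto"        # lightweight tool / OS auto-update, no change window
MANAGED = "managed"  # tested, staged rollout inside a change window


@dataclass(frozen=True)
class Asset:
    name: str
    role: str
    sensitivity: int           # assumed scale: 1 = low ... 4 = critical
    internet_exposed: bool
    tolerates_downtime: bool   # can an unplanned reboot be absorbed?
    last_patched: date


def assign_ring(asset: Asset) -> str:
    """Business-critical or downtime-intolerant assets need a managed rollout;
    everything else is left to the automated tool."""
    if asset.sensitivity >= 3 or not asset.tolerates_downtime:
        return MANAGED
    return AUTO


def patch_window_days(asset: Asset) -> int:
    """Maximum age of the last applied patch set before the asset counts as backlog.
    The day counts are assumptions chosen for this example."""
    ring = assign_ring(asset)
    if ring == MANAGED and asset.internet_exposed:
        return 14   # critical and reachable from outside: tightest window
    if ring == MANAGED:
        return 30   # critical but internal: room for a staged rollout
    return 7        # auto-patched assets should be current within a week


def ring_counts(assets) -> dict:
    """How many assets land in each ring; shows where the labour goes."""
    counts = {AUTO: 0, MANAGED: 0}
    for a in assets:
        counts[assign_ring(a)] += 1
    return counts


def backlog(assets, today: date) -> list:
    """(name, ring, days overdue) for every asset outside its window,
    managed-ring assets first, then most overdue first within each ring."""
    overdue = []
    for a in assets:
        age = (today - a.last_patched).days
        window = patch_window_days(a)
        if age > window:
            overdue.append((a.name, assign_ring(a), age - window))
    return sorted(overdue, key=lambda t: (t[1] != MANAGED, -t[2]))


# Constructed sample inventory; the date is fixed so the report is reproducible.
TODAY = date(2017, 6, 1)
INVENTORY = [
    Asset("ws-01", "workstation", 1, False, True, date(2017, 5, 29)),
    Asset("ws-02", "workstation", 1, False, True, date(2017, 3, 1)),
    Asset("fileshare-01", "support service", 2, False, True, date(2017, 5, 10)),
    Asset("web-01", "public web server", 3, True, False, date(2017, 4, 15)),
    Asset("dc-01", "domain controller", 4, False, False, date(2017, 5, 20)),
    Asset("build-01", "build server", 2, False, False, date(2017, 1, 10)),
]

if __name__ == "__main__":
    print("rings:", ring_counts(INVENTORY))
    for name, ring, days in backlog(INVENTORY, TODAY):
        print(f"{name:14} {ring:8} {days:4d} days overdue")
```

Note that build-01 ends up in the managed ring despite a modest sensitivity tier purely because it cannot tolerate an unplanned reboot; downtime tolerance, not just sensitivity, decides whether the lightweight tool is safe to use. The report orders managed-ring items first because those are the ones the remaining human effort should go to, while the auto-ring items are the tool's job to catch up on.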

You will, however, have focused your efforts on your critical assets and given your general-purpose assets a more consistent patch level than they have ever had before. The only way from there is up.
