Patch management best practices ebook

Patch management is a term familiar to everyone working in endpoint security. While adding “automation” to it might make it seem like just one among thousands of other automated tasks, cybersecurity experts have been going gung ho over it in the last few years.

If you’re reading this, it probably doesn’t make sense to explain to you what patch management automation or automated patch management is. What’s actually important for you to understand is how patch management automation impacts your enterprise, and whether it is really worth it.

We’ve come a long way from where we began…

Patch management today is a quintessential prerequisite for combating software vulnerabilities, malware, or ransomware. However, a couple of decades ago patch management was considered to be a task in the IT admin’s portfolio, rather than that of the cybersecurity administrator.

Things changed in 2001, with the discovery of a computer worm called Code Red. This was the first mixed-threat attack that targeted enterprise networks. Within a week it infected 359,000 hosts and had soon spread across the world.

This was the beginning. From then on, Microsoft started issuing patches to mitigate vulnerabilities and loopholes in its software.

Fast-forward to the next decade, and the cybersecurity domain witnessed an explosion of threat groups, software vulnerabilities, zero-day exploits, and ransomware. From the RSA breach in 2011 to WannaCry and NotPetya in 2017, and eventually Follina last year, enterprise network security has always been just a patch away.

In addition, with over 100,000 vulnerabilities discovered in that time frame, patch management soon became a fundamental step in securing enterprise networks from vulnerabilities.

2015: Enter automation 

As an enterprise grows, so does its cyber footprint. Unfortunately, the rise in vulnerabilities has outpaced even that growth. With thousands of vulnerabilities and hundreds of machines to patch, it was time to cut out the manual effort.

On March 28th, 2012, a patent was filed by International Business Machines Corp on End-to-end patch automation and integration. The patent abstract states:

“A method of automating patching of a computer system includes determining whether a computer patch is available for a computer system of a customer, determining a patch management policy of the customer, determining a patch window of the customer based on the determined patch management policy, and directing the application of the computer patch to the computer system at the determined patch window.”

Patch management automation patent

After a few years of incremental updates and research, the patent was finally published on March 3rd, 2015, and has been active since. In the following few years, enterprises specializing in cybersecurity solutions began developing patch management tools that also included the capability to automate the patching process.

Benefits of automating patch management 

In most patch management solutions available today, automated patch deployment is a key component. With the widespread use of this functionality worldwide, let’s have a brief look at how organizations are leveraging it:

• Reducing patching cadence

Patching cadence refers to the time an organization takes to test patches and deploy them to the required systems. While stats suggest the average mean time to remediate critical vulnerabilities is 60 days, this can be reduced further with automated patching.

The presence of an automated patch testing process will ensure that the patches are safe to be deployed to the systems. As a next step, the automated deployment workflow would seamlessly deploy the patches to the required machines.

This entirely automated workflow would prevent time loss which is crucial in combating critical vulnerabilities and zero-day exploits.

• PCI DSS 4.0 compliance

Regulatory guidelines such as the PCI DSS require enterprises to achieve a certain level of compliance. Requirement 5 of PCI DSS 4.0 elaborates on how enterprises should “Maintain a Vulnerability Management Program.”

PCI DSS 4.0 requirements

While most of these requirements can be fulfilled by a solution that specializes in unified endpoint management and security, automation in patching acts as the cherry on top if you are specifically using a patch management solution.

This recurring functionality automatically scans the network to detect malware and deploys the required patches.

• Limiting human errors

In an enterprise with a multitude of systems, the sheer number of patches released every month would surely be in the hundreds. From varied operating systems to third-party applications, every system serves different requirements and thus has a different set of applications installed.

Now imagine what happens when a critical patch needs to be applied to eliminate a zero-day or high-severity vulnerability. Testing the patches and then manually applying them on all the systems itself would be a herculean task.

And what if one or a few systems are missed? It goes without saying that this would be a sure-shot way to compromise network security. To that end, another perk of automated patching is that it can limit human errors. 

  • Enhanced security

While it’s a universal truth that critical and high-severity vulnerabilities should be patched as soon as possible, vulnerabilities with lower severities can also prove to be a grave threat to a network’s security in the long run.

An automated workflow would ensure that these vulnerabilities are patched based on regular cycles. In addition, automated patching ensures the software would also be up-to-date whenever the latest updates are released.

But is automated patching all about these benefits?

While it’s undeniable that automating the patch management process will provide enterprises with the edge they need to be on top of vulnerabilities, there are also a few prevalent doubts related to its efficacy.

• End-user disruption: Is this still a thing?

One of the major concerns about automated patching is disruption for the end users. With patches being deployed automatically, the question is, would the users in the enterprise be able to save their work before the system or application gets updated?

While this would have been a genuine concern a few years back, the case isn’t so anymore. Today, patch management solutions provide admins with advanced functionalities that enable them to tailor a patch deployment as per their enterprise’s needs.

This means admins can choose to provide the end users with the option to skip or postpone the patch deployments (in case they are held up with critical tasks). Not just that, the admins are also presented with the capability of deploying these patches to the unpatched systems after a specific number of days from the date of skipping.
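The deferral behaviour just described, together with the policy-to-patch-window sequence in the patent abstract quoted earlier, can be written out as a small decision routine. The following is an added example, not code from Patch Manager Plus or from the patent: the severity names, the number of allowed skips, the "install after N days from the first skip" thresholds, the 22:00 to 04:00 maintenance window and the patch identifiers are all constructed assumptions chosen to illustrate the workflow.

```python
"""Added example: a minimal patch-deferral and maintenance-window policy."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass
class PatchPolicy:
    # How many times a user may postpone a patch, keyed by severity (assumed values)
    max_deferrals: dict
    # Days after the first postponement after which the patch is installed regardless
    force_after_days: dict
    # Daily maintenance window in which unattended installs are allowed (assumed)
    window_start: time = time(22, 0)
    window_end: time = time(4, 0)


@dataclass
class PatchState:
    patch_id: str
    severity: str
    deferrals: int = 0                          # skips the user has already used
    first_deferred: Optional[datetime] = None   # starts the "N days from skipping" clock


def in_window(policy: PatchPolicy, now: datetime) -> bool:
    """True if `now` lies inside the maintenance window (handles a window crossing midnight)."""
    t = now.time()
    if policy.window_start <= policy.window_end:
        return policy.window_start <= t < policy.window_end
    return t >= policy.window_start or t < policy.window_end


def decide(policy: PatchPolicy, state: PatchState, now: datetime, user_defers: bool) -> str:
    """Return 'deploy_now', 'deferred' or 'wait_for_window' for one patch prompt."""
    # 1. Grace period exhausted: install regardless of the window or the user's wish.
    if state.first_deferred is not None:
        deadline = state.first_deferred + timedelta(days=policy.force_after_days[state.severity])
        if now >= deadline:
            return "deploy_now"
    # 2. The user accepted the prompt, so install immediately.
    if not user_defers:
        return "deploy_now"
    # 3. The user wants to postpone and still has skips left under the policy.
    if state.deferrals < policy.max_deferrals[state.severity]:
        if state.first_deferred is None:
            state.first_deferred = now
        state.deferrals += 1
        return "deferred"
    # 4. No skips left: install unattended in the next maintenance window.
    return "deploy_now" if in_window(policy, now) else "wait_for_window"


def simulate(policy: PatchPolicy, state: PatchState, events) -> list:
    """Replay a list of (timestamp, user_wants_to_defer) prompts and collect the decisions."""
    return [decide(policy, state, now, defers) for now, defers in events]


# Constructed policy: critical patches get one skip and two days; low ones five skips and two weeks.
EXAMPLE_POLICY = PatchPolicy(
    max_deferrals={"critical": 1, "low": 5},
    force_after_days={"critical": 2, "low": 14},
)


def run_example() -> list:
    """A user skips once, runs out of skips, then the patch lands in the night window."""
    state = PatchState("PATCH-EXAMPLE-001", "critical")   # constructed identifier
    events = [
        (datetime(2024, 1, 1, 9, 0), True),    # skip -> deferred, clock starts
        (datetime(2024, 1, 1, 15, 0), True),   # no skips left, outside window -> wait
        (datetime(2024, 1, 1, 23, 0), True),   # inside window -> unattended install
    ]
    return simulate(EXAMPLE_POLICY, state, events)


def run_forced_example() -> list:
    """Two days after the first skip the patch is applied even during working hours."""
    state = PatchState("PATCH-EXAMPLE-002", "critical")   # constructed identifier
    events = [
        (datetime(2024, 1, 1, 9, 0), True),    # deferred
        (datetime(2024, 1, 3, 9, 0), True),    # deadline reached -> forced deploy
    ]
    return simulate(EXAMPLE_POLICY, state, events)


if __name__ == "__main__":
    print(run_example())          # ['deferred', 'wait_for_window', 'deploy_now']
    print(run_forced_example())   # ['deferred', 'deploy_now']
```

The ordering of the checks is the security-relevant part: the forced deadline is evaluated before the user's choice, so a postponement can never push a critical patch past the period the policy allows, while lower-severity patches get a longer grace period and more skips.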

  • (Un)Planned downtime

For business-critical machines, planning downtime is difficult, and we can all agree to that. Another prevalent concern is that automated patch deployment can cause unforeseen downtime in certain systems.

But can this be prevented? The answer is yes!

For such critical systems where downtime is hard to pre-plan, admins can deploy the required patches directly using a Self Service Portal. This would enable the admins to install the required patches based on their own schedule, i.e. whenever downtime can be planned without creating a ripple in the business productivity or user experience.

• What if the patches affect system performance?

Patches, once installed, can sometimes cause anomalies in systems and thus affect productivity. While a patch testing workflow limits this to a great extent, uninstalling or rolling back problematic patches can also arrest the issues immediately.

The verdict? 

While automation of the patch management workflow undoubtedly has its benefits, there are also prevalent concerns regarding its efficacy. However, as we saw above, most modern-day patch management solutions such as Patch Manager Plus have countermeasures in place to negate any possible downsides.

Therefore it can be safely concluded that patch management automation is worth the hype provided the patching solution has functionalities to ensure that the productivity of end users is always out of harm’s way.

Anupam Kundu
Product Specialist at ManageEngine