Patching different releases on your systems is a lot of work. Discover how patch management will facilitate your work.
There is a solution, but it takes time...
As we all know, patching the different releases on all your systems, is a lot of work, besides if you want to do it correctly, the patches must be tested on a test environment before deploying them in production. But today, a lot of cyberattacks are targeting unpatched systems.
There are a lot of known vulnerabilities on different systems and applications. Different attacks will use these vulnerabilities to infect your systems with; for example; a ransomware.
Imagine your production environment gets infected with a cryptolocker (type of ransomware used to encrypt your files) and that you can't deliver services or supply goods during several days.... This will cost you a lot of money, not even considering your reputational loss...
There is only one solution
=> Patch your environment correctly! Patching all the systems demands indeed a lot of effort.
First
You need to check which patches are released, this can be done by checking the vendor websites, RSS feeds, twitter, mailing lists, ...
Secondly
Not all systems can be updated at the same moment
Thirdly
Some systems can't be patched during the business hours and eventually, if you use a test environment, the work must be done twice.
Imagine doing this on a recurring basis...
OR NOT...
What if there is a system that all of this would do for you?!
Imagine a system where you can schedule all patches, deploy them with minimal (to no) interaction and roll-back functionalities with an integrated compatibility check and reporting. What more to ask?!
Now let's see how this works...
First you need to know your infrastructure:
- What is your bandwith?
- How many sites do you have?
- Where is your internet break-out?
Based on the answers to questions above, you will be able to define if you will use a central repository or not.
Secondly, you will need to define when the updates may be deployed.
With this information, you will be able to choose what tool you will use to manage the patching automation.
Some tools that can be used:
- WSUS (Microsoft - Free)
- SCCM (Microsoft - licensed)
- xClarity (IBM)
- Puppet
- Ansible Scripting
Most common tools used are WSUS (Windows Server Update Services) & SCCM (System Center Configuration Manager).
The big difference between both is that WSUS is used to manage Microsoft products and SCCM is used to manage a large group of systems running on various operating systems.
With WSUS, you will be able to manage and distribute automatic updates and hotfixes released for Microsoft products .
By using SCCM, you will also be able to distribute automatic updates, hotfixes and manage systems like Windows, Linux, MacOS, etc. You will also be able to perform patch management, deployment of software, remote control, inventory, ...
When all this automation is in place, it's also important to get a status of your environment.
It's an added value to proof (to auditors, management, ...) that your environment is up-to-date and that security is important for you.
Besides, it can also be important to know if the patch management is correctly configured:
Is the patching frequency correctly configured?
Are all systems patched? (Human errors may occur (you may wrongly disable an important system update, ... )
Therefore, it's important to perform regular vulnerability scans on your complete environment to score the health of your infrastructure.
With the use of a correctly configured patch management, together with vulnerability scanning services, you can ensure yourself - and the management (!) - that your infrastructure is correctly patched for the various known vulnerabilities.... and this can save you a lot of money! And between us, that's what we do it for, isn't it? ;)
