4 patch management best practices to keep your clients secure
Patch management is one of the biggest concerns of IT service providers and their clients. As more vulnerabilities are discovered, patch management begins to feel like a full-time job—especially in larger environments.
Developing a patch management strategy can make the practice of updating your clients’ machines a whole lot easier.
Here are four best practices to consider when developing a patch management strategy.
Develop a policy of who, what, when, why, and how for patching systems
The first step in your patch management strategy is to come up with a policy around the entire patching practice. Planning in advance enables you to go from reactive to proactive—anticipating problems in advance and developing policies to handle them.
The right patch management policy will answer the who, what, when, why, and how for when you receive a notification of a critical vulnerability in a client’s software.
Create a process for patch management
Now that you’ve figured out the overall patch management policy, you need to create a process on how to handle each patch as they’re released.
Your patch management policy should be explicit within your security policy, and you should consider Microsoft’s® six-step process when tailoring your own. The steps include:
Notification: You’re alerted about a new patch to eliminate a vulnerability. How you receive the notification depends on which tools you use to keep systems patched and up to date.
Assessment: Based on the patch rating and configuration of your systems, you need to decide which systems need the patch and how quickly they need to be patched to prevent an exploit.
Obtainment: Like the notification, how you receive the patch will depend on the tools you use. They could either be deployed manually or automatically based on your determined policy.
Testing: Before you deploy a patch, you need to test it on a test bed network that simulates your production network. All networks and configurations are different, and Microsoft can’t test for every combination, so you need to test and make sure all your clients’ networks can properly run the patch.
Deployment: Deployment of a patch should only be done after you’ve thoroughly tested it. Even after testing, be careful and don’t apply the patch to all your systems at once. Incrementally apply patches and test the production server after each one to make sure all applications still function properly.
Validation: This final step is often overlooked. Validating that the patch was applied is necessary so you can report on the status to your client and ensure agreed service levels are met.
Be persistent in applying the best practices
For your patch management policies and processes to be effective, you need to be persistent in applying them consistently. With new vulnerabilities and patches appearing almost daily, you need to be vigilant to keep up with all the changes.
Patch management is an ongoing practice. To ensure you’re consistently applying patches, it’s best to follow a series of repeatable, automated practices. These practices include:
- Regular rediscovery of systems that may potentially be affected
- Scanning those systems for vulnerabilities
- Downloading patches and patch definition databases
- Deploying patches to systems that need them
This process is important if you’re doing it yourself, or you could take advantage of a partnership in which a NOC handles this for you. To take the burden off of your technicians, a tool such as ConnectWise Command®, formerly a Continuum solution, automates the patch management process for you and gives you access to fully-capable NOC services. With Windows patch management and 3rd party patching, ConnectWise Command relieves the headache of manually applying patches and gives you the utmost confidence that you're protecting your clients. Plus, automation saves a whole lot of time that can be spent on other projects and revenue-generating tasks.
Take advantage of patching resources
Since the release of Windows 10, updates to the operating system are on a more fluid schedule. Updates and patches are now being released as needed and not on a consistent schedule. You’ll need to let your team know when an applicable update is released to ensure the patch can be tested and deployed as soon as possible.
As the number of vulnerabilities and patches rise, you’ll need to have as much information about them as you can get. There are a few available resources we recommend to augment your patch management process and keep you informed of updates that may fall outside of the scope of Microsoft updates.
Patch management is a fundamental service provided in most managed service provider (MSP) service plans. With these best practices, you’ll be able to develop a patch management strategy to best serve your clients and their specific needs.