Effective Patch Management

We all know, or can guess, what software patches or updates are. Some of us may have had nightmares in which an infamous blue screen appeared, or in which we were fleeing from a kernel panic, after updating or meddling with something that used to work. We all know the saying "if it works, don't touch it". It is repeated a lot in our sector, but we cannot, or rather should not, apply it to every area.

Definition and scope of patch management

A software patch is a piece of code that is used to update programs, operating systems, or the firmware of a device. Its fundamental purposes are:

  • Fixing software errors, in order to reduce vulnerabilities and prevent their exploitation.
  • Correcting functional aspects of a program or system.

Based on their function, we may distinguish different types of patches:

1. Debug patches: Debug patches are released to correct problems detected in the software. These patches help polish the environment and ensure that it works properly.

2. Security patches: Security patches are applied to software to make it safer by fixing any known software vulnerabilities.

3. Update patches: Update patches provide the software with new capabilities or features.

Relationship with the improvement and correction of system functions

Software patches are usually required to troubleshoot existing problems with the software that are detected after the initial release. Many of these patches have to do with security. Others may have to do with specific program features. Patches are also applied to make updates without which it would not be possible to obtain new features in an operating system, program or application.

Importance in the software life cycle

Patch management is not only used to solve problems with particular versions of programs or operating systems; patch management tools also analyze existing programs for possible malfunctions in features, security, or missing updates. Patch management programs can scan systems to establish baseline data, identify available patches and known vulnerabilities, review patches for applicability and OEM approval, design deployment or risk mitigation strategies, execute patch deployment and confirmation, and finally re-establish the baseline.

The main stages of the patch management process are based on:

  • Inventorying devices, operating systems and applications.
  • Deciding which software versions to standardize.
  • Categorizing IT assets and patches by risk and priority.
  • Testing patches in a representative laboratory or testing environment.
  • Running a pilot on a device sample (an optional step).
  • Validating patches to verify what was installed and detect systems that are missing patches.
  • Planning the deployment, including who is responsible for it and which patches should be installed and on which devices.
  • Documenting patches, vulnerabilities, test results, and deployments, which helps analyze and implement improvements.

Advantages of modern patch management strategies

By adopting a proactive strategy for patch and update management, you may strengthen security, improve operational efficiency, and meet regulatory requirements in an ever-evolving digital environment. Current IT trends help manage patches and vulnerabilities: automation (relying on Artificial Intelligence), Service Level Agreements (SLA), scheduled patching, and the integration of development, security and operations (DevSecOps) across the whole software development lifecycle (design, development, testing, deployment and production). The main advantages are:

  • Regulatory and legal compliance: Patch management is essential to ensure and document compliance with security and privacy regulations.
  • Functional improvement and error correction: Patching helps fix design errors, improve software stability, and get rid of issues related to bugs.
  • Customer satisfaction and updated products: Patching can improve performance and is sometimes used to update software so that it works with the latest hardware. This also allows integration with cutting-edge technologies (Artificial Intelligence, Machine Learning, Advanced Analytics, Big Data, etc.).
  • Strengthening security and protection against cyberattacks: Patch management helps keep computers and networks secure, reliable, and up-to-date with features that the organization deems important.

Security patches

A high-profile security case is the Heartbleed bug, a security vulnerability disclosed in April 2014 that allowed hackers to gain access to passwords and personal information. Currently, Heartbleed can still bypass some of the common security protocols for sensitive information in order to collect passwords that may be used to unlock personal resources or trick users into working on fake websites. According to Techopedia, the Heartbleed risk lies in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) system commonly used for Internet sites, where sites use digital certificates to prove their authenticity. An open source tool called OpenSSL is part of the encryption security for these protocols. The Heartbleed error is due to an OpenSSL issue that allows outsiders to read the memory of the host computer. They may also obtain encryption keys, which can be used to cause even more damage to companies that did not apply the patch.

Once the bug was discovered, companies took steps to close the vulnerability. However, patching alone was not enough: websites also had to revoke and replace the keys that might have been exposed before using them to encrypt data, because hackers who had obtained them could keep using them until the website revoked them.
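The validation stage of patch management ("verify what was installed and detect systems that are missing patches") can be illustrated on this very case. The following Python is an added example, not code from the original article or from Pandora FMS: it parses the version strings that `openssl version` prints, as an inventory agent might collect them, and flags hosts still running an affected upstream release. The hostnames and version strings are constructed sample data.

```python
import re
from typing import Dict, NamedTuple, Optional

# Constructed sample output of `openssl version`, as an inventory agent might
# collect it from several hosts. Illustrative only, not real inventory data.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "db-01": "OpenSSL 1.0.1 14 Mar 2012",
    "vpn-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "lb-01": "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "legacy-01": "command not found",
}

# Captures the release series and the optional letter suffix (1.0.1, 1.0.1a, ...).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str  # "" for the first release of a series, then "a", "b", ...


def parse_openssl_version(banner: str) -> Optional[OpenSSLVersion]:
    """Parse the version field of `openssl version` output; None if unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_heartbleed_vulnerable(v: OpenSSLVersion) -> bool:
    """Upstream OpenSSL 1.0.1 through 1.0.1f carried the bug; 1.0.1g fixed it.

    Only the 1.0.1 release series is modelled; pre-release builds of 1.0.2
    are deliberately left out of this check.
    """
    return (v.major, v.minor, v.patch) == (1, 0, 1) and v.letter < "g"


def classify(banner: str) -> str:
    """Classify one host's banner for the patch-validation report."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"  # inventory gap: needs manual follow-up
    if (v.major, v.minor, v.patch) != (1, 0, 1):
        return "not affected"  # other release series never had the bug
    return "vulnerable" if is_heartbleed_vulnerable(v) else "patched"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map every host to vulnerable / patched / not affected / unknown."""
    return {host: classify(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:10s} {status}")
```

Two caveats apply when using a check like this in practice. Linux distributions that backport security fixes keep the old upstream version string (a distribution package may still report 1.0.1e after the fix was applied), so a "vulnerable" verdict from the banner alone is a prompt to confirm against the package changelog or the vendor advisory, not a final answer. And, as the paragraph above notes, a host that reports "patched" is only half remediated until the certificates and keys that were exposed have been revoked and replaced.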

With this example, we see why patch management is on the minds of cybersecurity experts who need to keep systems safe. Basically, patch management is an important part of vulnerability management, a much broader strategy for discovering, prioritizing, and remediating security vulnerabilities in network assets. Patch management corrects identified risks by upgrading the software to the latest version or by temporarily patching it to remove a vulnerability until the software vendor releases an update containing the fix. Undoubtedly, patches play a very specific role in cybersecurity.

Four steps to effective patch management

To achieve effective patch management (drawing also on recommendations from the National Institute of Standards and Technology, NIST), there are four essential steps:

1. System Inventory

Up-to-date software inventories must be established and maintained constantly for physical and virtual computing assets, including Edge Computing and Internet of Things devices. While a complete inventory of all assets (including operating systems, versions, and IP addresses) is ideal, it may be impossible to achieve given how dynamic assets and software are; a realistic goal is to maintain an almost complete inventory by relying on automation to constantly discover new assets and gather up-to-date information on all of them.
Without constant updates, inventories will quickly become obsolete and provide increasingly inaccurate and incomplete information for patching efforts. It is recommended that inventories record:

  • Asset platform type: Operational/Information Technology, IoT, mobile, cloud, Edge Computing.
  • Who manages the asset: the IT department, a third party, an end user, a supplier/manufacturer, or a shared responsibility model.
  • The applications, services, or other mechanisms used to manage the asset: endpoint management, management software, virtual machine manager, container management software.
  • The asset's network connectivity in terms of protocols, frequency/duration and bandwidth.
  • The technical security controls already in place to safeguard the asset.
  • The primary users of the asset or of its interconnected services, and their privileges.

This tells us that constantly updating inventories for all technologies and environments used today requires a combination of automation techniques and tools.

2. Systems Standardization

Patching all your inventory at once comes with risks. For example, to apply a patch, you may need to restart servers that host critical applications, which could lead to downtime. That is why it is good practice to determine the risk level of your inventory, categorize patches into groups (by operating system, version, etc.), and prioritize each group. This allows you to identify which patches are the most critical to apply, which systems they should be applied to, and which patches and systems can wait. It also makes it possible to automate patching in priority order, starting with the most vulnerable systems.

3. Register of security measures and risk assessment

The organization must define response scenarios for the vulnerability risk of the software it uses, preparing for situations such as:

  • Routine patches. This is the standard procedure for patches that are in a regular cycle and have not been escalated to a state of emergency. However, routine patch installation can disrupt operations (e.g. device restarts), so it is often postponed and neglected. This creates opportunities for cybercrime. Also, delaying routine patches makes emergency patching harder, slower and riskier, because earlier patches on which the new one depends must be installed first, as happens with firewalls or antivirus software.
  • Emergency patches. This is the procedure for addressing patching emergencies in a critical situation, such as a severe vulnerability or a vulnerability that is being actively exploited. If one or more of the organization's vulnerable assets have already been compromised, emergency patching may be part of incident response efforts. Emergency patching needs to be handled as efficiently as possible to prevent the imminent exploitation of vulnerable assets.
  • Emergency mitigation. This is the procedure for a crisis situation in which, unlike the scenario above, no patch is yet available and the vulnerability must be temporarily mitigated. Mitigations vary and may or may not need to be reversed later. Sometimes a patch itself is flawed and fails to correct the vulnerability, and a patch could even be compromised.
  • Assets that cannot be patched. This is the implementation of isolation or other methods to mitigate the risk of systems that cannot be patched easily. This is usually necessary if the patching routine cannot be adapted to these systems within a reasonable timeframe. Examples include an asset for which the vendor has not made a patch available, an asset that has reached the end of its useful life or does not support updates, or a mission-critical asset that cannot be interrupted for an extended time.

Also, applying patches to the firewall (firmware updates) and antivirus, as the first and last frontier between the organization and the outside, is one of the most prudent aspects of security management. All businesses, large or small, must patch consistently in the face of increasing ransomware attacks. Many companies are at risk of being compromised due to a lack of up-to-date patch installations. Keep in mind that around the world there are people who scan Internet IP addresses 24 hours a day, 7 days a week, trying to identify which IPs belong to which companies and what security measures they have in place. And those people can go so far as to identify which firewall is installed in a company in order to defeat it.

And another very important aspect is that security regulators require updated patches to maintain compliance. If firewall patches are not updated, the organization could face financial penalties from security regulators.

4. Patching

Patches are applied according to the specific tasks and day-to-day operations of the organization, which determine the best time to update the software. Organizations should define a risk assessment process to determine which plan should be used at any given time and to decide when to switch from one plan to another as their understanding of the risk changes. It is also recommended to communicate to employees about patch application, its importance and its priority. For medium-sized and large companies, it is recommended to rely on automation through a patch manager.
Keep in mind that updating patches minimizes risks by correcting software and performance errors. So, by maintaining the latest firewall software, your firewall will always have the best and latest security and management tools.
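The four steps above (inventory, standardization by risk, response scenarios, and patching) can be expressed as one small decision procedure: take the inventory, find which advisories each asset is still missing, pick the response scenario, and order the work by risk. The following Python is an added example, not code from the original article, from Pandora FMS or from NIST; the asset records, advisory ids, version numbers and scoring weights are all constructed for illustration, and the version comparison assumes plain dotted numeric versions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed weights; an organization would set its own in its risk assessment.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Asset:
    name: str
    platform: str              # inventory field: server, firewall, workstation, iot, ...
    criticality: int           # 1 (low) .. 3 (mission critical), set by the organization
    internet_facing: bool
    patchable: bool            # False for EOL, vendor-unsupported or never-interruptible assets
    installed: Dict[str, str]  # product -> installed version


@dataclass
class Advisory:
    patch_id: str              # constructed ids below, not real advisories
    product: str
    severity: str
    actively_exploited: bool
    fixed_version: Optional[str]  # None while the vendor has not shipped a fix


def parse_version(v: str) -> Tuple[int, ...]:
    """Assumes plain dotted numeric versions such as '7.2.3'."""
    return tuple(int(part) for part in v.split("."))


def needs_attention(asset: Asset, adv: Advisory) -> bool:
    """Validation step: is this asset missing the fix the advisory describes?"""
    installed = asset.installed.get(adv.product)
    if installed is None:
        return False               # product not on this asset
    if adv.fixed_version is None:
        return True                # affected, and no fix exists yet
    return parse_version(installed) < parse_version(adv.fixed_version)


def scenario(asset: Asset, adv: Advisory) -> str:
    """Pick the response scenario from the risk-assessment step."""
    if adv.fixed_version is None:
        return "emergency mitigation"            # no patch available yet
    if not asset.patchable:
        return "isolate / compensating controls"  # asset that cannot be patched
    if adv.actively_exploited or adv.severity == "critical":
        return "emergency patch"
    return "routine patch"


def risk_score(asset: Asset, adv: Advisory) -> int:
    """Higher score = patch sooner. Weights are constructed for this example."""
    score = SEVERITY_WEIGHT[adv.severity] * asset.criticality
    if adv.actively_exploited:
        score += 5
    if asset.internet_facing:
        score += 3
    return score


def build_plan(assets: List[Asset], advisories: List[Advisory]) -> List[dict]:
    """Cross inventory with advisories and return the work ordered by risk."""
    plan = []
    for asset in assets:
        for adv in advisories:
            if needs_attention(asset, adv):
                plan.append({"asset": asset.name, "patch": adv.patch_id, "product": adv.product,
                             "scenario": scenario(asset, adv), "score": risk_score(asset, adv)})
    plan.sort(key=lambda e: (-e["score"], e["asset"], e["patch"]))
    return plan


# Constructed sample inventory and advisory feed (names, versions and ids are made up).
ASSETS = [
    Asset("edge-fw-01", "firewall", 3, True, True, {"fw-os": "7.2.1"}),
    Asset("erp-db-01", "server", 3, False, False, {"dbms": "12.1.0"}),
    Asset("ws-042", "workstation", 1, False, True, {"office-suite": "16.0.3", "browser": "120.0.1"}),
    Asset("cam-lobby-03", "iot", 1, True, False, {"cam-fw": "2.4.0"}),
]
ADVISORIES = [
    Advisory("FW-EXAMPLE-01", "fw-os", "critical", True, "7.2.3"),
    Advisory("DB-EXAMPLE-07", "dbms", "high", False, "12.1.2"),
    Advisory("BR-EXAMPLE-15", "browser", "high", True, "120.0.2"),
    Advisory("OF-EXAMPLE-03", "office-suite", "medium", False, "16.0.3"),
    Advisory("CAM-EXAMPLE-02", "cam-fw", "critical", False, None),
]

if __name__ == "__main__":
    for entry in build_plan(ASSETS, ADVISORIES):
        print(f"{entry['score']:3d}  {entry['asset']:13s} {entry['patch']:15s} {entry['scenario']}")
```

Run as a script, the plan lists the internet-facing firewall with an actively exploited critical flaw first, then the unpatchable database server (flagged for isolation rather than patching), the workstation browser, and the end-of-life camera for which no fix exists (flagged for mitigation); the office suite already at the fixed version produces no entry. The same data structure can feed the documentation step, since each plan entry records which patch was due on which asset and why.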

Pandora FMS solution for effective patch management

Pandora FMS can help implement and make patching easier, through:

  • Regular Rolling Releases (RRR): Released approximately every two months. Most new features are published in RRRs.
  • LTS versions: They bundle RRR versions with a Q/A process and an exhaustive final product checklist lasting several weeks. They are the ones recommended for production environments.
  • LTS patches: Security patches are developed as soon as possible after a vulnerability is detected. Patches for LTS versions usually include fixes for critical bugs and solutions to security problems.

Pandora FMS also provides detailed information about patches and published updates.

Updates can be performed manually, through Warp Update, and, in large integrated environments, with a Pandora FMS Metaconsole. The Metaconsole is responsible for updating all the nodes integrated into it.

More support resources:

  • Pandora FMS may help keep track of IT environments and support upgrades. Contact an expert.
  • Pandora FMS helps maintain an inventory of monitored devices from which you may obtain:
    • Firmware version (network hardware).
    • Applications installed on the computer (MS Windows®, Android Linux®, GNU/Linux®).


With this information you may obtain and plan the necessary updates on the devices or applications in your environment.

Conclusions

As we have seen, Patch Management is part of the efforts to keep the organization’s systems and programs up to date and to reinforce the security and actions needed to protect against cyberattacks. Patches also contribute to software stability, enable better features and allow new technologies to be integrated. All of this has a direct impact on organization user experience.

It is also of utmost importance that patches are part of IT tasks that help comply with regulations and legal provisions. Failure to do so may expose the organization to quite onerous penalties.

To realize these benefits, IT strategists must consider maintaining constantly updated inventories and a standardization that helps leverage the automation of updates, lightening the workload of the IT team in charge of patching. Correct planning of when and how to apply patches so that they do not impact business operations is also required, together with a definition of vulnerability risk response scenarios (routine, emergency, mitigation, or when not to apply them). To do this, it is recommended to rely on experts in best practices in patch management and system monitoring.
