Patch management—the process of planning and applying updates across systems—is one of the most important aspects of preventing a security breach. In fact, a Ponemon Institute report found that 60% of breach victims were compromised due to missing patches.
In this post, we’ll take a look at the what, why, and how of patch management from an MSP’s perspective, including what not to do and key MSP patch management best practices.
What is patch management?
Fundamentally, patch management is everything involved with keeping your systems updated. That includes identifying what systems need updates, deciding what updates to apply, scheduling updates, running updates, and testing.
Patch management applies to all the assets in an environment. PCs, servers, IoT devices, smartphones, network gear, software applications, and even drivers are all in scope. Common examples of patches include operating system (OS) updates, application upgrades, and firmware updates.
There are three main categories of “patches” you can apply to a system:
- Security patches: Address security flaws on a system.
- Bug fixes: Address bugs from a previous release.
- Feature updates: Add new features and functionality to a system.
Note that these categories aren’t necessarily mutually exclusive. Often a single update will cover all three categories at once. For example, a Windows service pack (SP) is an update that rolls up a variety of fixes in a single release.
Patch management vs. vulnerability management
You might hear the terms “patch management” and “vulnerability management” used interchangeably. While understandable, that’s technically incorrect. Patch management processes are specifically focused on updates. Vulnerability management has a broader scope.
Vulnerability management is the continuous process of discovering, prioritizing, and addressing security vulnerabilities. In many cases, vulnerability management and patch management will overlap. For example, as part of your vulnerability management processes, you may discover a security issue that you can remediate by applying a patch.
Benefits of good patch management
We’ve covered the what, but why should you have an MSP patch management process? The three main benefits of patch management are:
- Security: Keeping your clients’ systems up to date is one of the single most impactful things you can do to improve their security posture. Not patching makes it significantly easier for threat actors to compromise those systems. Case in point: WannaCry spread using the EternalBlue exploit against an SMB flaw that Microsoft had already fixed in MS17-010, released two months before the outbreak, and the same exploit was still being actively used in the wild against unpatched systems more than a year later.
- Compliance: In some cases, you need a patch management process to remain compliant with relevant standards and regulations. For example, PCI DSS requirements call out the need to apply critical or high security patches within a month (requirement 6.3.3 of PCI DSS 4.0).
- Productivity: Upgrades can add new features and improve application performance. As a result, they can lead to productivity boosts that improve business workflows.
How NOT to handle MSP patch management
Sometimes the easiest way to get started with a plan is to identify what not to do. To that end, here’s an MSP patch management checklist of things to avoid.
- Don’t depend on manual patch processes: This one is simple: Manual processes take time, and time is money for an MSP. Make manual patching the exception, not the rule.
- Don’t forget about third-party software: Insecure third-party software can make an otherwise secure system vulnerable. For example, consider the Zoom vulnerabilities from earlier this year that could lead to malicious code execution. Make sure your patch management strategy goes beyond the OS and covers third-party software too.
- Don’t unnecessarily sacrifice productivity: Patching is important but context matters. Forcing a user to reboot during the workday to install a patch for a low-severity vulnerability isn’t generally a good idea. Similarly, some business workflows may depend on outdated and insecure software. Upgrading it without first putting an alternative in place breaks the workflow, which from the client’s perspective is no different from a denial-of-service (DoS) attack.
- Don’t neglect testing: Not every update is a net positive. Anyone who has been in IT long enough has seen an update break something, and if you’re new to IT, consider this your warning. Testing updates on a representative pilot group before rolling them out broadly helps you avoid falling victim to “bad updates”.
- Don’t reinvent the wheel: You should have a patch management process that meets your customer’s business needs. However, you don’t have to start from scratch. There are multiple frameworks and reference implementations you can borrow from. NIST SP 800-40 is a great example that tackles a lot of the nuance of patch management.
MSP patch management best practices
With what not to do out of the way, we can jump into our patch management best practices for MSPs. There’s never a one-size-fits-all answer in IT, but these best practices can help you jumpstart and optimize your patch management workflows.
Establish and document a patch management policy
It’s important to be purposeful about patch management. That starts with creating and documenting an MSP patch management policy. NIST 800-40 can help with guidance, but for smaller MSPs that can be a lot to take in. If you’re looking for a simpler place to start, I recommend using UC Berkeley’s Patching and Updates Guidelines as a reference.
TIP! Have a plan for end of life hardware and software. In many cases, there’s no patch for a vulnerable device or application. Make sure your policy addresses this scenario.
From an operations standpoint, you should use tools that automatically enforce your patch policies. For example, Syncro allows you to assign specific update policies for different IT assets. By codifying granular policies in the tools you use to maintain your systems you can avoid documentation drift and ensure they’re enforced in production.
Think about patching during procurement
The software and hardware you buy today is what you’ll have to patch tomorrow. If you’re responsible for procuring IT assets for your clients, consider patch management during the buying process. Key questions to answer include:
- Does the vendor release patches for their products? How often?
- Is there an easy way to apply updates once they’re released?
- Do updates require the product to reboot or be taken offline?
- How can you be notified of updates?
- Does the vendor disclose vulnerabilities publicly?
Centralize asset management
Centralizing IT assets in a single system makes it easier to understand and report on upgrade status, enforce patch policies, and improve overall infrastructure visibility. For MSPs, remote monitoring and management (RMM) software is typically the right solution. In addition to centralizing assets from multiple clients and sites in a single system, an RMM can help you deploy patches and define security policies.
Track patch statuses
It’s one thing to schedule patches; it’s another to know whether they were applied successfully and what still needs to be done. As an MSP, you should be able to easily and reliably determine the patch status of every system you manage, including the cases that are easy to miss: installs that failed, installs that are waiting on a reboot before the fix actually takes effect, and endpoints that have stopped checking in.
Prioritize patches by severity
Just because something can be done now doesn’t mean it should be done now, or even at all. For example, in most cases, it makes sense to apply a critical security hotfix as soon as practical. But it doesn’t make sense to force a midday update that reboots your client’s PC to push a patch for a minor issue. Use CVSS scores, whether the vulnerability is already being exploited in the wild, and business context (how exposed the system is, what depends on it, and when it can be rebooted) to make an informed decision about when and how to apply patches.
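As an added example (not Syncro’s code and not part of the original post), here is a small Python script that turns the two practices above, tracking patch status and prioritizing by severity, into a repeatable triage. It maps CVSS scores to severity bands, treats anything known to be exploited as critical regardless of its score, computes an installation deadline per patch from a per-severity SLA, flags overdue items, and decides whether a reboot may be forced or should only be prompted. The 30-day deadline for critical/high patches follows PCI DSS 4.0 requirement 6.3.3; the other SLA values, the asset names, the patch identifiers and the reference date are constructed for illustration and would be replaced by your own policy and your RMM’s inventory export.

```python
"""Patch triage: severity bands, SLA deadlines, overdue tracking and reboot policy.
Added example; the inventory and SLA values below are constructed, not real data."""
from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed between patch release and installation, by severity.
# 30 days for critical/high mirrors PCI DSS 4.0 req. 6.3.3; the tighter
# critical value and the medium/low values are assumed MSP policy choices.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# CVSS v3 qualitative bands, highest floor first.
CVSS_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to a qualitative severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label
    raise AssertionError("unreachable")


@dataclass
class MissingPatch:
    asset: str                     # hostname as reported by the RMM agent
    patch_id: str                  # vendor identifier, e.g. a KB number (constructed here)
    cvss: float                    # base score of the worst CVE the patch fixes
    released: date                 # vendor release date of the patch
    requires_reboot: bool
    known_exploited: bool = False  # e.g. listed as exploited in the wild
    business_critical_host: bool = False  # POS terminal, line-of-business server, ...


def triage(p: MissingPatch, today: date) -> dict:
    """Decide severity, deadline, install timing and reboot handling for one patch."""
    # Active exploitation overrides the score: a medium-CVSS bug that is being
    # used in the wild is more urgent than a critical one nobody has weaponized.
    sev = "critical" if p.known_exploited else severity_from_cvss(p.cvss)
    deadline = p.released + timedelta(days=SLA_DAYS[sev])
    overdue = today > deadline
    # Critical work and anything past its deadline goes out now; the rest waits
    # for the next maintenance window rather than interrupting the workday.
    install = "now" if (sev == "critical" or overdue) else "next maintenance window"
    if not p.requires_reboot:
        reboot = "none"
    elif install == "now" and not p.business_critical_host:
        reboot = "force"   # forced reboot only for urgent work on ordinary endpoints
    else:
        reboot = "prompt"  # workflow-sensitive host or routine patch: let the client pick the time
    return {
        "asset": p.asset, "patch": p.patch_id, "severity": sev,
        "deadline": deadline.isoformat(), "overdue": overdue,
        "install": install, "reboot": reboot,
    }


def patch_report(patches, today: date) -> list:
    """Triage every missing patch and order the list: overdue first, then by severity."""
    rows = [triage(p, today) for p in patches]
    rows.sort(key=lambda r: (not r["overdue"], SEVERITY_ORDER[r["severity"]], r["deadline"]))
    return rows


def overdue_count(patches, today: date) -> int:
    """Number of missing patches already past their SLA deadline."""
    return sum(1 for r in patch_report(patches, today) if r["overdue"])


# Constructed inventory, as an RMM "missing patches" export might look.
TODAY = date(2024, 6, 10)
SAMPLE_INVENTORY = [
    MissingPatch("ws-01", "KB-EXAMPLE-01", 9.8, date(2024, 6, 8), True),
    MissingPatch("pos-03", "KB-EXAMPLE-02", 5.3, date(2024, 5, 20), True,
                 known_exploited=True, business_critical_host=True),
    MissingPatch("srv-db-01", "KB-EXAMPLE-03", 7.5, date(2024, 4, 20), True,
                 business_critical_host=True),
    MissingPatch("ws-02", "KB-EXAMPLE-04", 3.1, date(2024, 6, 1), True),
    MissingPatch("ws-02", "KB-EXAMPLE-05", 6.5, date(2024, 6, 5), False),
]

if __name__ == "__main__":
    for r in patch_report(SAMPLE_INVENTORY, TODAY):
        flag = "OVERDUE" if r["overdue"] else "ok"
        print(f'{r["asset"]:10} {r["patch"]:14} {r["severity"]:8} due {r["deadline"]} '
              f'{flag:7} install: {r["install"]}, reboot: {r["reboot"]}')
```

Run as a script it prints the triage table; the ordering puts the exploited-in-the-wild patch on the point-of-sale host at the top even though its CVSS score is only 5.3, which is exactly the case a pure score sort gets wrong. The reboot column encodes the productivity rule from the checklist above: a forced reboot is reserved for urgent work on ordinary endpoints, while business-critical hosts and routine patches are prompted so the client controls the timing.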
Syncro can help simplify your MSP patch management
Without the right tools, managing patches across different customers and sites can become time-consuming and inefficient. Syncro is all-in-one cloud-based MSP software that helps you scale and automate patch management.
With Syncro’s RMM agent installed on customer PCs, you can:
- Run reports to quantify what assets are missing patches
- Create policies that automate how Windows patches are installed based on patch type and severity
- Create policies for third-party app patches
- Schedule updates and required reboots
With Syncro you have the control and visibility needed to patch the systems you’re responsible for, and the flexibility to choose the right balance of security and usability.
For example, you can define patch exclusions for specific apps and Windows update KB numbers and decide whether to force users to reboot or prompt them.
And because Syncro is an all-in-one solution that supports a wide range of integrations and includes PSA features like billing and ticketing, you can limit tool sprawl and operational complexity for your staff.
Take Syncro for a test drive in your environment. Sign up for a free trial today.