By: Russ Hensley, CEO CISSP
Lexington, KY
Day in and day out we’re asked about operating system patching and it’s role in managed services or managed cybersecurity.
What is patching? What happens to cause patching? Do I need patching? Why is patching important to cybersecurity or normal operations? Why did the patch break my computer? Who’s fault is it when the patch break the machine?
How did it start?
Starting in 2003 Microsoft started to get structured about patching because honestly, it broke a lot of things and random sporadic chaotic patching was not efficient to say the least. Since then the patching process has evolved into a tier of patching from security, critical, emergency and application, workstation and server patching to name a common groups.
Cybersecurity firms and software developers produce a list of “holes” in software called vulnerabilities through intentional or unintentional discovery. The process of the vulnerability identification is a double edged sword. Once confirmed, it can alert the developer, Microsoft or Adobe for example, that there is in fact a confirmed hole, the nature of the hole and give it an entry in a database for identification. The downside, is well now not only does the developer know and the user, but also the threat actor who might look it over and choose to figure out how to exploit this vulnerability to use it for a hack.
Now a days with ransomware and the internet, these patches are often and plentiful and come very fast some times when there are really bad vulnerabilities. Just last week patch Tuesday alone (May 11 2021) contained 55 vulnerability patches, 4 were Critical and 50 Important and 1 Moderate just from Microsoft’s resources. The break down is here from the CompTIA ISAO weekly update video.
Surface devices get firmware updates for example now on the the Third Tuesday and non-security patches for Office are on the First Tuesday.
Patching in general is developed with the white box and tested as best as it can to not nuke your machine and create Crash Wednesday when the patch actually might get applied to your system and a reboot if you’re not on a managed patch plan. Sometimes, the patches are just not compatible or fail and if you’re in a patch management system then you might see a scenario where bad patches are Blacklisted and will not get applied to other machines once they fail in either testing or deployment. Microsoft delivers the best product they can but the customers environment can vary dramatically from a testing scenario.
How much is enough?
I personally believe in aggressive patching where they’re downloaded and workstations are rebooted frequently and servers as needed based on the patch level no less than once a week in some cases. When businesses have users with internet access and email access involved it patching is critical to address security issues and in fact in environments where consumer data is held should be taken very seriously but anywhere that production is based around technology working should be managed. These environments are typically the best suited for managed services and managed cybersecurity services.
What drives cost?
Some customers opt to not patch or be on a patch management process for various reasons. Perhaps conflicts with software applications, or budgetary constraints. However, with the interconnected tissues of virtual machines, hardware firmware levels and so on it’s almost impossible to not have to catch up patching at some point for security reasons. All of this of course is not talking about software versions that have been end-of-support marked and not receiving any patches, but current production operating systems. Even the End-point-detection and response engines require the operating systems to be patched in order to provide the security levels necessary for them to operate successfully. Otherwise, it’s like sailing a leaking boat.
Our clients who aren’t in a patch management or managed services process opt to pay for exorbitant service fees for patching rather than our fixed managed services fees. Our NOC team tests, blacklists, deploys and remediates any server operating system patches and some applications in our fixed fees in the long run saving thousands of dollars through continuously patching and keeping the operating systems up to date.
It is a complex discussion and some times there are complex answers, but for the most part, managed services addresses the huge amount of patching that is going on for the best value.