Patching is a critical part of any organization's IT infrastructure. It's important to stay up to date with the latest patches and security updates to protect against malicious attacks and vulnerabilities. However, many organizations struggle with patching due to the complexity of the process and lack of visibility into the applications and devices that need to be patched. Current technology isn't making it any easier. In this blog post, we'll look at the current challenges of patching and risk management, and the advantages of OneSite Patching through a series of questions and answers.
Q1: What makes patching so difficult and why are so many applications out of date?
A: Visibility is a major issue: most organizations don’t think it’s possible to stay completely patched because they can't efficiently see what applications are installed, on what devices, and whether any need to be patched. It’s a difficult task. The predominant approaches use Windows Server Update Services (WSUS), open-source tools, and scripting tools like PowerShell to patch endpoints, so a solution that provides a clear view into risk and compliance makes IT's job much easier.
Knowing when a patch is released is also difficult. It starts with having to create a manual list of all applications and individually verify that each device with that application installed is on the latest version. For Windows devices, IT could use Microsoft Intune to patch endpoints, but that comes with limitations, as third-party applications aren't currently supported. To automate patch deployments, IT admins would need to create a PowerShell script for every single application and version, and even then, it doesn't offer assurances that patches have been installed correctly, leaving IT with more work to do.
Q2: Patching must involve risk management, particularly from a prioritization point of view. How can organizations maintain a view of risks that determine what patches are highest priority?
A: The risk management lifecycle requires a constant stream of data or intelligence to make informed decisions. Adaptiva’s OneSite Patch really excels in risk management, giving administrators the power to create a patching strategy so that patching happens at a consistent pace, based on objective measures of exposure and risk.
Q3: Patching can be disruptive to productivity. How can IT stay patched without slowing down end users?
A: The reality is, patching affects organizations across the board and can impact productivity in particular. Many patches require a reboot to finish installing, and end users don’t like to reboot machines. Most people like to leave their machines running 24/7, only closing laptops into sleep or hibernation mode rather than completely shutting down. A patching schedule that identifies a patching window allows a package of multiple patches to be deployed and installed together, minimizing the overall impact on the end user.
OneSite Patch does this remarkably well, as IT can queue up patches to roll them out together at times that are less disruptive to employees and end users. Looking beyond devices to servers, IT may have a narrower window to deploy patches, which OneSite Patch can handle as well, while other tools like Intune cannot. When IT patches a server, it takes down the application it's running until the server is back online. For that designated time, no one has access to that application, so it’s critical to have full control of the deployment process to pause, stop, roll back, restart, or even accelerate the process in real time to meet service level agreements and compliance requirements.
Q4: What are IT professionals saying about patching?
A: Patching is critical to the business, so IT has always found it important that the latest updates are installed immediately. However, new applications are proliferating, bringing with them new vulnerabilities and threats that are discovered every day. Many breaches are occurring because unpatched applications and devices are easily exploited. That’s because there isn't a proper solution in place to provide real-time visibility to IT so they can catch these vulnerabilities in a timely manner. Until then, we'll have bad actors taking advantage of these gaps and exploiting valuable and crucial business resources.
Q5: If IT has limited visibility into all the applications installed across an organization's devices, how do they keep patches up to date and vulnerabilities mitigated?
A: That’s the problem: generally, IT doesn’t know what applications are installed where. For instance, Intune will provide a list of applications it can find, but it’s cumbersome to navigate. OneSite Patch, on the other hand, can provide that comprehensive look, and will give you complete visibility over all the applications installed on the devices you manage, what version is running, and on what device, all in real time.
Q6: Microsoft has announced that Intune will support third-party applications soon, but until then how can a system administrator use Intune to patch third-party applications?
A: To patch third-party applications with Intune, they must first be manually identified. Then a PowerShell script must be written for each application and patch for Intune to run. IT has had to make this work well enough to get by, but it’s a very manual process that doesn't report success or failure. IT will eventually find out whether deployments were successful when an inventory report is run, but that can take several days. One of the biggest pain points of Intune is its lack of support for patching servers, leaving IT to use additional tools to keep systems patched.
Q7: Zero-day threats seem to be making headlines every week. How does IT handle these when they occur?
A: Zero-day vulnerabilities are an interesting problem: they’ve been around for a while, and when discovered, they need to be patched immediately. Until a fix has been identified, released, and applied, devices are at risk of being exploited. Identifying which devices are vulnerable requires detection to ensure they are not breached. Let’s look at the recent Log4j vulnerability as an example. Even though Log4j came out with a patch, it’s an open-source tool that’s used by a lot of applications. As such, Log4j can't be patched all at once. IT needs to understand what applications are using a vulnerable version of Log4j, and then patch each specific application. This might have to be repeated many times over, depending on the number of applications that are vulnerable. This gives hackers a wide window of opportunity to exploit a system.
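The per-application inventory described in the Log4j answer can be sketched as follows. This is an added example, not code from the original post or from any product it mentions: it walks application archives, including libraries nested inside them, and reports each bundled log4j-core copy below a minimum version. The `MIN_OK` threshold, the application names and the sample archives are constructed assumptions, and the lookup relies on Maven's `pom.properties` metadata, which repackaged jars may not carry.

```python
import io
import re
import zipfile

# Assumption: the operator sets MIN_OK from the vendor advisory; this value is a sample.
MIN_OK = (2, 17, 1)
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):  # '2.14.1' -> (2, 14, 1); a '-beta9' style qualifier is ignored
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def find_log4j(data, path, depth=0):
    """Yield (location, version) for every log4j-core inside the archive bytes."""
    if depth > 5:  # stop on absurd nesting instead of unpacking forever
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            if name == POM:
                match = re.search(rb"^version=(\S+)", zf.read(name), re.M)
                if match:
                    yield path, match.group(1).decode()
            elif name.lower().endswith(ARCHIVES):
                yield from find_log4j(zf.read(name), f"{path}!/{name}", depth + 1)

def audit(apps):
    """apps maps application name -> archive bytes; returns entries below MIN_OK."""
    return [(app, where, ver) for app, data in apps.items()
            for where, ver in find_log4j(data, app) if parse_version(ver) < MIN_OK]

def make_jar(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_apps():
    """Constructed inventory: one stale bundled copy, one current, one without Log4j."""
    pom = "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={}\n"
    return {
        "billing.war": make_jar({"WEB-INF/lib/log4j-core.jar": make_jar({POM: pom.format("2.14.1")})}),
        "portal.jar": make_jar({"BOOT-INF/lib/log4j-core.jar": make_jar({POM: pom.format("2.17.1")})}),
        "reports.jar": make_jar({"com/example/Main.class": b"\xca\xfe\xba\xbe"}),
    }
```

Calling `audit(sample_apps())` flags only `billing.war`, with the nested path of the stale library, which is the list of applications that each need their own patch.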
In conclusion, patching is a critical aspect of IT security that requires continuous attention and monitoring. Without proper solutions in place, organizations are at risk of being exploited by bad actors who take advantage of unpatched vulnerabilities. OneSite Patch offers a comprehensive solution to help IT professionals stay on top of patching needs with minimal disruption to end users. By automating the patch deployment process and providing real-time visibility over all devices and applications, it allows administrators to create a consistent and effective patching strategy that mitigates risks. With the rise of new vulnerabilities and threats every day, having an efficient patch management solution like OneSite Patch is more important than ever before.