We have recently concluded the first quarter of 2023, and there have already been over 250 patches for the many components and flavours of Microsoft’s operating systems, as well as a handful of patches for Adobe, Apple, and Android. If you are a computer professional, you have also had to patch various other enterprise-class hardware and software assets in your environment.
With all of the technology we have today, installing software updates has become a near-daily, full-time activity. Patch management for large-scale enterprise IT systems can be one of the most stressful parts of an IT professional’s job.
Understanding the Patch Management Process
Tripwire's Vulnerability and Exposure Research Team (VERT) has tracked patch releases for years, and the magnitude of patches makes it obvious that many organizations are having trouble keeping up. Installing a patch might sound easy. To a casual computer owner, it requires only a simple click of a button. However, in a business environment, patch installation difficulty varies across platforms, ranging from simple installs to complex scenarios involving carefully orchestrated sequences of events. Patch installation difficulty is not the only variable in this equation. Patch testing is another critical piece of the puzzle and, along with scale, is one of the more challenging aspects of patch management in the modern world of enterprise IT.
1. Refine Your Pre-Deployment Patch Management Procedures
Enterprises cannot go about installing patches blindly without understanding the potential impacts of the changes a patch brings. Patches have a history of breaking things, and when things break in the enterprise, chaos ensues. With the rapid discovery of vulnerabilities and the subsequent emergency patch releases, most organizations do not have ample time to fully test patches in their environment before deployment. This is a recipe for trouble.
2. Be Wary of Patch Fatigue
An organization’s ability to thoroughly test patches depends on scale and resources. Virtualization and orchestration technologies, coupled with good patch management and vulnerability management software, can help organizations create environments that enable extensive patch testing. Still, testing every possible configuration is hard for any organization. As you scale, it becomes impossible. More nodes mean an increase in the number of scenarios that need to be tested. Those considerations can quickly spiral out of control. This leads us to the following conclusion: Patch testing is currently done on a best-effort basis, and as with most software-based testing, it only covers a small portion of the overall “state space” of test cases. An important question to ask is, “Will this scenario work in the future as more and more systems become highly interconnected?”
3. Explore Patch Management Best Practices for Emerging IT
Current trends, such as the Internet of Things (IoT), the Industrial IoT, and cyber-physical systems, are pushing the envelope of scale with an exponential explosion of devices coming online in the near future. As we recently saw with a faulty update to an airline flight system, the failure of a patch installation can create serious, far-reaching problems. What other questions need to be asked? Technologists should be considering these types of questions. Obviously, new techniques and innovations will surface to help alleviate some of our patch testing problems. Automation can play a huge role in helping to assure safe patching, and advanced research in automated testing processes will surely help. Can artificial intelligence also be used to assist in this effort? It will be interesting to see what developments tomorrow will bring.