How do you ensure patches are deployed in a timely fashion, to reduce the number of vulnerabilities in your network and software and protect your organisation from ongoing threats?
Many frameworks recommend a fixed number of hours or days within which patches must be applied, and some clients ask for all patches to be deployed within a set number of hours or days, with no consideration of the usefulness, practicality or even effectiveness of the proposed patch.
Some environments are designed so that much of the internal network is not exposed to the internet. In that case the external ring of the network, the part that is exposed to the internet, is patched more aggressively than the internal environment.
Deploy patches using a risk-based approach.
As a business, agree what an impact is and group impacts into bands.
Automatically apply patches that do not require a reboot or service restart (this can be set up by your IT specialist).
Have the right skill sets in your team and agree how and when patches will be deployed based on your risk model.
· Consider the impact to your business if the vulnerability were exploited. Would it take out your services? Would it expose confidential data?
· What is the impact if the vulnerability the patch addresses is exploited?
· If your business manages photos of cats in a database, a patch marked by a global software company as Critical or Extreme would not be critical to you, because your information is not of value.
· Consider the likelihood of the threat event occurring.
· What is the likelihood, given the structure of the environment, the resources required and the targets of the threat actors, that the vulnerability the patch addresses is successfully exploited?
· Industry scores give you the threat intelligence companies' view of how severe the potential attack could be.
Every time you delay a patch for business reasons it goes into the queue for later. Do you have the staff to work through that queue, and what will the priority be when they begin implementing these patches?
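The risk model described above (business-agreed impact bands, assessed likelihood, heavier weighting for the internet-facing ring, automatic application of patches that need no reboot, and a queue in which deferred patches keep ageing) can be written down as a small scoring and queueing routine. The following is an added example and not a tool from this article; the band values, the exposure multiplier, the deadline thresholds and the sample patch records are all assumed, illustrative values that a business would agree for itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

# Added example of a risk-based patch queue; not the article's own tool.
# Every band, multiplier and deadline below is an ASSUMED illustrative value
# that a business would agree on for itself, as the article recommends.

IMPACT_BANDS = {"negligible": 1, "minor": 2, "major": 3, "severe": 4}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3, "almost_certain": 4}


@dataclass
class Patch:
    patch_id: str
    vendor_severity: str     # the vendor's label (e.g. "critical"): an input, not the decision
    business_impact: str     # what exploitation would do to THIS business (agreed band)
    likelihood: str          # assessed likelihood of exploitation in THIS environment
    internet_facing: bool    # external ring of the network vs internal systems
    requires_reboot: bool    # no reboot or service restart -> can be applied automatically
    released: date           # when the patch became available


def risk_score(p: Patch) -> int:
    """Impact x likelihood; internet-facing systems weighted higher (assumed x2)."""
    score = IMPACT_BANDS[p.business_impact] * LIKELIHOOD[p.likelihood]
    return score * 2 if p.internet_facing else score


def deadline_days(p: Patch) -> int:
    """Map the risk score to an agreed deployment window (assumed thresholds)."""
    s = risk_score(p)
    if s >= 16:
        return 2
    if s >= 8:
        return 7
    if s >= 4:
        return 30
    return 90


def auto_apply(p: Patch) -> bool:
    """Patches that need no reboot or service restart are applied automatically."""
    return not p.requires_reboot


def due_date(p: Patch) -> date:
    """The deadline counts from release; deferring a patch does not reset it."""
    return p.released + timedelta(days=deadline_days(p))


def build_queue(patches: List[Patch], today: date) -> List[Tuple[str, str, int]]:
    """Return (patch_id, action, days_remaining) sorted by urgency.

    Negative days_remaining means the patch is overdue: patches delayed for
    business reasons do not get a fresh window, they move to the front.
    """
    rows = []
    for p in patches:
        action = "auto" if auto_apply(p) else "scheduled"
        rows.append((p.patch_id, action, (due_date(p) - today).days))
    return sorted(rows, key=lambda r: r[2])


# Constructed sample records (not real advisories). P-A is the "cat photos"
# case: vendor says critical, but the business impact is only minor.
SAMPLE = [
    Patch("P-A", "critical", "minor", "possible", False, True, date(2024, 1, 1)),
    Patch("P-B", "high", "severe", "likely", True, True, date(2024, 1, 14)),
    Patch("P-C", "medium", "major", "possible", False, False, date(2024, 1, 10)),
    Patch("P-D", "low", "negligible", "rare", False, True, date(2023, 12, 1)),
    Patch("P-E", "high", "major", "likely", False, True, date(2024, 1, 1)),
]
TODAY = date(2024, 1, 15)  # assumed "current" date for the sample run

if __name__ == "__main__":
    for row in build_queue(SAMPLE, TODAY):
        print(row)
```

Run as written, the queue comes out as P-E (overdue by a week), P-B, P-A, P-C, P-D: the vendor-critical P-A sits behind the internet-facing P-B because the business impact and exposure, not the vendor label, drive the order, and P-C is flagged for automatic application because it needs no reboot.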