Patch management vs vulnerability management


Software development is not a one-and-done process, but rather a continuous one. With code and capabilities evolving so often, it’s impossible for any system, no matter how well built, to be left untouched after deployment.

Because of this, IT teams are constantly monitoring and deploying security patches to keep the multiple entry points within any organisation - laptops, printers, servers, and even mobile phones - safe from hackers. While it can be a frustrating job, this process of applying fixes and updates for security vulnerabilities, called patch management, is business-critical and something every IT professional should know about.

Patch management is often used interchangeably with vulnerability management, but the latter is a much broader process that covers weaknesses of all kinds, including flaws for which no fix yet exists and devices the vendor no longer supports, whereas patch management focuses only on applying the updates a vendor has already released for specific flaws.

With the pandemic and increased remote work contributing to a rise in cyber attacks, it’s more important than ever for IT teams to know what risks their organisations are facing and how to address them correctly.

We explain the difference between vulnerability management and patch management and break down the importance of each.

What is patch management?

Patch management is the process of keeping all software within a company at the most current versions released by the vendor, so that bugs and security flaws discovered after release are fixed. This covers enterprise-level products such as server operating systems and database products as well as end-user software such as web browsers and plug-ins, Internet Explorer and Adobe Flash being the classic examples (both are now end of life, which makes any remaining installs a liability in their own right).

Patch management can be done manually on a machine-by-machine basis, but it's much more commonly performed using centralised management tools. This can involve dedicated patch management software, which allows IT teams to set policy-based rules for the automatic application of patches. These can be scheduled around business hours to ensure that patch application results in minimal downtime and loss of productivity.

Why is patch management important?

Unpatched systems are one of the easiest attack vectors for criminals looking to gain access to corporate networks. Hackers and security researchers are constantly discovering new vulnerabilities, and companies are constantly issuing patches to deal with them. If those patches are not applied, however, cyber criminals have an easy entry point into your networks.

Patch management also ensures that all your enterprise equipment keeps working as it should. Technology is a notoriously fickle beast, and even minor software bugs can lead to major headaches and plummeting employee productivity. Timely application of patches ensures that any potential problems can be resolved as soon as possible before your business grinds to a halt.

Knowing when not to apply an update can be just as important for good patch management, however. New software updates can cause compatibility issues between different systems or can introduce new bugs of their own. Good patch management often involves making a judgement call on whether the security benefit of installing a patch that is known to cause issues outweighs the potential disruption. A common way to make that call is to roll the patch out to a small test group of machines first and widen deployment only once it has proved stable there.
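The policy-based, scheduled patching described above, with a hold list for updates known to cause trouble, reduces to a small planning routine. The following is an added example and not code from the article or from any patch management product; the hosts, installed versions, patch feed, severities and hold list are all constructed for the illustration.

```python
"""Policy-based patch scheduling (added illustration, not the article's code).

Assumptions (all hypothetical): each host has an inventory of installed
package versions and a maintenance window; the patch feed lists the first
fixed version and a severity; the hold list names patches that broke
something in testing and so need a human decision before deployment.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Host:
    name: str
    installed: dict            # package name -> installed version string
    window_start: time         # maintenance window, local time
    window_end: time


@dataclass
class Patch:
    package: str
    fixed_version: str         # first version that contains the fix
    severity: str              # "critical", "high", "medium" or "low"


def version_tuple(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10), so that 1.2.10 sorts after 1.2.9 (string compare would not)."""
    return tuple(int(part) for part in v.split("."))


def in_window(now: datetime, host: Host) -> bool:
    """True if `now` falls inside the host's maintenance window; the window may wrap midnight."""
    t = now.time()
    if host.window_start <= host.window_end:
        return host.window_start <= t < host.window_end
    return t >= host.window_start or t < host.window_end


def plan(hosts, patches, hold, now):
    """Sort every missing (host, patch) pair into one of three buckets.

    apply_now: critical, or the host is inside its maintenance window.
    deferred:  outside the window and not critical; picked up next window.
    held:      on the hold list (known to cause issues), so a judgement call.
    Returns a dict of bucket -> list of (host name, package, fixed version).
    """
    buckets = {"apply_now": [], "deferred": [], "held": []}
    for host in hosts:
        for p in patches:
            current = host.installed.get(p.package)
            if current is None:
                continue            # package not installed on this host
            if version_tuple(current) >= version_tuple(p.fixed_version):
                continue            # already at or beyond the fixed version
            entry = (host.name, p.package, p.fixed_version)
            if (p.package, p.fixed_version) in hold:
                buckets["held"].append(entry)
            elif p.severity == "critical" or in_window(now, host):
                buckets["apply_now"].append(entry)   # critical patches do not wait for a window
            else:
                buckets["deferred"].append(entry)
    return buckets


# Constructed inventory: two hosts with different maintenance windows.
HOSTS = [
    Host("web01", {"openssl": "1.1.1", "kernel": "5.4.1"}, time(2, 0), time(4, 0)),
    Host("db01", {"openssl": "1.1.2", "postgres": "11.2", "kernel": "5.4.1"},
         time(22, 0), time(1, 0)),   # window wraps midnight
]

# Constructed patch feed; versions and severities are hypothetical.
PATCHES = [
    Patch("openssl", "1.1.2", "critical"),
    Patch("kernel", "5.4.2", "high"),
    Patch("postgres", "11.3", "medium"),
]

# Constructed hold list: this kernel build broke a driver on the test group.
HOLD = {("kernel", "5.4.2")}


def example_plan(hour: int = 23, minute: int = 0):
    """Run the planner at a constructed time of day (date is irrelevant to the windows)."""
    return plan(HOSTS, PATCHES, HOLD, datetime(2021, 3, 2, hour, minute))


if __name__ == "__main__":
    for bucket, entries in example_plan().items():
        print(bucket, entries)
```

At 23:00 the critical OpenSSL fix goes to web01 immediately even though its window is 02:00 to 04:00, db01 takes the medium postgres update because it is inside its own window, and the held kernel build is listed on both hosts for someone to decide on rather than silently applied or silently skipped.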

What is vulnerability management?

Vulnerability management is a set of processes for finding and treating weaknesses across corporate networks and systems. It is usually divided into four phases, discovery, reporting, prioritisation and response, which run in sequence and then repeat as a continuous cycle.

Discovery

The first phase, discovery, involves cataloguing every asset across the breadth of your IT infrastructure, including servers, laptops, printers, screens and backup appliances. Essentially every device that may be connected to the corporate network counts, along with the software running on it. For each item the discovery process must establish what version is installed, how far behind the current release it is, and whether the developer still supports the software with security patches at all.

This process may be arduous and lengthy, but putting in the hard work at this stage is crucial. You cannot patch what you do not know you have, and any device or application missing from the inventory is a gap that nobody will be watching. Equifax's 2017 breach is the textbook case: the Apache Struts flaw that was exploited had a fix available months earlier, but the vulnerable web application was never identified and patched. Network discovery and monitoring tools can lighten the burden by detecting and querying devices automatically, with the caveat that a scanner only finds what is reachable from where it runs.

Reporting

The reporting phase follows once you have established a full and up-to-date understanding of the IT estate, that is, which hardware devices and which software are connected to the corporate network. This information should be compiled into a report that is easy to read, accessible and easy to reference, detailing the systems that are most vulnerable. The assessment would be based on criteria such as the severity of unpatched flaws and how close the affected systems and applications sit to sensitive data.

It's possible to do this automatically using software, with many security platforms allowing you to create reports and 'digests' based on the results of autonomous network scans. Reporting feeds into the next step, prioritisation, and some vulnerability management programmes class them as part of the same stage.

Prioritisation

Arguably the most important stage of the vulnerability management process, prioritisation is where you decide the order in which you're going to address the vulnerabilities within your network. This will be based on a number of factors, but the principal things to consider are: how long it will take to fix, how much it will cost to fix and how much risk it poses, meaning how likely it is to be exploited (for instance, whether the system is internet-facing and whether the flaw is already being exploited in the wild) and what the impact would be if it were. Which factor you weight most heavily will depend on the circumstances of your business, but it's a good idea to prioritise high-impact, low-effort fixes where possible.

In many cases, the likelihood of a flaw being exploited, or the potential impact if it is, will be low enough that you can judge leaving it unpatched to be an acceptable risk. Alternatively, the cost of fixing something may be so high as to make it unfeasible with your current resources. The important thing is to identify these accepted risks explicitly, record them and who signed them off, and revisit them in each subsequent cycle rather than letting them quietly become permanent.

Response

Having established what vulnerabilities your network has and what order you're going to address them in, the final stage is to respond to them. In some cases, this can be as simple as installing any outstanding infrastructure patches or reconfiguring a vulnerable network device. Other measures may be more costly or time-consuming, however, such as creating a patch for your own application or replacing a device that is no longer supported by the manufacturer.

You can also take the decision to mitigate an issue by partly addressing it, for instance by restricting network access to a vulnerable system or adding monitoring around it until a proper fix exists, or, as mentioned above, by accepting the risk posed by a particular vulnerability. Once you've completed the response phase, the process starts again with a fresh round of discovery, which both confirms that your fixes actually took effect and picks up whatever has changed since.
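The four phases above, run end to end over a small inventory, look like the following. This is an added example and not code from the article or from any scanning product: the assets, the "known flaws" table, the severities and the effort figures are constructed for the illustration and are not real CVE data. It also covers the case raised later in the article of software that is known to be vulnerable but has no patch yet, which a list of outstanding patches would never surface.

```python
"""Vulnerability management cycle: discover, report, prioritise, respond.

Added illustration, not the article's or any vendor's code. All data below
is constructed: asset names, versions, the flaw table, severities (0-10),
effort estimates and the acceptance threshold are hypothetical.
"""

# Discovery input: what is on the network, what it runs, whether it sits
# near sensitive data, and whether the vendor still supports it.
ASSETS = [
    {"name": "db01",    "software": {"postgres": "11.2"},      "sensitive_data": True,  "supported": True},
    {"name": "web01",   "software": {"webapp": "2.0"},         "sensitive_data": True,  "supported": True},
    {"name": "print01", "software": {"printer-fw": "3.1"},     "sensitive_data": False, "supported": False},
    {"name": "lap07",   "software": {"office-suite": "16.0"},  "sensitive_data": False, "supported": True},
    {"name": "kiosk01", "software": {"signage-app": "1.0"},    "sensitive_data": False, "supported": True},
]

# Constructed flaw table (not real CVEs). fixed_in is None when no fix exists.
KNOWN_FLAWS = [
    {"software": "postgres",     "fixed_in": "11.5", "severity": 9.0, "patch_available": True,  "effort_hours": 4},
    {"software": "webapp",       "fixed_in": None,   "severity": 7.5, "patch_available": False, "effort_hours": 8},
    {"software": "printer-fw",   "fixed_in": None,   "severity": 5.0, "patch_available": False, "effort_hours": 40},
    {"software": "office-suite", "fixed_in": "16.1", "severity": 3.0, "patch_available": True,  "effort_hours": 1},
    {"software": "signage-app",  "fixed_in": "1.1",  "severity": 1.5, "patch_available": True,  "effort_hours": 20},
]

ACCEPT_BELOW = 0.1   # hypothetical threshold: scores under this are recorded as accepted risk


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def discover(assets, flaws):
    """Phase 1: match every installed package against the flaw table."""
    findings = []
    for asset in assets:
        for flaw in flaws:
            installed = asset["software"].get(flaw["software"])
            if installed is None:
                continue                      # software not present on this asset
            fixed = flaw["fixed_in"]
            if fixed is not None and version_tuple(installed) >= version_tuple(fixed):
                continue                      # already running a fixed version
            findings.append({"asset": asset, "flaw": flaw, "installed": installed})
    return findings


def report(findings):
    """Phase 2: a per-asset digest a human can read: worst severity and count."""
    summary = {}
    for f in findings:
        name = f["asset"]["name"]
        entry = summary.setdefault(name, {"max_severity": 0.0, "count": 0,
                                          "sensitive_data": f["asset"]["sensitive_data"]})
        entry["count"] += 1
        entry["max_severity"] = max(entry["max_severity"], f["flaw"]["severity"])
    return summary


def risk_score(f):
    """Phase 3 helper: severity, doubled near sensitive data, per hour of effort."""
    exposure = 2.0 if f["asset"]["sensitive_data"] else 1.0
    return f["flaw"]["severity"] * exposure / f["flaw"]["effort_hours"]


def prioritise(findings):
    """Phase 3: order by score; very low scores become documented accepted risk."""
    ordered = sorted(findings, key=risk_score, reverse=True)
    for f in ordered:
        f["score"] = risk_score(f)
        f["accepted"] = f["score"] < ACCEPT_BELOW
    return ordered


def respond(prioritised):
    """Phase 4: choose a treatment for each finding, in priority order."""
    actions = []
    for f in prioritised:
        asset, flaw = f["asset"], f["flaw"]
        if f["accepted"]:
            action = "accept"        # recorded and revisited next cycle
        elif flaw["patch_available"]:
            action = "patch"         # hand over to patch management
        elif not asset["supported"]:
            action = "replace"       # the vendor will never ship a fix
        else:
            action = "mitigate"      # no fix yet: restrict access, add monitoring
        actions.append((asset["name"], flaw["software"], action))
    return actions


def run_cycle(assets=ASSETS, flaws=KNOWN_FLAWS):
    """One full pass; the caller repeats it after acting on the results."""
    findings = discover(assets, flaws)
    return report(findings), respond(prioritise(findings))


if __name__ == "__main__":
    summary, actions = run_cycle()
    for name, s in summary.items():
        print(f"{name}: {s['count']} finding(s), worst severity {s['max_severity']}")
    for action in actions:
        print(action)
```

On this constructed data the database server comes first (high severity, next to sensitive data, cheap to fix), the web application is marked "mitigate" because it is vulnerable but no patch exists, the unsupported printer is marked "replace", and the low-severity kiosk flaw is recorded as accepted risk rather than forgotten.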

Why is vulnerability management important?

Vulnerability management is crucial because it gives you an overview of your security posture as a whole. It gives you a sense of which areas of your infrastructure are most at risk, which allows you to not only prioritise security remediation but also helps inform future IT investment.

More importantly, vulnerability management gives you insights into potential security holes beyond what you can learn from looking at a list of outstanding patches. There may be a piece of software that is known to be vulnerable, for example, but for which a patch is not yet available. In this case, looking at unapplied patches would not have alerted you to the issue.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.