Patch management vs vulnerability management
What exactly is patch management, and why should IT pros sit up and take notice of doing it properly?
Applying security patches is a constant problem for IT departments; from printers to laptops to servers, every single piece of IT equipment within an organisation could be a potential way for hackers to get into a corporate network, and making sure that they're as locked-down as possible is a full-time job.
The application and coordination of fixes for security vulnerabilities is known as patch management. Vulnerability management is another term that you're likely to hear mentioned in relation to cyber security, but patch management and vulnerability management are not interchangeable, and there are some key distinctions to be made between the two.
Vulnerability management is the process of dealing with security vulnerabilities of all stripes, and is broken up into four main stages: discovery, reporting, prioritisation and response. Patch management focuses on the application of software updates to address specific security flaws, and while it can be part of a vulnerability management strategy, the subject of vulnerability management is actually much broader.
What is patch management?
Perhaps it's important to go back to basics for a moment. Patch management is the process of making sure that every piece of software used within a company is up to date with the most current version released by the manufacturer (you might think the version you've bought is the latest, but bugs are routinely found after general availability, and rather than ignoring them, vendors have to issue a fix as a stopgap until the next full update). This includes enterprise-level products like server operating systems and database products, as well as more basic tools like Internet Explorer and Adobe Flash.
Patch management can be done manually on a machine-by-machine basis, but it's much more commonly performed using centralised management tools. This can involve dedicated patch management software, which allows IT teams to set policy-based rules for the automatic application of patches. These can be scheduled around business hours to ensure that patch application results in minimal downtime and loss of productivity.
Why is patch management important?
Unpatched systems are one of the easiest attack vectors for criminals looking to gain access to corporate networks. Hackers and security researchers are constantly discovering new vulnerabilities, and companies are constantly issuing patches to deal with them. If those patches are not applied, however, cyber criminals have an easy entry point into your networks.
Patch management also ensures that all your enterprise equipment keeps working as it should. Technology is a notoriously fickle beast, and even minor software bugs can lead to major headaches and plummeting employee productivity. Timely application of patches ensures that any potential problems can be resolved as soon as possible, before your business grinds to a halt.
Knowing when not to apply an update can be just as important for good patch management, however. New software updates can cause compatibility issues between different systems, or can introduce new bugs of their own. Good patch management often involves making a judgement call on whether the security benefits of installing a patch which is known to cause issues are worth risking a little potential disruption.
What is vulnerability management?
Vulnerability management is a framework of processes for securing your corporate network. As stated above, it's broken into the discovery, reporting, prioritisation and response phases. These phases are all crucial, and each feeds into the next.
The discovery phase involves taking a complete inventory of every asset within your IT estate. This includes servers, backup appliances, laptops, printers, screens - anything that might be connected to the corporate network. You need to establish what you have, what software it's running, whether it's still supported by security patches from the manufacturer and how up to date its software is, as well as configuration details.
This can be an incredibly tedious task, but it's an absolutely essential one; if you don't have a complete picture of what you have, unpatched hardware can introduce unseen security holes into your network. Lest we forget, this is how Equifax was caught out. Luckily, there are a range of network monitoring tools to help make this task easier by automatically detecting and querying network devices.
Once you have a complete and up-to-date picture of what's on your network and what state it's in, that raw data needs to be compiled into a report of some kind. This should ideally be an easy-to-read overview of which machines or business areas are most vulnerable, based on criteria such as the severity of any unpatched flaws and their proximity to sensitive information.
This can also be done automatically by software; many enterprise security solutions will enable you to automatically create reports and digests with the results of automatic network scans in order to speed up the process. Reporting feeds into the next step, prioritisation, and some vulnerability management programs class them as part of the same stage.
Arguably the most important stage of the vulnerability management process, prioritisation is where you decide the order in which you're going to address the vulnerabilities within your network. This will be based on a number of factors, but the principal things to consider are: how long it will take to fix, how much it will cost to fix and how much risk it poses. Which factor you give the most priority to will likely depend on the individual circumstances of your business, but it's a good idea to prioritise high impact, low-effort fixes where possible.
In many cases, the likelihood of a flaw being exploited, or the potential impact if it is, will be low enough that you can judge leaving it unpatched to be an acceptable risk. Alternatively, the cost of fixing something may be so high as to make it unfeasible with your current resources. The important thing is to be able to identify these acceptable risks and to be aware of them going forward.
Having established what vulnerabilities your network has and what order you're going to address them in, the final stage is to respond to them. In some cases, this can be as simple as installing any outstanding infrastructure patches or reconfiguring a vulnerable network device. Other measures may be more costly or time-consuming, however, such as creating a patch for your own application or replacing a device that is no longer supported by the manufacturer.
You can also take the decision to mitigate an issue by partly addressing the problems or, as mentioned above, by accepting the risks posed by a particular vulnerability. Once you've completed the response cycle, the process starts again with a fresh round of discovery to see what the state of your network is after your actions to secure it.
Why is vulnerability management important?
Vulnerability management is crucial because it gives you an overview of your security posture as a whole. It gives you a sense of which areas of your infrastructure are most at risk, which allows you to not only prioritise security remediation, but also helps inform future IT investment.
More importantly, vulnerability management gives you insights into potential security holes beyond what you can learn from looking at a list of outstanding patches. There may be a piece of software that is known to be vulnerable, for example, but for which a patch is not yet available. In this case, looking at unapplied patches would not have alerted you to the issue.
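To make the prioritisation and response stages above concrete, here is a small added example (not from the article or any named product) that scores constructed findings by the factors the text lists: severity, proximity to sensitive data, fix effort, and whether a vendor patch exists. It also shows the point just made: a known-vulnerable system with no patch available is invisible to a patch-only view but is surfaced by a vulnerability-management view. All asset names and values are made up.

```python
"""Toy vulnerability-management prioritiser (added example; constructed data)."""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    issue: str
    severity: int          # 1 (low) .. 10 (critical), from the scan/report stage
    near_sensitive: bool   # asset holds or sits next to sensitive information
    effort_hours: float    # estimated time/cost to fix
    patch_available: bool  # False = known flaw, but no vendor fix exists yet


# Constructed sample inventory, as produced by the discovery and reporting stages.
INVENTORY = [
    Finding("db-prod-01", "outdated database engine", 9, True, 2, True),
    Finding("printer-3f", "outdated firmware", 4, False, 1, True),
    Finding("legacy-scada", "known flaw, vendor has no fix", 8, True, 40, False),
    Finding("kiosk-lobby", "old browser plugin", 3, False, 0.5, True),
    Finding("backup-appl", "missing OS updates", 7, True, 60, True),
]


def risk_score(f: Finding) -> int:
    """Impact weighted by exposure: proximity to sensitive data doubles the weight."""
    return f.severity * (2 if f.near_sensitive else 1)


def priority(f: Finding) -> float:
    """High-impact, low-effort fixes first: risk per hour of effort."""
    return risk_score(f) / max(f.effort_hours, 0.5)


def classify(f: Finding, accept_below: int = 5) -> str:
    """Decide the response: accept the risk, patch, or mitigate/replace when no patch exists."""
    if risk_score(f) < accept_below:
        return "accepted-risk"        # record it and revisit on the next discovery cycle
    if not f.patch_available:
        return "mitigate-or-replace"  # compensating controls or decommissioning, not a patch job
    return "patch"


def plan(findings):
    """Ordered (asset, action) list of the work to do; accepted risks are tracked separately."""
    actionable = [f for f in findings if classify(f) != "accepted-risk"]
    return [(f.asset, classify(f)) for f in sorted(actionable, key=priority, reverse=True)]


def accepted_risks(findings):
    return [f.asset for f in findings if classify(f) == "accepted-risk"]


def missed_by_patch_list(findings):
    """Findings a list of outstanding patches would never show: there is no patch to list."""
    return [f.asset for f in findings if not f.patch_available]
```

Running `plan(INVENTORY)` puts the production database first (high risk, two hours of effort) and the unpatchable SCADA host ahead of the slow backup-appliance fix, while `missed_by_patch_list` returns only the SCADA host.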