WIXLIB

Closing the Door on CybercriminalsBest Practices for Patch Management

Closing the Door on CybercriminalsBest Practices for Patch ManagementSimply put, the bad guysare constantly searchingfor any possible pointof entry that can beexploited by viruses andmalware.It’s no secret that today’s securityenvironment is more dangerous and dynamicthan ever before. The sheer quantity andfrequency of new threats that confronts ITprofessionals is daunting, as cybercriminalsrelentlessly probe for weaknesses andvulnerabilities in an organization’s network.What’s more, the rising number of end userswho work remotely and/or use mobile devicesmakes cyberattacks on endpoints outsideof the network increasingly attractive tocriminals.Simply put, the bad guys are constantlysearching for any possible point of entry thatcan be exploited by viruses and malware. Theease and speed with which criminals nowdevelop new threats means that virtually anyapplication can be quickly targeted. It isn’tjust widely-used software solutions underattack anymore, as even relatively obscureapplications and vulnerabilities are beingpursued.This heightened threat environment putsadditional pressure on you to implement acomprehensive security strategy that ensuresservers and endpoints don’t present windowsof opportunity for a security breach, no matterhow temporary or seemingly innocuousthose opportunities maybe. Deploying a superiorendpoint protection solutionis obviously key, but oneof the most overlookedcomponents of an effectivesecurity strategy is patchmanagement.patches that remove those vulnerabilities. Themore quickly and efficiently you can deploythose patches, the sooner you will neutralizesignificant security threats.As such, it’s useful for you to review thefollowing list of patch management bestpractices, which will help you formulate acohesive patch management strategy thatcan maximize network security and preventdisruptions to operational efficiency andproductivity.Patch management hasbecome increasinglyimportant becausecybercriminals areconstantly discoveringnew vulnerabilities, whichforces software vendors tothen respond with frequentand irregularly-scheduledClosing the Door on Cybercriminals: Best Practices for Patch ManagementVIPRE SECURITY / 2

The fundamental objective of any patchmanagement policy is to quickly identifyand eliminate vulnerabilities. As soon asnotification is received of a new patch tocorrect a critical weakness, the IT teamshould clearly understand: Who is responsible for administeringthe patch How the patch will deployed (e.g.,manually, via automation) When the patch will be fullyimplemented How the patch deployment will beverified In what priority multiple patches will beappliedAn obvious example of prioritization is toapply the most critical or important patchesfirst. Beyond that, determining the relativeurgency of deploying any given patchinvolves a number of factors (e.g., nature ofthreat a particular patch addresses, specificsystems at risk for threat, etc.).Step 1: Develop Clearly-DefinedPoliciesEstablishing the details of patchmanagement policies first is crucial. Thistype of proactive approach enables you toevaluate potential challenges in advanceand methodically determine guidelinesfor addressing them. By contrast, areactive management approach is oftencharacterized by hastily-created and poorlycoordinated ad hoc processes that lackconsistency and long-term efficacy.Step 2: Follow Consistent ProcessesThere are several ways that you can receiveinformation about newly-released patchesthat address product flaws or vulnerabilities.These notifications may originate fromMicrosoft Windows Automatic Updates,the Microsoft Security Notification Service,Remote Monitoring and Management (RMM)software, a third-party client managementproduct, or an endpoint protection solutionthat incorporates patch managementcapabilities.Closing the Door on Cybercriminals: Best Practices for Patch ManagementWhile IT professionalsuniversally appreciate theneed to prevent securityholes from opening inthe Windows operatingsystem, they shouldnot underestimate theimportance of patchmanagement for theextensive range of thirdparty software.While IT professionals universally appreciatethe need to prevent security holes fromopening in the Windows operating system,they should not underestimate theimportance of patch management for theextensive range of third-party softwaresolutions that are deployed on desktops andservers.Regardless of the specific tools you useto receive notifications, it is vital that youestablish and follow consistent processeswhen implementing new patches. This willensure you derive maximum benefit fromthem while minimizing any potential forconflicts or downtime. Such processesshould include:VIPRE SECURITY / 3

Maintaining robustnetwork securityrequires constantvigilance becausenew vulnerabilitiesand patches areemerging withrelentless frequency.Testing First, Then Deployingin StagesEvaluating Need for PatchingEven after testing has been successfullycompleted, it is still advisable to refrainfrom simultaneously applying a patchsystem-wide, as the testing processmay have failed to identify a potentialflaw or conflict. Applying patches toindividual workgroups or departmentsenables you to closely monitor themand ensure users have retained fullfunctionality of their machines andapplications.Periodically performing discovery togenerate an accurate inventory of systemsand applications running on the networkswill greatly strengthen the ability to protectagainst security threats. You can usethese reports to quickly map new patchnotification information (including thepatch type, rating and potentially-impactedsystems) to the IT environment anddetermine which systems require the patch(and how quickly) to prevent a breach.Once you’ve established that a patch isrequired, there are a number of methods toobtain the patch. Patch management toolscan range from completely manual (e.g.,downloading patches from the WindowsUpdate website) to almost entirely automatic(e.g., utilizing client management softwareor the built-in patch automation capabilitiesincluded in some endpoint securitysolutions).While it may be tempting to rush thedeployment of a critically-needed patchonto the networks, it’s important tonote that a flawed patch can potentiallywreak as much damage as the threatit seeks to prevent. Thus, testingshould always be conducted beforepatches are widely applied across the ITenvironment. This caveat is particularlyrelevant if the network employs customcode or proprietary software to supportbusiness operations.Verifying Installations WerePerformedDepending on the scale of a patchdeployment and the degree to which it’sperformed manually or via automation, it’spossible that the patch failed to be actuallyinstalled on some of the deployment’stargeted systems. As such you shouldinclude a reporting and validation processto ensure that all of the designated systemshave been successfully patched.Closing the Door on Cybercriminals: Best Practices for Patch ManagementStep 3: Implement AutomationAs noted earlier, maintaining robust networksecurity requires constant vigilancebecause new vulnerabilities and patchesare emerging with relentless frequency.Fortunately, solution providers aredeveloping new processes and tools to helpease the complex challenge of keeping patchmanagement up-to-date.and automation isone of the most powerful ways to meet thatchallenge.VIPRE SECURITY / 4

This latter approach is especially valuableto managed service providers (MSPs), whoare typically responsible for maintainingsecurity across hundreds or eventhousands of endpoints spread throughoutmultiple clients. The ability to control bothendpoint security and patch managementfunctionality from a single pane offers MSPsa tremendous boost in efficiency, withoutthe significant cost or added complexity ofdeploying a separate third-party patchingsolution.By its very nature, patch management isan ongoing and repetitive process thatlends itself particularly well to automation.Consider these essential steps thatcharacterize patch management, eachamenable to the benefits of automation: Periodic discovery of systemspotentially at risk Evaluating those systems forvulnerabilities Downloading patches deemednecessary Deploying patches to systems requiringthemAs a network grows, the efficiencies ofautomating patch management will becomeeven more apparent as technicians arefreed from performing the increasinglytime-consuming (and thus increasinglycostly) task of manually patching individualmachines.There are several different ways to introduceautomated patch management into an ITenvironment: Client management platform withbuilt-in patch management capabilities(either as a standalone product or partof an RMM solution) Third-party patching tool (e.g., Ninite,ManageEngine, etc.) to download,test and deploy updates to third-partyapplications Endpoint security solution withintegrated patch managementcapabilitiesClosing the Door on Cybercriminals: Best Practices for Patch ManagementVIPRE Advanced Security withIntegrated Patch ManagementRecognizing that patch management isan essential component of any effectiveendpoint security strategy, VIPRE makesit far easier and more economical for ITprofessionals to actively combat virusesand other cyberthreats while minimizingvulnerability to those threats due to out-ofdate third-party software.VIPRE Advanced Security is specificallydesigned to meet the security needs ofsmall-to-medium size businesses (SMBs),combining a comprehensive range ofendpoint protection capabilities withexceptional ease of use via its centralizedmanagement console. Included at no chargeand integrated within that console, the VIPREPatch Management tool automatically scanseach endpoint for all of the applicationsinstalled, and then collects details on theVIPRE SECURITY / 5

.patch management toolsincluded with VIPRE AdvancedSecurity are not only vital forreducing vulnerabilities tosecurity threats, they also boostend user productivity.currently-installed version to see if there is a newer versionavailable (see Figure 1).Figure 2: Patches can be individually approved for granular control.Figure 3: Patch Management is seamlessly integrated with VIPRE’s management console.If a new version is available, VIPRE will then locate theavailable version and (depending on the policy designated bythe administrator) either notify the admin of this availabilitythrough the VIPRE console or automatically install the newversion on the endpoint (see Figure 2).As can be seen in Figure 3, the Patch Managementfunctionality is easily accessible directly within VIPRE’s PolicyProperties pane.It’s worth noting that the patch management tools includedwith VIPRE Advanced Security are not only vital for reducingvulnerabilities to security threats, they also boost end userproductivity by resolving software bugs and increasingapplication performance.Figure 1: VIPRE automatically scans endpoint to discover all applications eligible for patching.Closing the Door on Cybercriminals: Best Practices for Patch ManagementVIPRE SECURITY / 6