Patching strategies in corporate infrastructure

How to distribute patches on company computers without causing disruptions.

Microsoft has repeatedly had to publish patches for bugs that cropped up in previous fixes, which has hardly helped to mitigate (already considerable) distrust in updates. Among the findings of our recent survey “Device updates: What’s stopping people from making the change?” was that 51% of respondents, business and consumer, put off updates, waiting to see if others experience problems.

On the one hand, that’s understandable; no one wants an update to tank their corporate network, and business downtime can result in significant damage. On the other hand, keep in mind that attacks can quickly follow patch releases because cybercriminals know all about update reluctance. The safer path lies somewhere in between: You need to install patches in a timely manner, but you also must check them for compatibility with infrastructure.

Windows updates are just a part of the problem; other software needs patches and other updates as well. Other software developers may not notify users of updates and fixes as regularly and actively as Microsoft does, however. How can administrators learn about updates and prioritize their installation?

 

Device updates webinar

Device updates webinar

 

Updating software in a test environment

Unfortunately, it is impossible to automate the updating process fully in a corporate environment. Because each company’s combination of hardware and software is unique, there is always a danger that the next update will cause errors or incompatibility. Only a system administrator deeply familiar with a company can make an informed decision about each patch. A test environment can provide a safe space in which to install updates without risking other company systems.

Test environment

In large companies, especially ones that use specialized software, the infosec department usually has a test subnet with computers (or at least several virtual machines) for checking new updates before rolling them out throughout the company. Smaller businesses more commonly use just one computer for tests. Administrators install fresh patches on the test machines, which simulate a typical work environment for the company, and then monitor.

The method is neither cheap nor completely reliable. It is rather difficult to recreate a real-life person and their real-life work on a test machine, especially a virtual one. Problems may crop up in certain features rather than immediately upon installation, for example.

Gradual installation method

Some IT departments employ an alternative method and install updates in batches, ensuring everything is running smoothly before proceeding with more.

Of course, leaving a portion of the infrastructure unprotected is risky, but the benefits of real-world patch testing may outweigh the risk.

Prioritizing updates with a patch-management system

Using an update-management system makes finding relevant updates and prioritizing their installation much easier by alerting administrators to relevant updates and providing context for the vulnerabilities they address.

Kaspersky Systems Management solution handles that task, simplifying system administration by centralizing and automating software and hardware inventory, assessing vulnerabilities, and distributing patches and updates. Kaspersky Systems Management is part of Kaspersky Endpoint Security for Business.

Tips