Patch management
Patch management is concerned with the identification, acquisition, distribution, and installation of patches to systems. Proper patch management can be a net productivity boost for an organization. Patches can be used to defend against and eliminate potential vulnerabilities of a system, so that no threats may exploit them. Problems can arise during patch management, including buggy patches that either fail to fix their problem or introduce new issues. Patch management tools help orchestrate all of the procedures involved in patch management.
Description
Patch management is defined as a sub-practice of various disciplines, including vulnerability management (part of security management), lifecycle management (with further possible sub-classification into application lifecycle management and release management), change management, and systems management. The practice is broadly concerned with the identification, acquisition, distribution, and installation of patches to systems. Some definitions treat patch management as a software-level practice,[1] while others treat it as a systems-level process covering software, drivers, and firmware.[2][3][4]
Cost–benefit analysis
While reserving time for patching takes up enterprise resources, there are balancing factors which can make proper patch management into a net productivity boost for an organization. Up-to-date systems often perform more efficiently and at lower cost, with fewer errors, fewer security risks, and better user workflow. Additionally, compliance with changing local and federal regulations is more likely to be satisfied.[1][2][3][4]
Relation to security management
Patches can be used to defend against and eliminate potential vulnerabilities of a system, so that no threats may exploit them; therefore, patch management can be considered a sub-discipline of vulnerability management. Every patchable device in a system presents an attack surface that must be secured.[4]
Challenges
Many problems can arise during patch management. A common issue is buggy patches, which either fail to fix their problem or introduce new issues. Another issue is deployment synchronization, since various subsystems may receive instructions to update at different times. Similarly, the difficulty of patch management across many devices may grow at an uncontrollable rate depending on organizational size.[3]
One prominent demonstration of the challenges facing proper patch management was the buggy Falcon Sensor patch by CrowdStrike which caused one of the worst IT outages of all time.[5]
Implementations
A patch management tool (alternatively patch manager, patch management system, patch management software, or centralized patch management) helps orchestrate all of the procedures involved in patch management. Tools can be in-house (applied locally by local administrators) or external, as with managed service providers (applied externally by a provider).
Patch management software
- Intel Active Management Technology, used with Intel vPro technologies, has features like scheduling, upgrade verification, and remote management; implementing patches along with unified endpoint management.[2]
- Windows Update for Business, System Center Configuration Manager, and Windows Server Update Services offer control over patch deployment, with features enabling testing, scheduling updates, and setting custom configurations on Windows platforms.[3][6]
Managed service providers
Regulatory requirements
Timely patching of software vulnerabilities is a requirement under multiple regulatory frameworks.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to protect electronic protected health information by implementing security measures sufficient to reduce risks to a reasonable and appropriate level, which industry guidance has long interpreted to include timely patch management.[7] The December 2024 Notice of proposed rulemaking (NPRM) to overhaul the HIPAA Security Rule would make patch management requirements explicit, mandating that covered entities and business associates deploy security patches and updates within a defined risk-based timeline and maintain written procedures for prioritizing, testing, and applying patches to systems that store, process, or transmit ePHI.[8]
The Payment Card Industry Data Security Standard (PCI DSS) requires organizations to protect system components from known vulnerabilities by installing applicable security patches within one month of release for critical patches (Requirement 6.3.3).[9] The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities catalog that compels U.S. federal agencies to remediate listed vulnerabilities within specified timelines under Binding Operational Directive 22-01.[10]
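The deadlines above combine in practice: a patch is due at the earlier of its severity-based remediation window and any mandated due date from a known-exploited-vulnerabilities catalog. The following is an added example, not code from any cited source, that classifies a constructed patch inventory against such deadlines; the 30-day critical window approximates the PCI DSS "one month", while the other tiers, the placeholder CVE ids, the catalog entry and the report date are all assumptions.

```python
from datetime import date, timedelta

# Remediation windows in days from patch release. The 30-day critical window
# approximates the PCI DSS "one month" cited above; the other tiers are an
# assumed organizational policy, not taken from any standard.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Constructed sample inventory with placeholder CVE ids, not real advisories.
PATCHES = [
    {"host": "web-01", "cve": "CVE-0000-0001", "severity": "critical",
     "released": date(2024, 5, 1), "installed": date(2024, 5, 20)},
    {"host": "web-02", "cve": "CVE-0000-0001", "severity": "critical",
     "released": date(2024, 5, 1), "installed": date(2024, 6, 5)},
    {"host": "db-01", "cve": "CVE-0000-0001", "severity": "critical",
     "released": date(2024, 5, 1), "installed": None},
    {"host": "app-02", "cve": "CVE-0000-0002", "severity": "medium",
     "released": date(2024, 4, 15), "installed": None},
    {"host": "app-03", "cve": "CVE-0000-0003", "severity": "low",
     "released": date(2024, 3, 1), "installed": None},
]
# Constructed known-exploited list: CVE id -> mandated remediation due date.
KEV_DUE = {"CVE-0000-0002": date(2024, 5, 10)}
# Constructed report date.
TODAY = date(2024, 6, 15)


def deadline(patch, kev_due=KEV_DUE):
    """Earliest applicable deadline: severity SLA, overridden by a sooner catalog date."""
    sla = patch["released"] + timedelta(days=SLA_DAYS[patch["severity"]])
    kev = kev_due.get(patch["cve"])
    return min(sla, kev) if kev else sla


def status(patch, today, kev_due=KEV_DUE):
    """Classify one record as (state, days): overdue/pending if uninstalled, late/compliant if installed."""
    due = deadline(patch, kev_due)
    installed = patch["installed"]
    if installed is None:
        return ("overdue", (today - due).days) if today > due else ("pending", (due - today).days)
    return ("late", (installed - due).days) if installed > due else ("compliant", 0)


def report(patches, today, kev_due=KEV_DUE):
    """Map (host, cve) -> (state, days) for every record, usable as an audit artifact."""
    return {(p["host"], p["cve"]): status(p, today, kev_due) for p in patches}


if __name__ == "__main__":
    for (host, cve), (state, days) in report(PATCHES, TODAY).items():
        print(f"{host:8} {cve:14} {state:10} {days:4d} days")
```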
References
- [1] "Patch Management: Definition & Best Practices". Rapid7. https://www.rapid7.com/fundamentals/patch-management/.
- [2] "What Is Patch Management?". Intel. https://www.intel.com/content/www/us/en/business/enterprise-computers/resources/patch-management.html.
- [3] "What is patch management? Lifecycle, benefits and best practices". TechTarget. https://www.techtarget.com/searchenterprisedesktop/definition/patch-management.
- [4] "What is patch management?". IBM. 20 December 2022. https://www.ibm.com/topics/patch-management.
- [5] Milmo, Dan; Kollewe, Julia; Quinn, Ben; Taylor, Josh; Ibrahim, Mimi (19 July 2024). "'Largest IT outage in history' hits Microsoft Windows and causes global chaos". The Guardian. https://www.theguardian.com/australia-news/article/2024/jul/19/microsoft-windows-pcs-outage-blue-screen-of-death.
- [6] Firch, Jason (30 March 2023). "Windows Patch Management Best Practices For 2023". PurpleSec. https://purplesec.us/learn/windows-patch-management.
- [7] "Security Standards: Administrative Safeguards". U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/security/guidance/administrative-safeguards/index.html.
- [8] "HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information". Federal Register. 6 January 2025. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information.
- [9] "PCI DSS v4.0". PCI Security Standards Council. https://www.pcisecuritystandards.org/document_library/.
- [10] "Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities". Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/known-exploited-vulnerabilities-catalog.