There was an interesting article in the Financial Times this week that explains why it takes companies so long to patch their systems.

It’s a shame to always have to hear from security professionals “if you had installed this patch, this update, this version, you wouldn’t have been compromised”.

So how can we accelerate patching operations and stop such damaging attacks from succeeding? Let’s have a look.

You had plenty of time to patch, just do it!

Looking at the recent #wannacry #wcry #ransomware events, it is fair to ask how a May attack that exploits a vulnerability Microsoft patched in March could be so successful.

Preventing the WCry worm was as simple as installing the Windows patch Microsoft had published in March (the SMB fix shipped as MS17-010) at any point between March and early May. Organizations have patching policies, and none of them say “let’s wait two months to apply a critical patch”. Obviously not! Their rules are to fix critical vulnerabilities within hours or days, not months!

So what’s not going right here?

The risk to patch is too high, really?

An IT executive from a large organization tells the FT in the article: “we can’t risk business continuity by constantly sending patches out through systems, there is no simple solution to this simple problem”. Another IT professional interviewed said “it’s difficult to keep software up to date”.

Well understood. You can’t afford to fix something critical on one side (a vulnerability) by breaking something else critical on the other side (business continuity). But delivering services to the business is precisely the job of IT operations: services that enable productivity, services that are reliable and secure. So yes, you must balance security against continuity, and also performance, experience, agility, satisfaction, efficiency and more. It’s a multi-variable equation to solve almost minute by minute. Your business is digitized one way or another; it depends on how its systems and services perform, and on how you maintain quality and performance while you update, change, add, move and secure them over time.

It’s not a simple problem, but it’s a problem you need an answer for if you want to avoid a repeat of the WCry disaster.

Stop patching blindly, patch & verify!

Solving this equation requires operating IT transversely, not in silos. Today, siloed visibility into what is going on makes it hard, complicated and risky to deploy a patch while keeping all the other variables under control. The security silo writes policies and makes recommendations, another silo patches the systems, another is responsible for service quality, end users are supported by yet another team, and so on, each with its own tools, KPIs and view of what matters. In other words, each of them is totally focused on its own slice of the equation.

Today, as far as the full equation is concerned, patches are applied more or less blindly into the real world of business activity and its diversity of systems and configurations. In a lab you can run every test and validation you like, but the lab is never a copy of what everyday users actually run.

You must have full visibility into every system, computer and application as business users and customers actually use them, before, during and after the patch deployment. That means visibility into the patch itself (is it installed, and is it actually in effect, or still waiting on a reboot to become so?) and into any experience metric it may have affected, such as network performance, application crashes, longer boot times or slower computers. And you need this proactively, at the first occurrence or first sign of degradation, not by waiting for people to call the helpdesk, so that you can fix the issue and stop the business impact from spreading.

Think patching experience not process

You need to not only push a patch to the systems that carry the vulnerability, but also verify the impact that patch has on the reliability and performance of your systems, applications and services. Knowing whether the patch is installed everywhere is great, but it is not sufficient. Extend your visibility and analysis to reduce the risk: it makes you confident enough to patch faster, and it tells you whether the patch is causing side effects that hurt business efficiency, user satisfaction and productivity.
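The “patch & verify” loop described above, as an added example that is not part of the original post or of any Nexthink product: a ring-gated rollout check that treats “installed” and “effectively enforced” separately, compares each device’s boot time and crash count against its own baseline, and decides whether the rollout should proceed to the next ring, be held because of side effects, or first be remediated because coverage is too low. The fleet telemetry, the ring layout, the thresholds and all device names are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import median
from typing import Dict, List


@dataclass
class Device:
    name: str
    ring: int              # deployment ring: 0 = pilot, 1 = early adopters, 2 = everyone else
    installed: bool        # the patch package reports a successful install
    reboot_pending: bool   # installed, but not active until the next reboot
    boot_before: float     # median boot time in seconds, week before deployment
    boot_after: float      # median boot time in seconds, since deployment
    crashes_before: int    # application crash events, week before deployment
    crashes_after: int     # application crash events, since deployment


def effectively_patched(d: Device) -> bool:
    """'Installed' is not 'enforced': a fix waiting on a reboot protects nothing yet."""
    return d.installed and not d.reboot_pending


def regressions(d: Device, boot_tolerance: float, crash_tolerance: int) -> List[str]:
    """Experience regressions on one device, measured against its own baseline."""
    found = []
    if d.boot_before > 0 and d.boot_after / d.boot_before - 1 > boot_tolerance:
        found.append("slower boot")
    if d.crashes_after - d.crashes_before > crash_tolerance:
        found.append("more crashes")
    return found


def evaluate_ring(fleet: List[Device], ring: int, *, min_enforced: float = 0.95,
                  boot_tolerance: float = 0.25, crash_tolerance: int = 2,
                  max_degraded: float = 0.05) -> Dict[str, object]:
    """Gate the rollout for one ring: proceed, remediate coverage, or hold.

    Thresholds are illustrative assumptions: 95% of the ring must be enforced,
    boot time may grow by at most 25%, and at most 5% of patched devices may
    show a regression before the rollout is paused.
    """
    members = [d for d in fleet if d.ring == ring]
    if not members:
        raise ValueError(f"no devices in ring {ring}")
    enforced = [d for d in members if effectively_patched(d)]
    pending = sorted(d.name for d in members if d.installed and d.reboot_pending)
    missing = sorted(d.name for d in members if not d.installed)
    degraded: Dict[str, List[str]] = {}
    for d in enforced:                      # only enforced devices can show patch side effects
        why = regressions(d, boot_tolerance, crash_tolerance)
        if why:
            degraded[d.name] = why
    enforced_rate = len(enforced) / len(members)
    degraded_rate = len(degraded) / len(enforced) if enforced else 0.0
    boot_ratio = median(d.boot_after / d.boot_before for d in enforced) if enforced else None

    if degraded_rate > max_degraded:
        decision = "hold"        # side effects are showing: investigate before widening
    elif enforced_rate < min_enforced:
        decision = "remediate"   # chase reboots and failed installs before widening
    else:
        decision = "proceed"
    return {"ring": ring, "decision": decision, "enforced_rate": enforced_rate,
            "pending_reboot": pending, "not_installed": missing,
            "degraded": degraded, "median_boot_ratio": boot_ratio}


# Constructed telemetry for three rings (not real data).
FLEET = [
    # ring 0, pilot: all enforced, experience unchanged
    Device("pilot-01", 0, True, False, 40.0, 41.0, 1, 1),
    Device("pilot-02", 0, True, False, 35.0, 36.0, 0, 0),
    Device("pilot-03", 0, True, False, 52.0, 50.0, 2, 1),
    Device("pilot-04", 0, True, False, 45.0, 47.0, 0, 1),
    # ring 1: two machines never rebooted, one install failed
    Device("fin-01", 1, True, False, 38.0, 39.0, 0, 0),
    Device("fin-02", 1, True, True, 38.0, 38.0, 0, 0),
    Device("fin-03", 1, True, True, 44.0, 44.0, 1, 1),
    Device("fin-04", 1, False, False, 41.0, 41.0, 0, 0),
    Device("fin-05", 1, True, False, 30.0, 31.0, 0, 0),
    # ring 2: fully enforced, but two machines boot slower and crash more since the update
    Device("ops-01", 2, True, False, 36.0, 37.0, 0, 0),
    Device("ops-02", 2, True, False, 39.0, 62.0, 0, 5),
    Device("ops-03", 2, True, False, 42.0, 43.0, 1, 0),
    Device("ops-04", 2, True, False, 40.0, 58.0, 0, 4),
]

if __name__ == "__main__":
    for ring in (0, 1, 2):
        print(evaluate_ring(FLEET, ring))
```

Run as-is, the pilot ring proceeds, the finance ring comes back as “remediate” (only 2 of 5 devices are actually protected, the rest are waiting on a reboot or a failed install), and the ops ring is held because half of its patched devices show slower boots and extra crashes. The point is the ordering: coverage numbers alone would have called ring 2 a success.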

Last but not least, you need these answers in close to real time. It’s a multi-variable equation that must be solved continuously. Don’t think audit, picture or snapshot: you need a live 3D movie!

Wanna patch now so you don’t have to cry later?

Nexthink streamlines and reduces risk around these patching operations by offering transversal visibility, feedback, insights and intelligence for both compliance and quality of IT systems and services. Want to learn more about how we can help you streamline your approach? Get in touch.