The need to patch doesn’t go away just because you’re stuck working at home. Without access to your network operations center (NOC), however, patching may be that much more difficult. If a patch causes an application failure, you might find that downtime lasts a lot longer because it is so much harder to work out what went wrong. Here’s how to cope.
Patching was Already a Huge Problem
According to a study by the Ponemon Institute, 57% of all data breaches were preventable via an available patch. What’s more, approximately one-third of those affected by a preventable data breach knew about the vulnerability.
While this is staggering on its face, it doesn’t point to systemic incompetence. Rather, it reflects the fact that patching a vulnerability, even one you know is there, can be difficult, tedious, and sometimes close to impossible. Barriers to patching include the following:
- There aren’t enough staff in the data center, nor hours in the day, to patch the vast and increasing number of vulnerabilities that show up every year. In 2019, there were 20,365 recorded vulnerabilities to patch, an increase of 17.6% over 2018.
- In order to patch a vulnerability, a patch has to exist. Approximately 20% of vulnerabilities have no patch available on the day they are disclosed, and when a patch is missing on day one it can take the vendor months to release one.
- Patch management systems are usually ad hoc, taking the form of spreadsheets, emails, and other mechanisms that let mission-critical patching assignments fall through the cracks.
Finally, there are broken patches to contend with: patches that break the application itself or cause dependent applications to fail. These can be hard to deal with because tracking down a complex breakage may require a physical visit to the data center (unless you have the kind of tooling discussed below).
The Pandemic is Exacerbating the Problems with Patching
Data centers around the world are taking steps to mitigate the public health consequences of the COVID-19 pandemic. You may need to be screened for symptoms before entering a data center, you will need to disinfect high-touch surfaces such as keyboards and mice, and you may need to postpone preventive maintenance. In other words, you have less time in the data center and a backlog of patches to handle.
Any backlog is bad news when it comes to patching: a backlog of patches quickly turns into a list of patches that will never be applied. You have several tasks:
- Understand which devices are most out of date and which represent the biggest security risk to your organization.
- Create a shared task list for you and your co-workers to tackle these patches—without using spreadsheets or email.
- Track down and mitigate any failures caused by patches before customers and users notice the unplanned downtime.
- Do all of this while minimizing in-person visits to your data center or NOC.
Fortunately, several tools let you perform these tasks without leaving security gaps, exposing your workforce to outages, or putting anyone’s health at risk.
Use Automated Discovery and Application Dependency Mapping to Augment Patch Management
In all likelihood, you’ve been organizing your patch management efforts around some kind of CMDB (configuration management database). These databases often rely on manual data entry, however: you pull up information about a server, copy and paste it into the CMDB, and repeat the exercise every time something changes.
Auto-discovery dramatically improves this process. With Device42, you can automatically discover every piece of infrastructure in your data center and load it into your CMDB. When the data center environment changes, the CMDB updates to reflect this. If the version number of an application or operating system doesn’t match the latest release, Device42 flags it for your attention. You can also configure alerts to trigger if an application contains known vulnerabilities.
Device42’s application dependency mapping helps your patch management efforts even further. If your patch causes a failure in a dependent application, this feature helps you understand where the failure is and how it started. If your application has been decomposed into microservices, Device42 can help you understand the failure on the service level, within the application itself.
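To make the two ideas above concrete (flagging out-of-date or vulnerable components from a discovered inventory, and using a dependency map to see what a failed patch can take down), here is a small added example. It is generic illustration code written for this article, not Device42’s product or API, and every host name, version number, advisory score and dependency edge in it is constructed sample data.

```python
"""Added illustration for the discovery / dependency-mapping discussion above.
Generic example code, not Device42's product or API. Every host, version,
advisory and dependency edge below is constructed sample data."""
import re
from collections import deque

# Constructed inventory: what an auto-discovery pass might record per host.
INVENTORY = {
    "web-01": {"nginx": "1.18.0", "openssl": "1.1.1k"},
    "web-02": {"nginx": "1.20.1", "openssl": "1.1.1k"},
    "db-01":  {"postgresql": "12.4", "openssl": "1.1.1d"},
    "app-01": {"openjdk": "11.0.11", "openssl": "1.1.1k"},
}
# Constructed "latest release" feed (hypothetical version numbers).
LATEST = {"nginx": "1.20.1", "openssl": "1.1.1k",
          "postgresql": "12.7", "openjdk": "11.0.11"}
# Constructed advisories: (product, first fixed version, CVSS score).
# Illustrative numbers only, not real CVE data.
ADVISORIES = [("openssl", "1.1.1k", 9.8),
              ("nginx", "1.19.0", 7.5),
              ("postgresql", "12.5", 5.3)]
# Constructed dependency map: component -> components it depends on.
DEPENDS_ON = {
    "checkout-service": ["api-service"],
    "api-service": ["app-01", "db-01"],
    "web-01": ["api-service"],
    "web-02": ["api-service"],
}


def parse_version(s):
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so tuples compare sanely.
    Handles dotted numeric parts with an optional letter suffix only."""
    parts = []
    for piece in s.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unsupported version string: {s!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def outdated(inventory=INVENTORY, latest=LATEST):
    """(host, product, installed, latest) for every component behind the feed."""
    hits = []
    for host, apps in inventory.items():
        for product, installed in apps.items():
            newest = latest.get(product)
            if newest and parse_version(installed) < parse_version(newest):
                hits.append((host, product, installed, newest))
    return hits


def vulnerable(inventory=INVENTORY, advisories=ADVISORIES):
    """Components installed below an advisory's fixed version, worst CVSS first."""
    hits = []
    for host, apps in inventory.items():
        for product, fixed_in, cvss in advisories:
            installed = apps.get(product)
            if installed and parse_version(installed) < parse_version(fixed_in):
                hits.append((host, product, installed, fixed_in, cvss))
    return sorted(hits, key=lambda h: -h[4])


def prioritize(inventory=INVENTORY, advisories=ADVISORIES, latest=LATEST):
    """Order hosts for the patch queue: highest CVSS exposure first,
    then by how many components are out of date, then by name."""
    worst = {host: 0.0 for host in inventory}
    for host, _, _, _, cvss in vulnerable(inventory, advisories):
        worst[host] = max(worst[host], cvss)
    behind = {host: 0 for host in inventory}
    for host, _, _, _ in outdated(inventory, latest):
        behind[host] += 1
    return sorted(inventory, key=lambda h: (-worst[h], -behind[h], h))


def blast_radius(component, depends_on=DEPENDS_ON):
    """Everything that transitively depends on `component`, i.e. what may
    fail if a patch to it goes wrong. Walks the reversed dependency graph."""
    reverse = {}
    for dependant, deps in depends_on.items():
        for dep in deps:
            reverse.setdefault(dep, []).append(dependant)
    seen, queue = set(), deque([component])
    while queue:
        cur = queue.popleft()
        for dependant in reverse.get(cur, []):
            if dependant not in seen:
                seen.add(dependant)
                queue.append(dependant)
    return seen


if __name__ == "__main__":
    for row in vulnerable():
        print("VULN", *row)
    print("patch order:", prioritize())
    print("if db-01 breaks:", sorted(blast_radius("db-01")))
```

Two practical caveats. Comparing version strings against a release feed is only a first filter: distributions that backport fixes keep the old upstream version string, so confirm against the package’s own changelog or the vendor advisory before treating a host as vulnerable. And the dependency walk is only as good as the discovered graph; a dependency that was never recorded will not show up in the blast radius, which is exactly why the page argues for automated rather than hand-entered mapping.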
Within Device42, auto-discovery and dependency mapping are agentless processes that add little network load. In other words, you can get started quickly and run them often to keep an accurate picture of your network, and then patch without headaches. For more information about Device42 and how we can help you with patch management, download a free trial today!