Timely tips for non-negotiable patch updates

Print Friendly, PDF & Email

For many software users, updates and patches are at best a nuisance and at worst a drain on productivity. However, deploying regular software patches has become a must in cybersecurity. Neglect patch updates for too long, and the data vulnerabilities rack up quickly.

MSPs have a big role to play in keeping client software updated, particularly as new threat advisories are emerging at a rapid pace. For example, just in June, Barracuda found several threats via its Security Operations Center (SOC), such as:

  • A zero-day exploit in all versions of Atlassian Confluence Server and Data Center products
  • A file version control functionality in Microsoft 365 and Office 365 that enables threat actors to encrypt files stored with ransomware
  • A vulnerability in Microsoft Azure Synapse, dubbed SynLapse, that allows cybercriminals to access significant amounts of sensitive user data

Because MSPs should be alerting clients to these risks, they need to know what software updates and patches are available to fix the problem.

MSPs should be able to download and apply patch updatesß and ensure correct installation. However, clients may push back on this process because of the time required to perform machine reboots. Remote monitoring and management (RMM) tools like those offered by Barracuda can help MSPs streamline and automate patch management while minimizing customer downtime.

An RMM with automated patch management that includes OS and third-party applications can help MSPs accelerate deployment while freeing staff up to focus on other mission-critical tasks. The RMM should be easy to use, fully configurable, and provide endpoint security and visibility into client patch status/compliance. Optimally, the system should help automatically scan systems for needed patches and allow MSPs to prioritize patches based on urgency or criticality.

These systems also help centralize patch management across the client base. As a result, staff can rapidly deploy a patch across clients and systems without manually managing lists, spreadsheets and schedules. The RMM also can enable continuous monitoring for patch status, which helps MSPs be more proactive with updates.

However, RMM is only part of a comprehensive approach to patch management. Other best practices include:

  • Inventory all devices and assets on client IT infrastructures. You cannot patch systems that you don’t know exist. (This can also help make recommendations about system consolidation if the threat surface is particularly sprawling.)
  • Create a comprehensive patch management policy that clients and staff understand. Having these policies in place helps ensure compliance and sets customer expectations.
  • Limit administrative privileges, if possible. Your clients may allow employees admin privileges for work computers, mainly if they take mobile units home or on the road. This can complicate the patch management process, as employees may ignore updates. Limiting those privileges will allow for better, centralized updates.
  • Prioritize patching of systems based on risk level and criticality. Some threats are more serious than others, and some patches address minor issues that don’t require an immediate response. This prioritization will help organize resources around the most critical systems and improve scheduling.
  • Test patches internally to verify they’re working before widespread deployment. Then, if there is a problem or an issue (or an incompatibility based on operating system release), you can work out the bugs before they affect client systems. Be sure to audit those patches to monitor for compatibility problems.
  • MSPs should also have a rollback plan in place if any performance issues are related to a specific update. That means there should be data backup and recovery solutions associated with patch processes.
  • Schedule updates around software patch releases (for example, vendors like Microsoft tend to release patches on a predictable schedule) and client working hours. This can help reduce downtime by keeping regular patching activity limited to, for example, nights or weekends. In addition, emergency patches can be deployed as they’re announced.
  • Thoroughly document all patching activities. This will enable you to more retrace your steps more easily retrace your steps if there’s a problem requiring a rollback or similar adjustment.

Automation removes a lot of the hassle of patch management for both the client and the MSP. More importantly, regular software patching can help ensure that client data remains secure without overtaxing the IT department with an increasingly frequent array of threat-based OS and firmware updates.

 

This article was originally published in Channel Futures.

Scroll to top
Tweet
Share
Share