Patch management

Last updated September 15, 2024

Patch management is concerned with the identification, acquisition, distribution, and installation of patches to systems. Proper patch management can be a net productivity boost for the organization. Patches can be used to defend against and eliminate potential vulnerabilities of a system, so that no threats may exploit them. Problems that can arise during patch management, including buggy patches that either fail to fix their problem or introduce new issues. Patch management tools can help orchestrate all of the procedures involved in patch management.

Description

Patch management is defined as a sub-practice of various disciplines including vulnerability management (part of security management), lifecycle management (with further possible sub-classification into application lifecycle management and release management), change management, and systems management. The practice is broadly concerned with the identification, acquisition, distribution, and installation of patches to systems. Some definitions of patch management are as a software-level practice,^[1] while others are as a systems-level process: software, drivers, and firmware.^[2]^[3]^[4]

Cost–benefit analysis

While reserving time for patching takes up enterprise resources, there are balancing factors which can make proper patch management into a net productivity boost for the organization. Up-to-date systems often perform more efficiently, less expensively, with less errors, less security risks, and better user workflow. Additionally, compliance with changing local and federal regulations are more likely to be satisfied.^[1]^[2]^[3]^[4]

Relation to security management

Patches can be used to defend against and eliminate potential vulnerabilities of a system, so that no threats may exploit them; therefore, patch management can be considered a sub-discipline of vulnerability management. Every patchable device in a system presents an attack surface that must be secured.^[4]

Challenges

There are a multitude of problems that can arise during patch management. A common issue is buggy patches, which either fail to fix their problem or introduce new issues. Another issue is deployment synchronization, since various subsystems may receive instructions to update at different times. Similarly, the difficulty of patch management across many devices may grow at an uncontrollable rate depending on organizational size.^[3]

One prominent demonstration of the challenges facing proper patch management was the buggy Falcon Sensor patch by CrowdStrike which caused one of the worst IT outages of all time.^[5]

Implementations

A patch management tool (alternatively patch manager, patch management system, patch management software, or centralized patch management) help orchestrate all of the procedures involved in patch management. Tools can be in-house (applied locally by local administrators), or external, as with managed service providers (applied externally by a provider).

Patch management software

Intel Active Management Technology, used with Intel vPro technologies, has features like scheduling, upgrade verification, and remote management; implementing patches along with unified endpoint management.^[2]
Windows Update for Business, System Center Configuration Manager, and Windows Server Update Services offer control over patch deployment, with features enabling testing, scheduling updates, and setting custom configurations on Windows platforms.^[3]^[6]

Managed service providers

ManageEngine Patch Manager
SolarWinds Patch Manager
Automox
Atera
Kaseya VSA

Related Research Articles

A software bug is a bug in computer software.

Software configuration management (SCM), a.k.a. software change and configuration management (SCCM), is the software engineering practice of tracking and controlling changes to a software system; part of the larger cross-disciplinary field of configuration management (CM). SCM includes version control and the establishment of baselines.

Windows Update is a Microsoft service for the Windows 9x and Windows NT families of the Microsoft Windows operating system, which automates downloading and installing Microsoft Windows software updates over the Internet. The service delivers software updates for Windows, as well as the various Microsoft antivirus products, including Windows Defender and Microsoft Security Essentials. Since its inception, Microsoft has introduced two extensions of the service: Microsoft Update and Windows Update for Business. The former expands the core service to include other Microsoft products, such as Microsoft Office and Microsoft Expression Studio. The latter is available to business editions of Windows 10 and permits postponing updates or receiving updates only after they have undergone rigorous testing.

Windows 9x is a generic term referring to a line of discontinued Microsoft Windows operating systems from 1995 to 2000, which were based on the Windows 95 kernel and its underlying foundation of MS-DOS, both of which were updated in subsequent versions. The first version in the 9x series was Windows 95, which was succeeded by Windows 98 and then Windows Me, which was the third and last version of Windows on the 9x line, until the series was superseded by Windows XP.

A patch is data that is intended to be used to modify an existing software resource such as a program or a file, often to fix bugs and security vulnerabilities. A patch may be created to improve functionality, usability, or performance. A patch is typically provided by a vendor for updating the software that they provide.

Vulnerabilities are flaws in a computer system that weaken the overall security of the system.

Microsoft Servers is a discontinued brand that encompasses Microsoft software products for server computers. This includes the Windows Server editions of the Microsoft Windows operating system, as well as products targeted at the wider business market. Microsoft has since replaced this brand with Microsoft Azure, Microsoft 365 and Windows 365.

Patch Tuesday is an unofficial term used to refer to when Microsoft, Adobe, Oracle and others regularly release software patches for their software products. It is widely referred to in this way by the industry. Microsoft formalized Patch Tuesday in October 2003. Patch Tuesday is known within Microsoft also as the "B" release, to distinguish it from the "C" and "D" releases that occur in the third and fourth weeks of the month, respectively.

Advanced Configuration and Power Interface (ACPI) is an open standard that operating systems can use to discover and configure computer hardware components, to perform power management, auto configuration, and status monitoring. It was first released in December 1996. ACPI aims to replace Advanced Power Management (APM), the MultiProcessor Specification, and the Plug and Play BIOS (PnP) Specification. ACPI brings power management under the control of the operating system, as opposed to the previous BIOS-centric system that relied on platform-specific firmware to determine power management and configuration policies. The specification is central to the Operating System-directed configuration and Power Management (OSPM) system. ACPI defines hardware abstraction interfaces between the device's firmware, the computer hardware components, and the operating systems.

Microsoft Visual SourceSafe (VSS) is a discontinued source control program oriented towards small software development projects. Like most source control systems, SourceSafe creates a virtual library of computer files. While most commonly used for source code, SourceSafe can handle any type of file in its database, but older versions were shown to be unstable when used to store large amounts of non-textual data, such as images and compiled executables.

Software asset management (SAM) is a business practice that involves managing and optimizing the purchase, deployment, maintenance, utilization, and disposal of software applications within an organization. According to ITIL, SAM is defined as “…all of the infrastructure and processes necessary for the effective management, control, and protection of the software assets…throughout all stages of their lifecycle.” Fundamentally intended to be part of an organization's information technology business strategy, the goals of SAM are to reduce information technology (IT) costs and limit business and legal risk related to the ownership and use of software, while maximizing IT responsiveness and end-user productivity. SAM is particularly important for large corporations regarding redistribution of licenses and managing legal risks associated with software ownership and expiration. SAM technologies track license expiration, thus allowing the company to function ethically and within software compliance regulations. This can be important for both eliminating legal costs associated with license agreement violations and as part of a company's reputation management strategy. Both are important forms of risk management and are critical for large corporations' long-term business strategies.

The term downtime is used to refer to periods when a system is unavailable. The unavailability is the proportion of a time-span that a system is unavailable or offline. This is usually a result of the system failing to function because of an unplanned event, or because of routine maintenance.

Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitoring, maintenance, updating, and repairing systems. Out-of-band (OOB) or hardware-based management is different from software-based management and software management agents.

Radia Client Automation software is an end-user device lifecycle management tool for automating routine client-management tasks such as operating system deployments and upgrades, patch management, application software deployment, application use monitoring, security, compliance, and remote system management.

HP Business Service Automation was a collection of software products for data center automation from the HP Software Division of Hewlett-Packard Company. The products could help Information Technology departments create a common, enterprise-wide view of each business service; enable the automation of change and compliance across all devices that make up a business service; connect IT processes and coordinate teams via common workflows; and integrate with monitoring and ticketing tools to form a complete, integrated business service management solution. HP now provides many of these capabilities as part of HP Business Service Management software and solutions.

HP Network Management Center (NMC) is a suite of integrated HP software used by network managers in information technology departments. The suite allows network operators to see, catalog and monitor the routers, switches, and other devices on their network. IT staff is alerted when a network device fails, and it predicts when a network node or connection point may go down. The suite was designed to address operational efficiency.

HP CloudSystem is a cloud infrastructure from Hewlett Packard Enterprise (HPE) that combines storage, servers, networking and software.

Long-term support (LTS) is a product lifecycle management policy in which a stable release of computer software is maintained for a longer period of time than the standard edition. The term is typically reserved for open-source software, where it describes a software edition that is supported for months or years longer than the software's standard edition.

BOSH is an open-source software project that offers a toolchain for release engineering, software deployment and application lifecycle management of large-scale distributed services. The toolchain is made up of a server and a command line tool. BOSH is typically used to package, deploy and manage cloud software. While BOSH was initially developed by VMware in 2010 to deploy Cloud Foundry PaaS, it can be used to deploy other software. BOSH is designed to manage the whole lifecycle of large distributed systems.

<span class="mw-page-title-main">DevOps toolchain</span> DevOps toolchain release package.

A DevOps toolchain is a set or combination of tools that aid in the delivery, development, and management of software applications throughout the systems development life cycle, as coordinated by an organisation that uses DevOps practices.

References

1 2 "Patch Management: Definition & Best Practices". Rapid7. Retrieved 15 July 2024.
1 2 3 "What Is Patch Management?". Intel. Retrieved 15 July 2024.
1 2 3 4 David Essex; Brien Posey. "What is patch management? Lifecycle, benefits and best practices". TechTarget. Retrieved 15 July 2024.
1 2 3 "What is patch management?". IBM. 20 December 2022. Retrieved 15 July 2024.
↑ Milmo, Dan; Kollewe, Julia; Quinn, Ben; Taylor, Josh; Ibrahim, Mimi (19 July 2024). "'Largest IT outage in history' hits Microsoft Windows and causes global chaos". The Guardian. Retrieved 19 July 2024.
↑ Firch, Jason (30 March 2023). "Windows Patch Management Best Practices For 2023". PurpleSec. Retrieved 15 July 2024.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[rapid7-1] 1 2 "Patch Management: Definition & Best Practices". Rapid7. Retrieved 15 July 2024.

[intel-2] 1 2 3 "What Is Patch Management?". Intel. Retrieved 15 July 2024.

[techtarget-3] 1 2 3 4 David Essex; Brien Posey. "What is patch management? Lifecycle, benefits and best practices". TechTarget. Retrieved 15 July 2024.

[ibm-4] 1 2 3 "What is patch management?". IBM. 20 December 2022. Retrieved 15 July 2024.

[5] Milmo, Dan; Kollewe, Julia; Quinn, Ben; Taylor, Josh; Ibrahim, Mimi (19 July 2024). "'Largest IT outage in history' hits Microsoft Windows and causes global chaos". The Guardian. Retrieved 19 July 2024.

[purplesec-6] Firch, Jason (30 March 2023). "Windows Patch Management Best Practices For 2023". PurpleSec. Retrieved 15 July 2024.

[1]

[2]

[3]

[4]

[5]

[6]

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electromagnetic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	vectorial version
Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Bombs Fork Logic Time Zip Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Fraudulent dialers Hacktivism Infostealer Insecure direct object reference Keystroke loggers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Obfuscation (software) Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Information security management Information risk management Security information and event management (SIEM) Runtime application self-protection Site isolation