If your organization's patch validation environment is called production, you're going to have a bad time.
The quickly changing, data-rich corporate IT landscape demands a reliable security patch validation methodology before patches reach the live production systems. A security patch is a software package used to fix a known vulnerability. IT operations administrators who don't keep software updates current will inevitably find systems' security compromised -- and it's not a matter of if, but when.
Improve patch management with a multipronged attack: Establish processes for patch management within an IT service management (ITSM) strategy, create a realistic mirror of production in a staging or test area, and jump on updates quickly.
Get a process in place
Patch management is part of change management within ITSM. Businesses can choose from, or intermingle, ITSM standards such as ITIL, or IT Infrastructure Library; and COBIT, or control objectives for information and related technologies; among many others. Each framework presents processes and documentation to plan for and control changes to the IT department's hardware and software assets.
Patch validation verifies that a security patch resolves a potential exposure to exploitation. Organizations should conduct a regression test after installing the patch to check that it doesn't break any other functionality in line-of-business servers and services. Untested patches potentially do more harm than the danger they're designed to keep out.
If your company doesn't have serviceable change and patch management strategies in place, start by researching the major ITSM frameworks to determine the best fit for your needs. Without solid patch management, organizations leave valuable data in the sights of ransomware, a malware infection that either prevents access to data or threatens to publish sensitive information unless the attacker receives money, usually in an anonymous cryptocurrency.
The danger of lackadaisical security patching
The 2017 WannaCry ransomware attack exploited a vulnerability called EternalBlue in Server Message Block version 1, a legacy Microsoft file-sharing protocol. Microsoft confirmed the vulnerability and released a patch in March to supported Windows desktop and Windows Server versions, then later added unsupported Windows versions to the patch coverage due to the devastation WannaCry wrought.
So many line-of-business systems were hit by WannaCry, despite Microsoft's patch releases, because IT departments either intentionally lag behind Microsoft's patch cycles or do not patch systems frequently at all. It's a decade-old habit that has no place in modern IT systems management.
Admins must patch systems proactively. Speed is crucial; zero-day exploits -- attacks on unintentionally vulnerable spots in commercial or open source software -- and malicious software wait for no one. Organizations must abide by the concept of continuous integration and continuous deployment for patches, just as they do for new code delivery.
A good patch validation environment
IT shops that validate updates often use a test environment prior to deployment to production systems. A realistic test environment setup will facilitate more rapid patch deployment.
To protect live services as much as possible, the test environment should mirror, and be updated parallel to, production. This practice guarantees if patch validation is successful in a test environment, it will work identically in real life. This doesn't mean the patch validation environment must run on all the same hardware as production, however.
Most businesses cannot afford to replicate production hardware. Instead, perform a physical-to-virtual conversion of the most important servers and mount the copies as VMs. This mirrored setup should not be arduous to achieve if production servers already run as VMs.
Make use of software tools that aid in patch validation. Microsoft offers System Center Configuration Manager and Windows Server Update Services, for example, so admins can approve or deny Microsoft updates based on test results.
Make a pitch to your supervisor to hire a full-time patch validation and management specialist. This addition is justifiable by the array of bad news related to security breaches, detailing lost revenue and public confidence for ransomware victims. These exploits happened via vulnerabilities that had already been patched by the system's vendor.
If a dedicated patch validation specialist is not an option, consider a consultant who will guide the organization through revisions to security patch validation and deployment. Look into patch management as a service (PMaaS) providers, which manage an existing patch validation infrastructure or implement their own tools and processes in a customer's server environment.
PMaaS providers, such as Orb Data, Datapipe and Fordway, construct a centralized web console for customers, through which they can inspect asset inventories, schedule automated patch validation tests and deployments, and set up notifications.