While patch management and vulnerability management seem synonymous, there are some key differences:
- Patch management. The updates that software vendors provide to fix security issues or other bugs are called patches. Patch management is the process of managing all the patches in your environment, from all vendors. A good patch management system tests and implements new patches immediately upon release to minimize exposure. Many security organizations have released studies claiming that the single most important part of securing an environment is having a robust patch management process that moves swiftly. A patch management system should include the following processes:
  - Automatic detection and download of new patches. Detection and downloading should occur at least once per day. You should monitor the detection of patches so that you are notified if detection or downloading is not functional.
  - Automatic distribution of patches. Initially, deploy patches to a few computers in a lab environment and run them through system testing. Then expand the distribution to a larger number of non-production computers. If everything is functional and no issues are found, distribute the patches to the rest of the non-production environment and then move to production. It is a good practice to patch your production systems within 7 days of a patch release. In critical scenarios where there is known exploit code for a remote code execution vulnerability, you should deploy patches to your production systems the day of the patch release to maximize security.
  - Reporting on patch compliance. Even if you have an automatic patch distribution method, you need a way to assess your overall compliance. Do 100% of your computers have the patch? Or 90%? Which specific computers are missing a specific patch? The management team can use such reports to evaluate the effectiveness of the patch management system.
  - Automatic rollback capabilities. Sometimes, vendors release patches that create problems or have incompatibilities. Those issues might not be evident immediately but instead show up days later. Ensure you have an automated way of rolling back or removing the patch across all computers. You don't want to figure that out a few minutes before you need to do it.
- Vulnerability management. A vulnerability is a way in which your environment is at risk of being compromised or degraded. The vulnerability can be due to a missing patch, but it can also be due to a misconfiguration or other factors. For example, when SHA-1 certificates were recently found to be vulnerable to attack, many companies suddenly found themselves vulnerable and needed to take action (by replacing the certificates). Many vulnerability management solutions can scan the environment looking for vulnerabilities. Such solutions complement, but do not replace, patch management systems and other security systems (such as anti-virus or anti-malware systems).
- Be aware of the following definitions:
  - Zero-day vulnerability. A vulnerability is sometimes known about before a patch is available. Such zero-day vulnerabilities can sometimes be mitigated with an updated configuration or other temporary workaround until a patch is available. Other times, no mitigations are available and you have to be especially vigilant with logging and monitoring until the patch is available.
  - Zero-day exploit. Attackers can release code to exploit a vulnerability for which no patch is available. These zero-day exploits represent one of the toughest challenges for organizations trying to protect their environments.
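The patch compliance reporting and deployment deadlines described above, as an added example (not part of the original text): it computes, per patch, the percentage of computers that have it, which specific computers are missing it, and whether production is past the 7-day deadline (or the same-day deadline when exploit code exists for a remote code execution flaw). The patch IDs and host inventory are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Patch:
    id: str
    released: date
    rce: bool = False            # fixes a remote code execution vulnerability
    exploit_known: bool = False  # public exploit code exists for it


@dataclass
class Host:
    name: str
    environment: str             # "lab", "nonprod" or "production"
    installed: set = field(default_factory=set)  # patch IDs applied


def deadline(patch: Patch) -> date:
    """Production deadline: same day for an RCE with known exploit code, else 7 days."""
    if patch.rce and patch.exploit_known:
        return patch.released
    return patch.released + timedelta(days=7)


def compliance_report(hosts, patches, today):
    """Return {patch_id: (percent_compliant, [hosts missing it], production_overdue)}."""
    report = {}
    for p in patches:
        missing = sorted(h.name for h in hosts if p.id not in h.installed)
        pct = round(100 * (len(hosts) - len(missing)) / len(hosts), 1)
        prod_missing = [h.name for h in hosts
                        if h.environment == "production" and p.id not in h.installed]
        report[p.id] = (pct, missing, bool(prod_missing) and today > deadline(p))
    return report


# Constructed sample inventory; IDs and hostnames are placeholders, not real systems.
PATCHES = [
    Patch("KB-EXAMPLE-001", date(2024, 1, 2)),
    Patch("KB-EXAMPLE-002", date(2024, 1, 8), rce=True, exploit_known=True),
]
HOSTS = [
    Host("lab01", "lab", {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
    Host("test01", "nonprod", {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
    Host("test02", "nonprod", {"KB-EXAMPLE-001"}),
    Host("web01", "production", {"KB-EXAMPLE-001"}),
    Host("web02", "production", set()),
]

if __name__ == "__main__":
    for pid, (pct, missing, overdue) in compliance_report(HOSTS, PATCHES, date(2024, 1, 9)).items():
        print(f"{pid}: {pct}% compliant, missing on {missing}, production overdue={overdue}")
```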