
Automating Patch Management Processes to Save Time, Reduce Risk

Published on April 25, 2022 by Paul Deur

When it comes to patching vulnerable devices, agility is key, but today’s distributed workforce and a growing number of endpoints are adding to patching complexity, making it harder to keep data safe.

Last year attackers sought to exploit a flaw in on-premises Exchange email servers using the DearCry ransomware. Microsoft issued security fixes, but days later many servers remained unpatched. If it takes this long to implement critical patches for operating systems and commonly used applications, how are increasingly overburdened IT teams supposed to manage the numerous updates they receive for third-party and home-grown applications every year?

Delaying patching is a risky strategy. Cyber criminals work hard to exploit vulnerabilities in software when it’s released. Data leaks can result in huge costs, both in dollars and reputation. Yet a recent survey found some systems can remain unpatched for months.

Growing complexity adds to delays

The growing number of devices and a more dispersed workforce have added to the complexity of patch management programs. With remote workers connecting more sporadically, it has become harder to schedule patches during 'quiet' times. And there is no guarantee that the user will stay connected to the management system long enough to successfully receive the patch.

Companies that use cloud-based management platforms such as Intune can more easily control their endpoints, because they can 'see' them whenever they connect to the internet rather than only when they connect to the company VPN. But patching is still an onerous task, particularly when trying to understand which devices are vulnerable, selecting user candidates for pilot ring testing, tracking the patches, and communicating with users to follow up on failed patches.

How automation can help

There is some good news. Using a digital platform conductor (DPC) you can simplify patch management. A DPC connects to all your management tools and data sources to pull in information about your applications, hardware, systems, and users. It then aggregates and analyzes this data to identify which systems require patches, orchestrates and automates tasks and system workflows, and provides you with an up-to-date audit trail.

Workflows that can be orchestrated and automated with a DPC include:

Communications with end users and stakeholders

Explain what needs to happen and when it will happen. Provide a link to a self-service portal where they can confirm details that could affect the roll-out (e.g., working from home, bandwidth constraints, etc.).

Testing and deploying the patch

Testing is managed via pilot rings: the first ring comprises IT users, followed by a ring of identified 'friendly' users who are typical of the wider population. If no issues are reported by these groups, you can start deploying more widely.

Using a DPC you can automate these activities with relevant machines added automatically to testing and deployment rings. If issues occur during deployment, a DPC can monitor the status of those issues and block deployments of that patch to future deployment rings until the issue is resolved. It can also automatically open a ticket to investigate that issue.

Scheduling

The self-service portal also allows users and stakeholders to select a time that is convenient for them and when they will be connected to the network. Once that date/time is reached, the patch is pushed out automatically.

Follow-up on failed patches

Get real-time information about patching progression, allowing you to easily see which devices have been patched successfully and where you need to focus your effort.

Reporting

Improve program transparency and accountability by sharing auto-generated reports with stakeholders. Maintain up-to-date audit trails for all patching activities.

With an accurate, real-time list, you can follow up with users to understand their issues and reschedule a new patch date. Done manually, this could eat up your time, but with a DPC you can automate communications to users, using email templates that are triggered when patches are repeatedly pushed back or fail. Their response can then trigger a new patch date or the opening of a ticket to provide additional support.
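To make the ring-gated rollout and the failed-patch follow-up described above concrete, here is an added example of the orchestration logic in Python. It is not code from any DPC product; the ring names, device names and the follow-up threshold are constructed for illustration, and a real conductor would pull device inventory and patch status from the endpoint manager instead.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample rings in the order the post describes: IT users first,
# then identified 'friendly' users, then the broad population (hypothetical names).
RINGS = [
    ("ring-0-it", ["it-01", "it-02"]),
    ("ring-1-friendly", ["fin-07", "hr-03"]),
    ("ring-2-broad", ["sales-11", "sales-12", "eng-40"]),
]
FOLLOWUP_AFTER = 2  # failed/deferred attempts before the templated follow-up email fires

@dataclass
class Rollout:
    patch_id: str
    rings: list = field(default_factory=lambda: list(RINGS))
    current: int = 0          # index of the ring being deployed
    blocked: bool = False     # True while a reported issue is unresolved
    results: dict = field(default_factory=dict)         # device -> last status
    attempts: Counter = field(default_factory=Counter)  # device -> failed/deferred count
    followups: list = field(default_factory=list)       # devices sent the follow-up email
    tickets: list = field(default_factory=list)         # tickets opened for reported issues

    def targets(self):
        # Devices the DPC pushes to right now; nothing while blocked or finished.
        if self.blocked or self.current >= len(self.rings):
            return []
        return list(self.rings[self.current][1])

    def record(self, device, status):
        """status: 'success', 'failed', 'deferred' (user pushed back) or 'issue' (regression)."""
        self.results[device] = status
        if status in ("failed", "deferred"):
            # Repeated failures or pushbacks trigger the follow-up email exactly once.
            self.attempts[device] += 1
            if self.attempts[device] == FOLLOWUP_AFTER:
                self.followups.append(device)
        elif status == "issue":
            # A regression blocks every later ring and opens a ticket to investigate.
            self.blocked = True
            self.tickets.append(f"{self.patch_id}/{self.rings[self.current][0]}/{device}")

    def resolve_issue(self):
        self.blocked = False

    def advance(self):
        # Open the next ring only when this ring has fully reported with no open issue.
        if self.current >= len(self.rings):
            return "done"
        devices = self.rings[self.current][1]
        if self.blocked or any(self.results.get(d) in (None, "issue") for d in devices):
            return None
        self.current += 1
        return self.rings[self.current][0] if self.current < len(self.rings) else "done"
```

Failed and deferred installs are tracked for follow-up but do not hold the ring back, while a reported issue stops all later rings until it is cleared.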

Learn how you can automate 50% or more of the manual tasks associated with patch management. Book a demo today.