December 11, 2020
What is Patch Management? Best Practices & Benefits
What is Patch Management Software?
Patch management is the updating of an application to fix, or “patch”, a bug or weakness in an IT network. Patch management tools allow for a controlled and automated deployment of patches to systems. As a result it creates an environment that is secure against known weaknesses.
A patch is a change to a computer program that is designed to update, fix, or improve it. Patches are aimed to:
- Fix security vulnerabilities
- Implement bug fixes
- Improve the performance of applications and programs
- Improve the usability of applications or programs
Without patches, a network’s software and operating systems become vulnerable and are at risk of security breaches. To ensure patches are deployed as needed, many companies turn to automation tools or MSPs for help. Therefore, the practice of managing a network of computers by regularly implementing patches, to ensure computers within a network are up to date.
Why is Patch Management Important?
In one short story, we can summarize the importance.
Do you recall the 2017 Equifax data breach? More than 143 million U.S. consumers were affected by the breach, and personally, identifiable information was stolen in troves. This included:
- Credit card numbers
- Driver’s license number
- Social Security numbers
- Date of birth
- Phone numbers
- Email addresses
As a result of the breach, Equifax paid roughly $1 billion in legal fees, criminal charges were levied, and the reputation of the organization has been tarnished.
As it turns out, the attack was a result of an unpatched web application that acted as a backdoor for hackers.
A patch for the hole was available for a full two months before the breach occurred, but due to cybersecurity mismanagement, Equifax failed to detect, identify, or update the software.
Lessons learned from the incident
As soon as a security update is released, especially for widely-used computer programs, cybercriminals are ready to move in and take advantage of vulnerabilities. Therefore, the most important reason to implement or pitch a patch management process to your clients is to protect them from the latest cyber threats that can terrorize critical business data.
What is a Patch Management Process?
MSPs have a unique opportunity to bundle patch assessment and management services into their comprehensive security strategy.
A patch management process may look something like the following:
- Set your parameters: Define a baseline of compliance for a network, gaps in the existing strategy, and blueprint a path to a cure.
- Identify risks and define a contingency plan: If a patch is unable to be deployed or causes a software regression, how will you respond?
- Test your patches: Do so in a controlled environment, and confirm your targets have backups, especially for vital devices like servers.
- Get your team onboard: Loop in key stakeholders to primary and contingency plans so they can help respond in the event of deployment failure.
- Deploy and assess: Once a patch is deployed, evaluate the environment and confirm compliance. If you find non-compliant anomalies learn from the issues, and build a corrective plan
Finally, report the results and continue to fine-tune your patch management process for stronger, continued success. Above all, remember that patching is an on-going process, not a single project. This is why one aspect of Datto's RMM solution is automating patch updating.
How can Application Patching Reduce your Security Risk?
One in three security breaches are caused by unpatched weaknesses. As the number of applications being used grows, so does the challenge for managed services providers (MSPs) to keep them protected. Cyber attackers are always looking for new weaknesses within those applications, so having a reliable patch management system is a must.
With patches being written regularly, staying on top of which ones need to be deployed can be a daunting task. A complete patching tool allows IT service providers to gain efficiency through automation and mitigating risks. Build both value and trust for end users.
A patch management solution provides MSPs detailed insights into apps and devices that are potentially at risk. By using an automated system, admins are able to patch multiple systems simultaneously, reducing the time needed to patch large fleets. Additionally, it enables patching to be automated by policy, reducing the need for manual intervention. Datto RMM, is a remote monitoring and management platform that eases patching for MSPs.
Our built-in patch management makes life for MSPs and clients alike. With Datto RMM’s powerful policy based patching and automation you can schedule patches to ensure minimal disruption to business operations. The robust reporting and search capabilities supply a comprehensive view of changes made to the environment. These include patches that have been applied, those missing in the network, and those which failed to deploy.
Benefits of a Built-In Patch Management Software
Datto RMM’s built-in patch management software increases MSP efficiency with automated patching. MSPs can develop custom policies to deploy patches for business applications on a scheduled basis. This reduces the need to manually update systems, and keeps them secure from the latest threats and zero-day vulnerabilities.
Patching tools help MSPs deliver on the promise of providing a secure and reliable IT environment. Datto RMM can automate the delivery of updates for both operating systems and the most common software applications by:
- Automated patching capabilities for Microsoft and third-party software
- Providing flexible parameters deliver patching to meet the needs of the environment.
- Support for large and complex networks with policy based patch approvals, local caching, and device level compliance reporting.
- Automated responses to monitoring alerts
- Extensive library of pre-built scripts, policies, and extensions supported by Datto
- Configure and schedule reports
Additionally, Datto RMM can provide easy to understand reports that provide visibility to the sites and devices with the highest risk. This enables managed service providers to make data-backed decisions and enhance their reputation as a strategic partner who acts proactively.
Get started with Datto RMM Patch Management Software
At Datto, we strive to deliver products that increase MSP efficiency. Datto RMM’s native patching capabilities are one example of our commitment to enabling MSPs to deliver profitable managed services.
Automating patch management with RMM
RMM tools enable IT providers to automate much of the patching process. Let’s take a look at an example workflow using Datto RMM:
- Disable Automatic Windows Update: To use Datto patch management you first need to disable Automatic Windows Update on your devices.
- Set up a patching policy: A patching policy allows you to pre-approve patches to be installed on your Windows devices on an ongoing basis, based on conditions you define. You can set up account-level or site-level policies that target multiple devices, define when patching occurs, set automatic approval rules, and define reboot behavior.
- Device audit and patch installations: Once an active the policy is in place, devices submit their Windows audit data to the platform on a set schedule. Datto RMM runs the Windows update against your predefined policy filters. Patches are approved or denied and a final approval list is sent back to the devices. The approved updates are automatically downloaded and installed.
Patch Management Best Practices
Obviously, every client has unique needs that you’ll need to account for and this is by no means an exhaustive list of what should be included in your patching strategy.
However, the following five items are a good place to start:
- Create patching and reboot strategy that suits your client’s requirements. For example, you might patch workstations during lunch hours and allow end users to defer updates for a specified time period (e.g., until tomorrow) to avoid impacting productivity.
- Create separate policies for workstations and servers. For example, you might patch desktops and laptops during the day when you know they are likely to be powered up, while patching servers at night since they are typically on 24x7.
- Approve/deny by update type. For example, automatically denying patches that include the word “Preview” (see above).
- Identify and exclude patches that should not be installed to avoid possible hardware or software issues. For example, many IT providers choose to exclude driver software from automated updates.
- Identify devices that cannot be automatically rebooted and create reboot tickets that ensure that those patches will be installed manually.
So, yes, patch management can be challenging. However, there are tools available that enable IT providers to deliver this as an effective and profitable service. To learn more about how Datto RMM fits into your patch management strategy, schedule a demo today.
Which systems does Datto RMM Support?
Datto RMM empowers managed service providers to automate the installation of patches. It’s supported by many commonly used versions of Windows and Windows Server. Business applications such as Adobe Acrobat, Oracle Java, and Google Chrome are also supported.