What is Patch Management
Overview of PalisadeSECURE Patching as a Service Service (Patch Management) to typical client
This post describes the activities PalisadeSECURE undertakes on behalf of a client to support their security deliverables.
PalisadeSECURE (PS) provides a set of services to each client to enable them to maintain a level of system security commiserate to their risk appetite (Server operating system, Commercial off the shelf Software or COTS, network equipment, printers etc). Normally the client does not abdicate responsibility or ownership of said deliverables through using this service, but uses PS’s resource and systems to ensure compliance. (As a Service model)
High level the main service components are: –
- Identification and grouping of assets
- Scheduling each group based on compliance requirements normally Cyber Security Essentials compliant or 4, 12 week, bespoke schedule
- Notification and agreement
- Patching activities inc pre and post patching requirements
- In addition, PS also provide emergency support when requested such as the recent WannaCrypt challenge
Identification and Grouping
Fundamental to ensuring minimal and controlled disruption whilst delivering security updates, PS spend a great deal of effort ensuring that the service impact of updating assets within our clients are understood. As new assets are added or subtracted they are added to appropriate groups to ensure that unexpected outages do not occur. Server and service owners are also identified (although it is recognised that this information can reside within the clients configuration management system, in which case we will use this as the master). PS form part of the new build process to ensure that when assets are added to our clients estate they do not introduce an unacceptable level of risk.
This can be as simple as understanding how an application patch will behave with other applications and services running within the environment or ensuring that the communication plan includes all stakeholder, including development and support teams so they have an oversight upon potential issues that may occur.
Apart from propriety applications such as Adobe Suite, Microsoft Office and Java, PalisadeSECURE are experienced in patching bespoke or complex applications such as SWIFT, Oracle, Microsoft SQL and Exchange.
Based on each clients risk appetite each asset will require security updates on a regular basis. PS ensure that each asset is scheduled so that it maintains compliance, to enable scheduling, relationships with owners and major meeting attendance occurs to ensure that the patching takes place at a time that is suitable for both the support teams and business activity, PS also consider separate scheduled client business or technical activity such as business events, change freezes, Quarterly maintenance weekends or Power downs. On average PS schedules, around 120,000 events per year delivering around 24 million patches. PS also raises and completes all relevant change control procedures following our clients agreed authorisation and audit processes.
To minimise impact to shifting business requirements, in practice PS regularly reschedules patching activities where needed.
PS provides asset owners with regular communication on upcoming planned updates & obtains positive responses that the planned activities can take place, together with, where necessary, suitable support arrangements. PS will where required attend major meetings to ensure that unexpected outages risks are minimised. Pre and post notification notices are sent together with raising appropriate client support tickets if problems occur.
Out of hours, normally overnight or late Saturday/Sunday working, PS perform a number of pre patch activities which can include a health check, software scanning, backup, stopping services etc. on each scheduled asset. Once these pre-reqs have been successfully completed PS will apply security patches as required to the assets. The number of patches required can be as small as 1 to around 350 separate patches per asset, once the security patches have been applied the asset is restarted (if necessary) and then rescanned to ensure that all patches have been successfully recognised and are functioning as expected, if required services are then restarted and the relevant support teams engaged. Post activity notification is then distributed.
Each day the entire estate is reconciled to ensure that accurate compliancy figures are available, this activity form part of PS’s planning and scheduling activities as well as providing the basic information for reporting activities, real time statistics are then available from PS’s application.
Central to PS’s offering is our reporting function, using a single system all of PSs activities, client assets, support calls, scheduling information & compliance requirements are entered. This allows for all reporting activities to use a single data source ensuring accuracy. Reporting covers:
Activity past, present and future, Assets under management, compliance levels per asset, compliance levels per operating system, compliance levels per software, what if scenario planning, retrospective security levels for forensic analysis, monthly reporting packs, individual asset history, patch level reporting including which assets have certain patches and visa versa, ticket aging, automatic notifications, real time graphical visualisation of compliance for desktop, mobile & wall board displays.
As mentioned in previous service description paragraphs – PS using a single database driven system to fulfil our requirements – this is a proprietary system developed and maintained by PS. It covers asset management, scheduling, compliance statistics, reporting and wall board/mobile visualisation. It is integrated with client systems where possible and agreed – to reduce errors due to re-keying, importantly, for added security this system can be hosted within the client’s data centres if so desired.
Click for more information about PalisadeSECURE’s patch management services