Patch management is as important as it is challenging, because every system has to be kept up to date at all times.

Here is a checklist of five patch management best practices that will keep your patching process running efficiently, without disruption, and securely.

5 Patch Management Best Practices

1- Get On the Right Frequency

How often you should apply patches varies depending on the following:

  • The criticality of the system
  • The classification level of the data being processed
  • The impact of the patches

In general, though, aim for the following frequencies:

  1. Windows security patches should be installed immediately.
  2. Antivirus patches should be installed weekly.
  3. Database patches should be installed quarterly.

2- Inventory Your Network Regularly

If one computer in the environment misses a patch, the stability of them all is at risk. Develop a current inventory of production systems (including IP addresses, OS types, versions, and physical locations) to help manage your patching efforts and keep everything secure.

3- Automate Everything

Relying on identifying, evaluating, and deploying patches manually is a time suck. Transitioning to a cloud-based automated patch management solution that will schedule regular update scans and ensure patches are applied automatically will make you wonder how you ever got it done before. Additionally, automating patch management audit reports will make both you and your clients happy.

4- Perform Comprehensive Application and OS Coverage

Many vulnerabilities you’ll encounter come from third-party applications (Adobe, Mozilla, etc.) and alternative operating systems (Linux, Unix, etc.). Relying solely on each vendor’s automatic updates is not a viable option. Make sure you have comprehensive coverage to account for any potential exploits.

5- Mitigate the Exception

There is always an exception to the rule. If a patch breaks something, or in any number of other scenarios, you will likely find yourself needing to make an exception in your security environment. However, always pair that exception with a mitigation that addresses the threats it leaves open.

With these 5 patch management best practices, you’ll find it much easier to stay on top of updates, ultimately safeguarding your virtual data environments.

Patch Management Challenges

Many IT professionals have lost a lot of hair over the common problems we all face in patch management. Below are just a few of them. (Don’t worry—we’ll offer some solutions in the next section.)

  1. Deciding on Patch Priority: Some applications are more important and vulnerable than others. You have to decide which to work on first, but did you make the right choice?
  2. Using Limited, Valuable Time: You might need hundreds of hours per month to patch every endpoint in your organization. You might even need to restart machines, causing business downtime.
  3. Patching Multiple Types of Software: We don’t just have to patch major, commercial operating systems. We also have to patch Flash, Java, WordPress, and many other applications.

Those are just a few of many problems. We’re not going to pretend that patch management is easy. But you can use the patch management best practices we detailed earlier, along with the strategies below, to improve your process—and lower your blood pressure a bit.

Patch Management Process and Strategy

The only way to stay sane about patch management is to go into battle wielding a process and a strategy. It might not always work perfectly, but keep tweaking it, like you’re sharpening a sword, and you’ll win more and more often. 

Here’s how to decide on your process and strategy: 

  1. List the main problems you’ve had with patch management in the past.
  2. Create a process that will solve those problems using as much automation as possible.

A good process can be described simply and followed easily. When you add automation to it, there should be very few (or zero) mistakes in executing it. You won’t have to stress about issues of patch frequency or timing.

What features should your automation software have? It should at least be able to:

  • Perform at least some patching while machines are not in use
  • Help to patch third-party applications
  • Keep track of what software is on which devices
  • Be programmable for custom schedules and exceptions to rules
  • Prioritize patching critical or vulnerable systems and devices first

Your automated system should make your life easier and protect your peers and your organization from out-of-date software. Add it to your patch management process to practically eliminate your stress!
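The cadence rules from practice 1, the inventory fields from practice 2, the mitigated exceptions from practice 5, and the feature list above (track what is on which device, allow exceptions, patch critical systems first) combined into a small overdue-patch checker. This is an added example, not Ivanti code; the third_party and os_other categories, the server/laptop/desktop tiers, and the inventory entries are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
# Cadences from the checklist above, in days between required patch runs
# (0 = install immediately); third_party and os_other are assumed extras.
CADENCE_DAYS = {"windows_security": 0, "antivirus": 7, "database": 90,
                "third_party": 7, "os_other": 30}
TIER = {"server": 0, "laptop": 1, "desktop": 2}  # assumed: lower patches first

@dataclass
class Asset:
    host: str
    ip: str
    os: str
    role: str              # key of TIER
    last_patched: dict     # category -> date, or None if never patched
    exceptions: dict = field(default_factory=dict)  # category -> mitigation

def overdue(asset: Asset, today: date) -> list:
    """Return [(category, days_late)]; never-patched counts as infinitely late."""
    late = []
    for cat, when in asset.last_patched.items():
        if cat in asset.exceptions:
            # Practice 5: an exception is only valid with a recorded mitigation.
            if not asset.exceptions[cat].strip():
                raise ValueError(f"{asset.host}: exception for {cat} lacks a mitigation")
            continue
        days_late = (today - when).days - CADENCE_DAYS[cat] if when else float("inf")
        if days_late > 0:
            late.append((cat, days_late))
    return late

def prioritize(assets: list, today: date) -> list:
    """Work queue of (host, category): critical tier, then shortest cadence, then most overdue."""
    work = [(TIER[a.role], CADENCE_DAYS[cat], -days, a.host, cat)
            for a in assets for cat, days in overdue(a, today)]
    return [(host, cat) for *_, host, cat in sorted(work)]
# Constructed inventory, checked on 14 May 2018 (the Monday after Patch Tuesday, 8 May).
TODAY = date(2018, 5, 14)
INVENTORY = [
    Asset("db01", "10.0.0.5", "Windows Server 2016", "server",
          {"windows_security": date(2018, 5, 8), "database": date(2018, 1, 15)}),
    Asset("lt-07", "10.0.1.42", "Windows 10", "laptop",
          {"windows_security": TODAY, "antivirus": None, "third_party": date(2018, 5, 1)}),
    Asset("ws-03", "10.0.1.9", "Windows 10", "desktop",
          {"antivirus": date(2018, 5, 12), "os_other": date(2018, 4, 20), "windows_security": date(2018, 3, 1)},
          exceptions={"windows_security": "legacy app blocks the update; host isolated on a restricted VLAN"}),
]

def work_queue() -> list:
    return prioritize(INVENTORY, TODAY)
```

Running `work_queue()` puts the server first even though the laptop has never had an antivirus update, which is the "critical systems first" rule in action; swap the sort key order if your risk tolerance differs.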

Can the Patch Management Process Run Smoothly?

Without question, patch management is essential to reducing your attack surface and keeping your endpoints and business running smoothly. However, it’s also a process that must be repeated weekly, monthly, quarterly—and whenever critical fixes have been identified for your environment.

But there’s good news. With the right tools and some advance planning, this process can run smoothly and leave your IT team with more time to support core business goals.

IT can be a real ditch

if there’s a patching glitch.

Down in the trenches

amid all the stenches?

Consider Ivanti’s pitch.

Patch Management Best Practices Webinar

Looking for a clear, well-structured overview of best practices and trends in patch management? Then this Ivanti security webinar is for you.


First presented at Interchange 2018 in Dallas the week of May 13th and subsequently online, it’s one of our most popular sessions and is ready when you are.

As part of your malware protection strategy, you may also want to look more closely at specific Ivanti patch solutions: Patch for SCCM; Patch for Windows; Patch for Linux, UNIX, Mac; and Patch for Endpoint Manager.

This webinar is presented by Ivanti security product management gurus, Chris Goettl (You Gotta Getta Goettl) and Todd Schell (One Schell of a Guy)—the same experts who host our popular monthly “Patch Tuesday” webinars.

As Chris explains, Ivanti’s security strategy is based on three principles:

  • Discover: Easily find and quantify the assets you need secured
  • Provide insight: Clearly identify risk
  • Take action: Use best-in-breed tools to act swiftly

Here’s an outline of what Chris and Todd cover:

  • Discovery and planning
  • Configuring your systems

Webinar Recap: Patch Management FAQs

One of the best portions of the webinar is the Q&A session toward the end. One attendee asked via chat:

"Why Microsoft continues to refer to Patch Tuesday as such when Microsoft has two or three releases of updates each month."

Chris Goettl replied that Microsoft still considers Patch Tuesday the security-focused event, but additional security fixes may follow in the next week and a half or two weeks. “Maybe a version of a patch had to be re-released or they didn't include a certain platform update on Patch Tuesday so it came a few days later. This happens a lot,” Chris said.

He continued, “And then there are the non-security updates that happen at the end of the month as well. It’s hard to keep in a consistent maintenance window when you’ve got all these additional updates constantly coming out. One of the things we often suggest is getting to a point where you classify your assets. If it’s a server, that’s gotta go into a more consistent maintenance window once a month—once a quarter if there are extenuating circumstances, but once a month is preferable.”

And referring to end-user machines, Chris said, “It’s much more critical to try to get those into a more frequent cadence—especially getting laptop users into a weekly or twice-a-week cadence. And maybe you set up a policy that only does things like Flash Player, Office, and browsers, you know, once a week, but everything else such as the OS updates will just be once a month. So, there are different ways you could strategize and do that based on your risk tolerance.”