A patch is a software update released by a vendor or developer to fix bugs, close security vulnerabilities, or improve the performance and functionality of existing software. Patches apply to every layer of the stack: operating systems, applications, libraries, and firmware. Most compliance frameworks expect a documented patch management program, either explicitly (PCI DSS requires known vulnerabilities to be patched within defined timeframes) or as one of the "appropriate technical and organizational measures" that HIPAA, HITRUST, and GDPR demand.
When an organization learns of a security gap, its IT team works to deploy the patch before an attacker can exploit it. In the case of a zero-day vulnerability, however, no patch exists yet, which significantly heightens the risk: the flaw is public or already being exploited while the vendor is still developing, testing, and releasing a fix. During this window, companies must act quickly with mitigating controls that shrink the attack surface until the patch arrives, such as disabling the affected feature, restricting network access to the vulnerable service, applying a vendor-published workaround, and adding detection rules for the known exploitation pattern.
While patches are essential for security, they also present challenges. Vendors do not always provide detailed information about the security fixes a patch contains. After updating a system, you may encounter unexpected issues, such as customized applications, especially those that depend on older versions of Java or .NET, no longer functioning correctly. Even when the vendor rates the severity and publishes a full change list with every patch, many businesses lack the resources to read each one carefully and understand its impact. Advisories and CVE records are often terse or deliberately vague about the underlying bug, partly to avoid handing attackers a roadmap and partly to protect the vendor's reputation, which makes judging real-world impact harder than the severity label suggests.
In July 2024, the industry faced significant disruption when a faulty content update for CrowdStrike's Falcon sensor caused roughly 8.5 million Windows computers worldwide to crash. For many companies, it took several days to recover from the incident, resulting in substantial financial losses. The episode is a reminder that vendor-pushed updates need the same staged rollout controls as the patches you schedule yourself.
To avoid such issues, a successful patching strategy requires organizations to establish a clear patch management policy, including Service Level Agreements (SLAs) that define patch-response times. Patches should be prioritized by risk level (for example the CVSS base score) adjusted for the exposure the vulnerability presents in the organization's environment: an internet-facing asset, or a flaw with known exploitation in the wild, deserves a shorter deadline than the raw score alone implies. Before a patch is widely deployed, it should be pilot tested with a small, fixed group of systems and users to identify and resolve any incompatibilities, ensuring a smoother release to the general population.
Aligning your patching strategy with guidance such as NIST SP 800-40 (Guide to Enterprise Patch Management Planning) provides a solid foundation, offering a structured approach to prioritizing and addressing vulnerabilities. At Access Point, our standard is to patch critical vulnerabilities within 14 days and high-severity vulnerabilities within 30 days. Additionally, we prioritize more frequent patching for web browsers due to their widespread use and heightened exposure to attacks.
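The prioritization and SLA logic described above, as an added example written for this page rather than Access Point Consulting's own tooling. The 14-day critical and 30-day high SLAs are the ones stated in the text; the medium and low SLAs, the escalation rules (internet exposure raises the severity band by one step, a listing in CISA's Known Exploited Vulnerabilities catalog forces critical), the hash-based pilot ring, and the sample findings with their CVE-EXAMPLE identifiers are all assumptions constructed for illustration.

```python
# Added example: risk-based patch prioritization, SLA tracking and a stable
# pilot ring. Illustrative code for this article, not Access Point's tooling.
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

# Remediation SLAs in days. Critical/high are the article's figures;
# medium/low are placeholder assumptions.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
LEVELS = ["low", "medium", "high", "critical"]

# Reporting date used by the sample run below (constructed).
AS_OF = date(2024, 9, 20)


def cvss_band(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    cve: str                       # sample IDs below are constructed, not real CVEs
    asset: str
    cvss: float
    internet_exposed: bool = False  # asset reachable from the internet
    in_kev: bool = False            # listed in CISA's KEV catalog (known exploited)
    discovered: date = field(default_factory=date.today)


def priority(f: Finding) -> str:
    """Severity after exposure adjustment (assumed policy, not from the article).

    The CVSS band is the starting point; internet exposure bumps it one step;
    known exploitation forces critical because the attacker no longer has to
    build an exploit, so the score's exploitability metrics understate risk.
    """
    level = cvss_band(f.cvss)
    if f.internet_exposed:
        level = LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]
    if f.in_kev:
        level = "critical"
    return level


def due_date(f: Finding) -> date:
    """SLA deadline measured from the day the finding was discovered."""
    return f.discovered + timedelta(days=SLA_DAYS[priority(f)])


def sla_report(findings, today: date):
    """Rows of (cve, asset, priority, due, days_overdue), most urgent first."""
    rows = []
    for f in findings:
        due = due_date(f)
        rows.append((f.cve, f.asset, priority(f), due, max(0, (today - due).days)))
    # Earliest deadline first; ties broken by higher severity.
    rows.sort(key=lambda r: (r[3], -LEVELS.index(r[2])))
    return rows


def ring(host: str, pilot_pct: int = 5) -> str:
    """Deterministic pilot-ring assignment.

    Hashing the hostname gives a fixed, repeatable pilot slice spread across
    the fleet, instead of "whichever machines were online", so regressions
    found in the pilot are reproducible on the same hosts.
    """
    bucket = int(hashlib.sha256(host.encode()).hexdigest(), 16) % 100
    return "pilot" if bucket < pilot_pct else "general"


# Constructed sample findings (hypothetical CVE IDs and hostnames).
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", "db-01", 9.8, discovered=date(2024, 9, 1)),
    Finding("CVE-EXAMPLE-0002", "web-01", 7.5, internet_exposed=True, discovered=date(2024, 9, 1)),
    Finding("CVE-EXAMPLE-0003", "hr-app", 5.3, in_kev=True, discovered=date(2024, 9, 10)),
    Finding("CVE-EXAMPLE-0004", "fileserver", 6.5, discovered=date(2024, 9, 1)),
    Finding("CVE-EXAMPLE-0005", "vpn-gw", 3.1, internet_exposed=True, discovered=date(2024, 9, 1)),
]

if __name__ == "__main__":
    for row in sla_report(SAMPLE, AS_OF):
        print(*row)
    print({h: ring(h) for h in ("db-01", "web-01", "hr-app", "fileserver", "vpn-gw")})
```

Note how the adjustments change the picture: the CVSS 7.5 flaw on the internet-facing web server and the CVSS 5.3 flaw that is already being exploited both land in the 14-day bucket alongside the 9.8, while the 6.5 on an internal file server gets the longer deadline. Feeding the report into a ticketing system with the `days_overdue` column is the simplest way to make the SLA measurable rather than aspirational.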
Patch management is a complex endeavor that needs to flex around a company’s resources, compliance requirements, industry, and threat landscape. No one size fits all, but by adopting best practices, you can find a patch strategy that effectively reduces the risk in your organization. If your business does not have the IT or security resources to evaluate and prioritize patches, Access Point can help. We specialize in delivering turnkey solutions and security expertise to address these problems for you.
About the Author
Anthony Rivera is the Chief Information Officer at Access Point Consulting. With more than 20 years of experience in information technology and cybersecurity, Anthony leads the company's efforts in developing innovative strategies to protect organizational assets and data. He is passionate about fostering a culture of security awareness and is committed to educating others on best practices in the field.