What is patch management?

In practice, patch management is about balancing cybersecurity with the business's operational needs. Hackers can exploit vulnerabilities in a company's IT environment to launch cyberattacks and spread malware. Vendors release updates, called "patches," to fix these vulnerabilities. However, the patching process can interrupt workflows and create downtime for the business. Patch management aims to minimize that downtime by streamlining patch deployment.

Patch management creates a centralized process for applying new patches to IT assets. These patches can improve security, enhance performance, and boost productivity.

Security patches address specific security risks, often by remediating a particular vulnerability.

Hackers often target unpatched assets, so the failure to apply security updates can expose a company to security breaches. For example, the 2017 WannaCry ransomware spread via a Microsoft Windows vulnerability for which a patch had been issued. Cybercriminals attacked networks where admins had neglected to apply the patch, infecting more than 200,000 computers in 150 countries.

Some patches bring new features to apps and devices. These updates can improve asset performance and user productivity.

Bug fixes address minor issues in hardware or software. Typically, these issues don't cause security problems but do affect asset performance.

Most companies find it impractical to download and apply every patch for every asset as soon as it's available. That's because patching requires downtime. Users must stop work, log out, and reboot key systems to apply patches.

A formal patch management process allows organizations to prioritize critical updates. The company can gain the benefits of these patches with minimal disruption to employee workflows.

Under regulations like the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS), companies must follow certain cybersecurity practices. Patch management can help organizations keep critical systems compliant with these mandates.

Most companies treat patch management as a continuous lifecycle. This is because vendors release new patches regularly. Furthermore, a company's patching needs may change as its IT environment changes.

To outline the patch management best practices that admins and end users should follow throughout the lifecycle, companies draft formal patch management policies.

The stages of the patch management lifecycle include:

To keep tabs on IT resources, IT and security teams create inventories of network assets like third-party applications, operating systems, mobile devices, and remote and on-premises endpoints.

IT teams may also specify which hardware and software versions employees can use. This asset standardization can help simplify the patching process by reducing the number of different asset types on the network. Standardization can also prevent employees from using unsafe, outdated, or incompatible apps and devices.

Once IT and security teams have a complete asset inventory, they can watch for available patches, track the patch status of assets, and identify assets that are missing patches.

Some patches are more important than others, especially when it comes to security patches. According to Gartner, 19,093 new vulnerabilities were reported in 2021, but cybercriminals only exploited 1,554 of these in the wild.

IT and security teams use resources like threat intelligence feeds to pinpoint the most critical vulnerabilities in their systems. Patches for these vulnerabilities are prioritized over less essential updates.

Prioritization is one of the key ways in which patch management policies aim to cut downtime. By rolling out critical patches first, IT and security teams can protect the network while shortening the time resources spend offline for patching.

New patches can occasionally cause problems, break integrations, or fail to address the vulnerabilities they aim to fix. Hackers can even hijack patches in exceptional cases. In 2021, cybercriminals used a flaw in Kaseya's VSA platform to spread ransomware to customers under the guise of a legitimate software update.

By testing patches before installing them, IT and security teams aim to detect and fix these problems before they impact the entire network.

“Patch deployment” refers to both when and how patches are deployed.

Patching windows are usually set for times when few or no employees are working. Vendors' patch releases may also influence patching schedules. For example, Microsoft typically releases patches on Tuesdays, a day known as "Patch Tuesday" among some IT professionals.

IT and security teams may apply patches to batches of assets rather than rolling them out to the entire network at once. That way, some employees can continue working while others log off for patching. Applying patches in groups also provides one last chance to detect problems before they reach the whole network.

Patch deployment may also include plans to monitor assets post-patching and undo any changes that cause unanticipated problems.

To ensure patch compliance, IT and security teams document the patching process, including test results, deployment results, and any assets that still need to be patched. This documentation keeps the asset inventory updated and can prove compliance with cybersecurity regulations in the event of an audit.

Because patch management is a complex lifecycle, organizations often look for ways to streamline patching. Some businesses outsource the process entirely to managed service providers (MSPs). Companies that handle patching in-house use patch management software to automate much of the process.

Most patch management software integrates with common OSs like Windows, Mac, and Linux. The software monitors assets for missing and available patches. If patches are available, patch management solutions can automatically apply them in real-time or on a set schedule. To save bandwidth, many solutions download patches to a central server and distribute them to network assets from there. Some patch management software can also automate testing, documentation, and system rollback if a patch malfunctions.

Patch management tools can be standalone software, but they're often provided as part of a larger cybersecurity solution. Many vulnerability management and attack surface management solutions offer patch management features like asset inventories and automated patch deployment. Many endpoint detection and response (EDR) solutions can also automatically install patches. Some organizations use unified endpoint management (UEM) platforms to patch on-premises and remote devices.

With automated patch management, organizations no longer need to manually monitor, approve, and apply every patch. This can reduce the number of critical patches that go unapplied because users can't find a convenient time to install them.