What is patch management?
Explore IBM's patch management solution Subscribe to Security Topic Updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint, check mark
What is patch management?

Patch management is the process of applying vendor-issued updates to close security vulnerabilities and optimize the performance of software and devices. Patch management is sometimes considered a part of vulnerability management.

In practice, patch management is about balancing cybersecurity with the business's operational needs. Hackers can exploit vulnerabilities in a company's IT environment to launch cyberattacks and spread malware. Vendors release updates, called "patches," to fix these vulnerabilities. However, the patching process can interrupt workflows and create downtime for the business. Patch management aims to minimize that downtime by streamlining patch deployment. 
IBM Security X-Force Threat Intelligence Index

Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM Security X-Force Threat Intelligence Index.
Related content

Register for the Cost of a Data Breach report
Why the patch management process matters

Patch management creates a centralized process for applying new patches to IT assets. These patches can improve security, enhance performance, and boost productivity.

Security updates


Security patches address specific security risks, often by remediating a particular vulnerability.

Hackers often target unpatched assets, so the failure to apply security updates can expose a company to security breaches. For example, the 2017 WannaCry ransomware spread via a Microsoft Windows vulnerability for which a patch had been issued. Cybercriminals attacked networks where admins had neglected to apply the patch, infecting more than 200,000 computers in 150 countries. 

Feature updates


Some patches bring new features to apps and devices. These updates can improve asset performance and user productivity. 

Bug fixes


Bug fixes address minor issues in hardware or software. Typically, these issues don't cause security problems but do affect asset performance.

Minimizing downtime


Most companies find it impractical to download and apply every patch for every asset as soon as it's available. That's because patching requires downtime. Users must stop work, log out, and reboot key systems to apply patches.

A formal patch management process allows organizations to prioritize critical updates. The company can gain the benefits of these patches with minimal disruption to employee workflows.

Regulatory compliance


Under regulations like the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS), companies must follow certain cybersecurity practices. Patch management can help organizations keep critical systems compliant with these mandates.

 
The patch management lifecycle

Most companies treat patch management as a continuous lifecycle. This is because vendors release new patches regularly. Furthermore, a company's patching needs may change as its IT environment changes.

To outline the patch management best practices that admins and end users should follow throughout the lifecycle, companies draft formal patch management policies.

The stages of the patch management lifecycle include:

1. Asset management


To keep tabs on IT resources, IT and security teams create inventories of network assets like third-party applications, operating systems, mobile devices, and remote and on-premises endpoints.

IT teams may also specify which hardware and software versions employees can use. This asset standardization can help simplify the patching process by reducing the number of different asset types on the network. Standardization can also prevent employees from using unsafe, outdated, or incompatible apps and devices.

2. Patch monitoring


Once IT and security teams have a complete asset inventory, they can watch for available patches, track the patch status of assets, and identify assets that are missing patches.

3. Patch prioritization


Some patches are more important than others, especially when it comes to security patches. According to Gartner, 19,093 new vulnerabilities were reported in 2021, but cybercriminals only exploited 1,554 of these in the wild (link resides outside ibm.com). 

IT and security teams use resources like threat intelligence feeds to pinpoint the most critical vulnerabilities in their systems. Patches for these vulnerabilities are prioritized over less essential updates.

Prioritization is one of the key ways in which patch management policies aim to cut downtime. By rolling out critical patches first, IT and security teams can protect the network while shortening the time resources spend offline for patching.

4. Patch testing


New patches can occasionally cause problems, break integrations, or fail to address the vulnerabilities they aim to fix. Hackers can even hijack patches in exceptional cases. In 2021, cybercriminals used a flaw in Kaseya's VSA platform (link resides outside ibm.com) to spread ransomware to customers under the guise of a legitimate software update. 

By testing patches before installing them, IT and security teams aim to detect and fix these problems before they impact the entire network.

5. Patch deployment


"Patch deployment" refers to both when and how patches are deployed.

Patching windows are usually set for times when few or no employees are working. Vendors' patch releases may also influence patching schedules. For example, Microsoft typically releases patches on Tuesdays, a day known as "Patch Tuesday" among some IT professionals. 

IT and security teams may apply patches to batches of assets rather than rolling them out to the entire network at once. That way, some employees can continue working while others log off for patching. Applying patches in groups also provides one last chance to detect problems before they reach the whole network. 

Patch deployment may also include plans to monitor assets post-patching and undo any changes that cause unanticipated problems. 

6. Patch documentation


To ensure patch compliance, IT and security teams document the patching process, including test results, deployment results, and any assets that still need to be patched. This documentation keeps the asset inventory updated and can prove compliance with cybersecurity regulations in the event of an audit.    

 
Patch management solutions

Because patch management is a complex lifecycle, organizations often look for ways to streamline patching. Some businesses outsource the process entirely to managed service providers (MSPs). Companies that handle patching in-house use patch management software to automate much of the process.

Most patch management software integrates with common OSs like Windows, Mac, and Linux. The software monitors assets for missing and available patches. If patches are available, patch management solutions can automatically apply them in real-time or on a set schedule. To save bandwidth, many solutions download patches to a central server and distribute them to network assets from there. Some patch management software can also automate testing, documentation, and system rollback if a patch malfunctions.

Patch management tools can be standalone software, but they're often provided as part of a larger cybersecurity solution. Many vulnerability management and attack surface management solutions offer patch management features like asset inventories and automated patch deployment. Many endpoint detection and response (EDR) solutions can also automatically install patches. Some organizations use unified endpoint management (UEM) platforms to patch on-premises and remote devices.

With automated patch management, organizations no longer need to manually monitor, approve, and apply every patch. This can reduce the number of critical patches that go unapplied because users can't find a convenient time to install them.

 
Related solutions
IBM X-Force Red Vulnerability Management Services

Adopt a vulnerability management program that identifies, prioritizes and manages the remediation of flaws that could expose your most critical assets.

Explore vulnerability management services
IBM Security QRadar EDR

IBM Security QRadar EDR leverages exceptional levels of intelligent automation and AI to help detect and remediate known and unknown threats in near real time.

 Explore IBM Security QRadar EDR
Unified Endpoint Management (UEM) platform

Enable and secure all your mobile devices, apps and content with IBM Security MaaS360 with Watson UEM platform.

Explore Unified Endpoint Management (UEM)
Resources What is threat hunting?

Threat hunting, also known as cyberthreat hunting, is a proactive approach to identifying previously unknown, or ongoing non-remediated, threats within an organization's network.

 What is incident response?

A formal incident response plan enables cybersecurity teams to limit or prevent damage from cyberattacks or security breaches.

 What is threat management?

Threat management is a process used by cybersecurity professionals to prevent cyberattacks, detect cyber threats and respond to security incidents.
Take the next step

IBM Security QRadar EDR, formerly ReaQta, remediates known and unknown endpoint threats in near real time with easy-to-use intelligent automation that requires little-to-no human interaction. Make quick and informed decisions with attack visualization storyboards. Use automated alert management to focus on threats that matter. And safeguard business continuity with advanced, continously-learning AI capabilities.

 Explore QRadar EDR Book a live demo