Building a Patch and Vulnerability Management Program
By: Omer Kaan Aslim
August 13, 2020
A patch and vulnerability management program is one of the most important parts of any cybersecurity program. In this post I explain how to build one.
Assembling a Patch and Vulnerability Group
The first step is to put together your team that will be responsible for patching your organization’s systems. Team members should include folks from your security team, system administrators, and relevant business operations personnel. You should also collect the contact information for key system stakeholders in case you need to inform them of patch deployments.
System Inventory Management
To have an effective patch and vulnerability management program you need an accurate inventory of your systems. This includes laptops, servers, printers, scanners, network devices, and any software installed on those systems. How can you patch something if you don't know that you have it? I would recommend using a dedicated inventory management tool to track your systems instead of Excel spreadsheets. Inventory management tools can provide detailed information about most of your systems.
Continuous Vulnerability Monitoring
In an ideal world you would patch or remediate every vulnerability as soon as you detect it. In the real world, however, IT teams can be short of staff and may not be able to patch every vulnerability in a timely manner. This is why you want to prioritize high-risk vulnerabilities before addressing lower-risk ones. Thankfully, tools like Nessus categorize vulnerabilities by severity for you, making it easy to determine which ones you should address first.
You need to track the vulnerabilities detected by your vulnerability scanner along with the actions you have taken or plan to take to remediate them. You can document these in what is known as a remediation database. An Excel sheet is enough to accomplish this.
Patch and Remediation Testing
Before deploying any patches or remediations you need to test them in a test environment. Deploying patches or vulnerability remediations directly to your production environment without any testing may result in unexpected downtime that can impact business operations.
Informing Administrators of Remediations
After testing your patches and remediations you need to inform the point of contact and any administrators who manage the system you seek to patch. That way if something goes wrong after the deployment they know what the likely cause was.
After deploying patches and remediations you need to verify that they were applied. This can be accomplished by rescanning your systems with your vulnerability scanner.
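As an added example (not the post's own tooling), here is a minimal remediation database in Python that orders open findings by severity and age, flags entries past an assumed per-severity deadline, and closes a "Remediated" entry only when the rescan no longer reports it. The SLA values, hosts, plugin ids and scan results are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadline per severity, in days (assumed policy, not from the post).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
SEVERITY_RANK = {sev: i for i, sev in enumerate(SLA_DAYS)}

@dataclass
class Finding:
    host: str
    plugin_id: int        # scanner check id; values below are constructed
    severity: str
    title: str
    first_seen: date
    status: str = "Open"  # Open -> Planned -> Remediated -> Verified
    action: str = ""

def prioritize(findings):
    """Open work, most severe first, oldest first within a severity."""
    return sorted((f for f in findings if f.status != "Verified"),
                  key=lambda f: (SEVERITY_RANK[f.severity], f.first_seen))

def overdue(findings, today):
    """Findings past their SLA deadline that are not yet verified closed."""
    return [f for f in findings if f.status != "Verified"
            and today > f.first_seen + timedelta(days=SLA_DAYS[f.severity])]

def verify_with_rescan(findings, rescan_results):
    """Close 'Remediated' findings only when the rescan no longer reports
    that (host, plugin_id); reopen any the scanner still sees."""
    still_present = set(rescan_results)
    for f in findings:
        if f.status == "Remediated":
            if (f.host, f.plugin_id) in still_present:
                f.status, f.action = "Open", f.action + "; still reported after rescan"
            else:
                f.status = "Verified"
    return findings

# Constructed remediation database entries (not real scan output).
DB = [
    Finding("fileserver01", 100001, "Critical", "Missing OS security update",
            date(2020, 8, 1), "Remediated", "patched in test, then in production"),
    Finding("printer-3f", 100002, "Low", "Default SNMP community string", date(2020, 5, 1)),
    Finding("web01", 100003, "High", "Outdated TLS library", date(2020, 7, 1),
            "Remediated", "upgraded library"),
    Finding("laptop-042", 100004, "High", "Browser version out of date", date(2020, 8, 10)),
]
# Constructed rescan: web01 still shows plugin 100003, fileserver01 is clean.
RESCAN = [("web01", 100003), ("printer-3f", 100002), ("laptop-042", 100004)]

def run(today=date(2020, 8, 13)):
    verify_with_rescan(DB, RESCAN)
    return ([f"{f.host}:{f.plugin_id}" for f in prioritize(DB)],
            [f.host for f in overdue(DB, today)])
```

Running `run()` shows web01 reopened at the top of the queue and already past its 30-day deadline, while the verified fileserver01 entry drops out of both lists.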
With the information I provided in this post you should be able to put together a nice patch management program to help keep the bad guys.