Our communications team recently sat down with Aidan Daly, Business Improvement Manager at Area9 to discuss everything patch management related.
Enjoy!
Q. Hey Aidan, could you please introduce yourself and elaborate on what your role at Area9 entails?
Aidan: In my role, I oversee the business improvement activities at Area9. That includes everything from managing our quality system management to monitoring customer service. I assess where the opportunities for improvement are and coordinate with the respective Area9 business units to enact a process change or develop a new process to enable better service delivery for our customers.
Additionally, I am heavily involved in the design, implementation and improvement of Area9’s services and related processes. This means we are constantly adapting our services and business to meet our customer's needs.
When we make big changes to our systems, our processes, our business model or something else, I’m the person responsible for ensuring it runs smoothly without causing issues for our customer base. It’s an incredibly interesting role.
Q. Today, you want to discuss patch management, would you care to explain what patch management is?
Aidan: When we refer to patching, in a nutshell, we are referring to a software update, and these updates are usually done to address a known vulnerability, bug issue in the software or to introduce new features or improvements. From a customer standpoint, this could relate to a particular performance issue, or to bolster security measures.
The term patch management refers to a structured approach to software patching. What I mean by that is it’s not wise or considered best-practice to simply go in and update everything and hope for the best. Patch management is a structured process that involves the research and testing of any update before it’s rolled out across the customer’s environment.
Here at Area9 for example, our team is always on the lookout for updates and emerging vulnerabilities that may require a product update. We also assess the customer’s existing environments, looking for any gaps or areas for improvement. When we identify a patch is required, we assess the likelihood of an adverse impact to the customer’s environment, test it, and then if everything works fine, develop a staged approach for rollout to avoid any business downtime on the customer’s end.
Q. Why is correct patch management so important?
Aidan: Correct patch management is absolutely critical for two reasons.
- The majority of patches exist to address known security vulnerabilities or known issues, so businesses running software and apps need those patches applied to mitigate against the known exploit running rampant across the threat landscape or to address known issues that could be causing problems for our customers.
- As I’ve discussed, it’s not wise to simply rollout patches and hope for the best. Research needs to be done prior to rollout to avoid any adverse effects from the update. Which is why patch management is so critical. Yes, patches need to be made, but they must be made in a structured and informed manner to avoid mistakes and business downtime.
Q. Do you have any examples where correct patch management could have been leveraged to avoid a certain situation?
Aidan: I recall an instance in which a customer came to us after experiencing two separate attacks that brought down their environment and ultimately their business operations. On investigation, we found they had not had a patch applied to their server environment in literally years. Had they been routinely patching the servers, it is highly likely they would not have been so easily compromised and caused such damage to their systems. Additionally, they had significant ongoing performance issues with their mail server, which would have been addressed in various cumulative updates.
When we took over the management of the environment, getting the systems up to date was at the top of our priority list. However, because nothing has been updated for so long, it was a timeconsuming process to get up to date, simply because some of the updates had dependencies on other updates being applied.
That process made for multiple outages across a period of time which unfortunately cost them money and downtime. Had they had a solid patch management routine it would have ensured the updates were happening at regular intervals, out of hours with minimal impact to the business.
Q. What are the dos and don’ts of patching?
Aidan: We’ve covered a lot of the dos already, so I’ll elaborate a little on the don’ts. Don’t implement an update to all your endpoints the same day it comes out unless it is a critical or security update. You really should test them before applying them and look for any adverse / unexpected results before you roll out. If you apply changes to every single endpoint and server overnight, you may very well come into work the next day and be presented with an issue. All it takes is one premature patch to bring down every department and business unit in your organisation. Testing patches on a small-scale before the business-wide rollout is paramount.
My second point would be stick to a regular patching regime. It’s important to not fall into the habit of patching one month and then forgetting to do it the next month. Stay abreast of known exploits and vulnerabilities in the market because sometimes they need to be actioned almost immediately, but not before testing.
Q. What would you say are the three key benefits to a good patching regime that Australian businesses should be aware of?
Aidan: Absolutely. When I think about it, there’s three key benefits to a good patching regime.
- Security, security, security! Good patch management greatly reduces your risk of falling victim to a security attack. By regularly patching known exploits, you’re making the attackers’ jobs a lot harder.
- Less downtime. Regular patching avoids the pitfalls of having to catch up with cumulative patches. A good patch management regime reduces downtime and increases productivity across your business.
- Increased performance and added features. Leveraging an up to date and patched environment enhances your ability to produce quality products and services. Don’t underestimate it.
Q. How can Area9 help with what we’ve been discussing today?
Aidan: At Area9, we use a remote monitoring and management tool that enables us to monitor and manage our customers’ environments as well as deploy updates when necessary. The big thing that we can help with is orchestrating patch management policies in a structured manner. The beauty of doing patch management in such a way lies in our ability to roll back updates from a central location if need be. If an update doesn’t work accordingly, at the click of a button we can roll back that update on every device.
Another key element is our deep knowledge and expertise of the software landscape. Our experts research patches at length before running a pool of tests internally to ascertain how it will perform on a larger scale. They’re constantly trawling the internet for information that will aid any patch, and if they feel the risk to the customer is too great to update, they will delay implementing the patch until they know how to address any issues it will cause or until any identified bugs have been addressed which is often very quickly.
We also have capability to roll out updates at any scale, whether it’s ten devices or two thousand.
If you’d like to learn more about how Area9 can help you achieve more structured processes for your patch management, speak with one of our experts.