Krome Cast: Tech-IT-Out

Krome Cast: TECH-IT-OUT - Patch Management Tips and Best Practices for Patching

February 03, 2021 Krome Technologies Season 1 Episode 5

In this episode of Krome Cast: Tech-it-out we discuss why patch management is critical to all businesses; the best practices for patching, along with the best patch management tools and vulnerability scanning tools required to maintain an effective security patching strategy for application patching, software patching and hardware patching.

In this easy-to-consume technology podcast, we also discuss how to manage your patching schedule, based on criticalities and in line with Cyber Essentials Plus recommendations.

This podcast features Krome’s Commercial Director, Sam Mager along with Krome's CTO Rupert Mills, sharing their insights on security patching and automated patching tools.


► ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.

► KROME WEBSITE: https://www.krome.co.uk/

► SOCIAL MEDIA
• YouTube: https://www.youtube.com/@krometechnologies
• Linkedin: https://www.linkedin.com/company/krome-technologies-ltd
• Instagram: https://www.instagram.com/krometechnologies/
• Twitter: https://twitter.com/KromeTech
• Facebook: https://www.facebook.com/KromeTechnologies/

► CONTACT
• Telephone: 01932 232345
• Email: info@krome.co.uk

Introduction 00:01

Welcome to Krome Cast, Tech-it-out. Hosted by service-centric, people-first UK technology consultancy Krome Technologies.

Sam Mager 00:12

Welcome to Krome Cast, Tech-it-out. I'm Sam Mager, Commercial Director for Krome Technologies. Today we're talking about Patch Management, automation and best practices. I'm joined once again by my business partner and co-founder, Rupert Mills. Rupert, welcome. Talking about exciting stuff, obviously, today we're talking about Patch Management, which some people may find fairly exciting, some people may find more mundane, but ultimately, completely necessary, a real must-have, a must-do. So starting with the very basics of this, from your perspective, your mind, what is patching?

Rupert Mills 00:58

Patching would be bringing up to date, for purposes of either updating or securing I guess, any application, or piece of hardware, or device within your network. It's bringing things up to date, I guess is probably the most accurate way of putting it.

Sam Mager 01:14

So historically, we've had, focusing on Microsoft Patch Tuesday, etc. How does this now differ? Because obviously, it's not just Microsoft that we need to patch, you mentioned then, it's multiple different vendors, multiple technologies, this now starts to sprawl into things like mobile devices, etc. So how do we now manage, I guess, the plethora of vendors and different devices in our patching schedule?

Rupert Mills 01:41

There's a whole different bunch of ways to answer that question, to be honest. There are lots of patch management tools out there from various different vendors. There are lots of different tools to work out whether or not you are patched. So ultimately, yeah, you're right, originally it started as Microsoft Patch Tuesday, and everybody rolled out their Windows updates, going back many, many versions of Windows now. Then people realised that attack vectors start to become things other than Microsoft, so they started to look at that, but yeah, I would suggest the first thing you need to achieve is defining which tools you're going to use, and also defining what you're going to use to test it's been successful.

Sam Mager 02:19

Obviously, that's the interesting part, no point doing it if it's not been successful. How do we map this on to tools, and what tools potentially would you recommend? Looking at that threat vector, obviously, we have Patch Tuesday, and if there was a bug found, an anomaly, whatever it was, between Tuesday to Tuesday, there's the threat window. Obviously, nowadays, we have ways of scanning people's networks and looking for holes, insecurities, etc. So how can we tie into those sorts of technologies? I guess to eradicate that.

Rupert Mills 02:52

So there's a whole bunch of tools out there. There are things like Tenable, they've got their Nessus product, that's a really low-cost product for people to have with very little barrier to entry, that will get in there and do a lot of scanning; they move up to their Tenable.io or Tenable.sc products, which are both very good at high-end scanning. You've got Qualys, you've got Rapid7, you've got Darktrace, there's a whole bunch of things out there these days, and Microsoft's also got the new, what was ATP, which then became part of Defender, which is now part of Endpoint Manager, which is their version of doing the same thing as well. But something that actually tells you how up to date your estate is, that is a really useful tool within today's day and age of trying to patch things and make sure you keep things up to date, because it's not just how frequently you patch, it's what the criticality of the patch is and whether or not it's one that needs doing tomorrow, yesterday, or can actually wait a while. So having something that will tell you that, and then being able to react to it with a patching tool.

Sam Mager 03:52

There's timescale considerations with things like Cyber Essentials, Cyber Essentials Plus accreditation. I think it's a 14-day window that you must patch criticalities in, am I correct?

Rupert Mills 04:05

Yeah, criticals and highs, Cyber Essentials say. So obviously that's a really good one to base your patching on, because it's what the Government are recommending. But the criticals and highs have to be patched within 14 days, is their recommendation there. So it's a really good example, you might find that there's, you might find you've got hundreds and hundreds of devices in your network, but it's focusing on the criticals and the highs first of all, and getting those patched, and then you might actually roll out patching on a slightly different schedule. For example, we have a view of patching Windows and applications monthly unless there's criticals or highs that bring it up more regularly than that. Security devices and security systems monthly unless scanning brings something back more regularly than that. Then we'll roll into various different pieces of hardware, maybe quarterly, all the way down to something like network switches that tend to be very stable, and provided there's nothing critical in terms of an update or security fix that needs to be applied, we will tend to patch those annually, because they have sort of a low change rate in what they're doing and can potentially impact your network quite severely if they're not right. So they are a thing to patch less frequently unless there's something critical there.

Sam Mager 05:17

So that's a, if it's not broken, don't fix it option.

Rupert Mills 05:22

Exactly that. That's a good mentality to put to it, but I think that is why you need a tool that's going to scan and tell you what the vulnerabilities look like, because that "if it's not broken, don't fix it" approach definitely doesn't apply to IT, in general, these days, because a lot of stuff's broken and you don't realise it. So being able to tell you if something's broken, i.e. it has a critical or high or medium-level CVSS score, then you basically can take it from there and apply a strategy that's appropriate to fix that.

Sam Mager 05:51

This is where I'm going to highlight that I'm more sales than technical, but you're talking about patching schedules, a different cadence for different applications, Operating Systems, hardware, etc, etc. Things like firmware, they're obviously different than the patching that we're doing, but use a similar sort of timescale, or am I completely off the reservation in my line of thinking there?

Rupert Mills 06:13

No, no, you're absolutely right. So firmware is at a hardware level: what can something be connected to, communicated with, attacked by, etc. So firmware is a really common one for people to miss out altogether. That's just as important. So take, let's say at a low level, something like a server where you might have HP with iLO or Dell with iDRAC or something similar, you've got a management card in there that allows you base-level access into your server. If you don't patch the firmware on that, you could find that it's got some serious vulnerabilities in it, and someone will be able to get into the very base of your system.

Sam Mager 06:45

Okay, so it's pretty core. You're talking about, obviously, different toolsets then for doing the SIEM stuff, the vulnerability assessments and management, etc. What different toolsets are available? And I guess, in your opinion, you've been doing this a while, is there a best toolset, or again, how do we analyse and advise what the best toolset is to use, for our customers, for their patch management?

Rupert Mills 07:10

So you need a mix of tools, ideally. As I say, the vulnerability scanning piece to tell you where you need to patch, then if you move into the standard Windows estate, you've had things like WSUS or SCCM around for ages. Microsoft have brought in recently, as I was referencing earlier, their ATP toolset, that gives you a scoring mechanism, so you can look at how at-risk your network is; it will actually allow you to see what patches have and haven't been deployed, and then they've recently rolled that up with elements of SCCM into their Cloud-based Microsoft Endpoint Manager, which takes in Intune, which also manages other devices. So Intune will manage your various other sort of iOS, Android and, moving into MacOS ever more regularly, devices and allow you to bring them under a single pane of glass in the Microsoft Endpoint Manager. So from a device basis, using something like that to patch your estate, your Operating Systems, your devices, is a great idea. You can use it natively to patch all the Microsoft applications; you can also use it to deploy patches to other applications, so for example, Adobe Reader is a common one, you could redeploy the latest version of Adobe Reader using the same tool, which allows you to effectively patch that and bring it under that patching regime. It won't patch things like the hardware devices. So down to your iLOs and iDRACs, again, that sort of stuff, or your firewalls, etc. So for example, we do a lot of work with Palo Alto Networks firewalls; using those, we use Panorama to patch the Palo Alto firewalls, because that allows us to push out updates centrally to a number of devices, for those we have on a managed service, or for clients that have a Panorama deployment. So it's kind of having the right tools in place to patch the various different bits of your environment. Manufacturers like Dell, HP, etc, have all got their patching tools as well, that will patch their hardware. Whether or not they're worth deploying really depends on how much hardware you have in your environment from that manufacturer.

Sam Mager 09:05

Which actually kind of brings me nicely onto this, I suppose. What you're talking about there, to me, again, as a non-technical person, sounds like an awful lot of work. We've got to understand what criticalities are out there, the level they're at, how quickly we need to resolve them, then what toolset we're going to do it with, what manufacturers, etc, etc. It's a lot of work, and I guess how easy is that for our clients to automate? And I guess conversely, I guess that's the reason why we offer this as a service. How easy can we make it for them by bringing that into us and delivering it back to them as a managed service and taking the headache away?

Rupert Mills 09:42

Yeah, automating it can be done. It's certainly not too difficult on the Operating System level and things like that these days. So from a lot of people's perspective, they can roll out patch updates within any one of the Microsoft tools I just mentioned, or something similar, that will automatically approve those updates, or you can have a number of different policies. A lot of people, including us, will deploy policies within their network that allow the automatic rollout of updates; they may stage them in groups, so you have sort of a test group they'll run through, and then the main group that will run through thereafter, or a number of subgroups, but will do automatic rollout of updates, because it used to be that you'd carefully test each individual update from the manufacturer before you rolled it out into your network. Nowadays, unless you have a very large estate, that tends to be less so. Small to medium estates tend to automate the rollout of patches, and then very, very large estates will probably still do patch management authorisation; we tend to adopt the corresponding approach, depending on which of those we're doing. But yeah, so in terms of what we do, we'll bring it in-house, and we have a team of people, as I said, for example, who use Panorama to patch Palos, or the Dell or HP tools to patch that hardware, and because we're patching a number of them, we tend to patch our own environment first. We've always believed in using the hardware that we deploy to customers, patch that up, and then roll the patch out to customers, unless they're critical updates. Obviously, if it's a critical security update, we tend to attack those head-on fairly straight away. We've had a few recently with Citrix. They've had a few vulnerabilities, so we've been rolling out, rapidly patching the clients' Citrix environments to avoid any potential threats, as one example. But yeah, we tend to roll out the updates and test them in-house ourselves, then roll them on to client estates, and we use, depending on the client and what they have, a number of different tools to do that, but we can take that entirely as a managed service, so the customer can rest assured. What we would encourage them to do is then use the vulnerability scanning tool, whichever one they choose, to basically check our homework. So they can use that vulnerability scanning tool, see what the vulnerabilities within their environment are, and from there should be able to check that our patching is rolling out regularly.

Sam Mager 12:00

Obviously, for our customers who take both from us, the scanning for vulnerabilities and then the managed service to roll out patches and firmware upgrades and so on, they'll get the monthly report too. Essentially, it is a bit marking our own homework, but we can't lie against what the tool is saying. So the tool will obviously always be the single source of truth for what needs to be done and then what has been done.

Rupert Mills 12:21

Yeah, absolutely. And the customer will have a login to the tool as well so you can spot-check at any point in time.

Sam Mager 12:27

Thanks, Rupert, it's been really interesting. Thank you for joining us on Krome Cast, Tech-it-out. Please remember to like, subscribe, and share, and do leave anything you would like us to discuss in the comments. It does help to shape the content. Thank you.

Out 12:41

We hope you have enjoyed this episode. For more information or to speak to Krome, visit www dot Krome dot co dot uk, spelled KROME, that's Krome.co.uk.