For many businesses, the discipline of patching only extends to operating system-level patching. Thanks to Microsoft’s “Patch Tuesday,” IT teams diligently push the latest critical Windows patches monthly and confidently say there’s a well-thought-out and executed plan for managing Microsoft patching.
Good for you! But... what about all those third-party applications running on your Windows machines?
Here’s a dirty little secret – many organisations don’t bother patching these third-party applications, leaving you wide open to hackers. Software vulnerability research also shows that unpatched software remains one of the most common reasons your business is open to cyberattacks.
Is Third-Party Patching Too Difficult?
Because hundreds of third-party (non-Microsoft) applications are used across organisations, patching them appears more challenging. It often is, because each third-party vendor sets its own patch priorities and release cycles.
This makes it arduous for IT Operations to monitor every vendor notification about a new patch release and manually ensure deployment to all the endpoints on the network. The process is complicated, time-consuming and error-prone, and all too easily users disable or ignore the vendors' own update prompts.
But it doesn’t have to be like this.
Let’s take a look at some of the strategies that put you back in control of your critical vulnerabilities and let you keep pace with the constant stream of security threats and the patches released to address them:
1. Don’t Overlook 3rd Party Applications - Better Yet, Prioritise Them
This may come as a surprise - according to Flexera’s Vulnerability Review, ‘Top Desktop Apps 2018’, 33 % of the most popular non-Microsoft applications account for 65 % of the vulnerabilities. Tools like Adobe Flash Player, Google Chrome, Acrobat Reader, QuickTime, iTunes, Mozilla Firefox and Oracle Java JRE are your key culprits – and at least some (if not all) are installed on every laptop and desktop in your company.
2. Develop an Up-To-Date Inventory of 3rd Party Software
All installed software and versions should be documented with the business need. You cannot patch applications without visibility of what applications are in use. One of the reasons third-party software is left unpatched is the lack of visibility around which applications are present within a larger network. This risk is made even greater when:
- Applications are installed without the authorisation and approval of the IT department
- Employees are frequently accessing corporate networks remotely
- A BYOD policy is in place, complicating the picture with users bringing different applications running on operating systems that aren’t owned or controlled by IT.
The inventory should be refreshed periodically and should cover your software applications, devices and operating systems. It only takes one computer in an environment missing a patch to threaten the security of the entire network.
3. Use a Broad Vulnerability Discovery Service
The only way to know if a breach or vulnerability exists is to employ broad discovery capabilities to scan your network and identify missing patches comprehensively. A solution such as Flexera’s Software Vulnerability Manager has proprietary non-intrusive scanning technology to discover and track more than 20,000 applications across Windows, Mac and Linux platforms. By collecting intelligence across all systems that access your network, the system can validate, prioritise and determine the correct version of the patch or whether a patch was replaced or updated.
4. Create a Regular Patching Schedule - And Automate Where Possible
If patching is completed irregularly there is a stronger likelihood that patches will be inadvertently skipped. Manual 3rd party patching is an extremely time-consuming task, which is often put off due to other priorities. Automation removes the risk of human error or oversight, enabling you to prioritise tasks based on vulnerability level, speeding up the remediation process and reducing overall risk.
5. Create Dashboards and Report Regularly
Readily available data on patch status is almost as important as patching itself. When malware such as WannaCry or Petya/NotPetya is released, an IT team must be able to assess the potential impact across their network immediately. Customised dashboards give you a clear understanding of the vulnerability status of your environment and let you focus on the data that matters - improving response time and reducing your attack surface. Regular reporting also ensures that you can keep your team and organisation well informed of policy and regulation compliance status.
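As an added example to illustrate strategies 2 and 3 (this is not CyberOne’s or Flexera’s code), the following PowerShell script builds a per-machine inventory of non-Microsoft applications from the standard Windows uninstall registry keys and flags any that fall below a minimum-version baseline. The `$Baseline` entries are constructed placeholders; in practice the minimum versions would come from your vulnerability intelligence feed.

```powershell
# Added example, not part of the original article. Enumerates installed
# third-party software and compares it against a constructed baseline.
$Baseline = @{
    'Google Chrome'   = '120.0.0.0'   # placeholder minimum version
    'Mozilla Firefox' = '120.0'       # placeholder minimum version
    '7-Zip'           = '23.01'       # placeholder minimum version
}

# Machine-wide (64-bit and 32-bit) and per-user install locations.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ThirdPartyInventory {
    # Skip entries without a display name (hotfix/driver stubs) and Microsoft's own.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.Publisher -notmatch '^Microsoft' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Test-PatchLevel {
    param([Parameter(ValueFromPipeline)] $App)
    process {
        foreach ($name in $Baseline.Keys) {
            if ($App.DisplayName -like "$name*") {
                $installed = $null; $required = $null
                # Vendors do not always ship parsable version strings; report
                # those as UNKNOWN rather than silently treating them as current.
                $ok = [version]::TryParse($App.DisplayVersion, [ref]$installed) -and
                      [version]::TryParse($Baseline[$name], [ref]$required)
                [pscustomobject]@{
                    Application = $App.DisplayName
                    Installed   = $App.DisplayVersion
                    Required    = $Baseline[$name]
                    Status      = if (-not $ok) { 'UNKNOWN (unparsable version)' }
                                  elseif ($installed -lt $required) { 'OUT OF DATE' }
                                  else { 'OK' }
                }
            }
        }
    }
}

$inventory = Get-ThirdPartyInventory
$inventory | Export-Csv -Path "$env:COMPUTERNAME-software-inventory.csv" -NoTypeInformation
$inventory | Test-PatchLevel | Format-Table -AutoSize
```

Run it under an account that can read HKLM, and collect the CSV from each endpoint so the inventory covers the whole estate rather than a single machine.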
So, What’s the Simple Answer?
Ultimately, the answer lies in taking a holistic approach: deploying a single management tool across all work streams that gives comprehensive visibility through one interface, and automation that gives IT professionals critical control via profiles and policies.
Flexera’s best-in-class solution, Software Vulnerability Manager (previously Corporate Software Inspector), provides a scalable solution for mid and large enterprises, using vulnerability intelligence from Secunia Research to prioritise the patch status of over 20,000 applications - more than anyone else - and fully integrates with WSUS (Windows Server Update Services) and SCCM (Windows System Center Configuration Manager) to patch all your non-Microsoft applications and systems.
Further Reading
- WSUS and SCCM Third-Party Patch Management
- A Buyer’s Guide to Patch Management Software
- On-Demand Webinar: How to Develop Security Vulnerability Management Programmes
- What Is a Vulnerability Scan and Does My Company Need One?
- Pros and Cons of Outsourcing Your Cyber Security - In-House, MSSP or Virtual SOC?
About CyberOne
Powered by a dedicated team of software vulnerability specialists, CyberOne helps give you tools, support and services to manage your critical software updates intelligently. With expert deployment, 24x7x365 support and fully managed ‘Patch Management-as-a-Service’ options, CyberOne works with many of the UK’s leading organisations to simplify your software vulnerability management.