Downtime. One word to strike fear into the hearts of even the hardiest of IT manager. Avoiding downtime at pretty much all costs is the name of the game now. However, with the reliance on Microsoft (MSFT) products, there is inevitably going to have to be some downtime to roll out patch updates to keep systems secure.
The problem: The more updates there are, the longer the downtime is needed to update and install patches. For customers this can be a challenge, but for IT service providers and managed services companies, this can be a real headache. Invariably, your customers have a very limited window when systems can be taken offline to install patches. This is all well and good when there’s a only a few patches, such as in January’s update, but when there are a large number (generally eight or more), this can be a real challenge.
Microsoft has its own rating system for its patches: Critical, Important, Moderate and Low. On a typical Patch Tuesday we will see a small number rated Critical, and invariably the rest are rated Important. If taken at face value then you’d presume to roll out Critical patch updates first, and work down the list. But what may be a Critical patch for one of your customers may in fact be almost unnecessary for others due to different systems being in use. So how do you differentiate those that genuinely pose a significant threat to those that don’t? How do you make best use of the limited patch window available?
The Second Source
One of the key reasons companies outsource their security to MSPs is the fact that you are the expert that the customer relies on. Yet, if you go by Microsoft’s rating alone, you aren’t actually advising your customer at all, Microsoft is. With the recent issue between Microsoft’s vulnerability disclosure policy and Google’s (GOOG), it would be worth taking a moment to think about who polices the police. For any number of years Microsoft’s ratings have been taken as gospel, but more recently its vulnerability reporting and remediation processes has been brought into question.
That’s why you’d be well-advised to look for third-party analysis of Microsoft’s patches. Following the release of each month’s Patch Tuesday updates, US-CERT releases its own independent analysis of the vulnerabilities, and there are numerous occasions where we have seen a stark difference in what Microsoft deems as Critical compared to US-CERT.
Be a Trusted Adviser
How does this relate to you, you may ask? Quite simply, there is the opportunity for you to position yourself as an authoritative figure on patch management for your customers, both in terms of making the best use of time available and patch prioritization. It’s a service Verismic already offers to both customers and our MSP partners, and I am often surprised at how little is truly known by IT managers about the entire Patch Tuesday process. Many times a customer will roll out patches without any real analysis of how it really affects them, whether it's even necessary, or even if the patch will work—there have been numerous examples over the past year of patch updates causing the dreaded Blue Screen of Death.
Although Microsoft is trying to keep up with the ever-increasing number of security vulnerabilities, providing a service everyone is thankful for, it does need policing by a second source. The Critical is not always Critical and sometimes the Moderate needs urgent attention, and your customers will be looking to you to advise them on the most significant patches of the month.
Ashley Leonard is CEO of Verismic, a software and services management company with headquarters in Aliso Viejo, California; Hampshire, UK; and Sydney, Australia.