Best Practices for Windows Patch Management
With today’s security landscape, most IT and security professionals are aware of the importance of Windows patch management. However, many organizations choose to neglect the most important part of patch management—patching Windows applications (i.e., third-party applications) in addition to patching the Windows OS. Based on CVSS scores (the “risk score” assigned to each vulnerability), the riskiest products to leave unpatched are third-party applications, not the Windows OS itself.
Analyzing CVSS scores for Windows products (OS and third-party apps) shows that many of the “riskiest” products are third-party apps. This website provides a list of the top 50 products by total number of “distinct” vulnerabilities. Even though the list is ever changing, it is safe to assume that by the time you read this page, third-party applications will still make up a significant share of it.
The obvious conclusion? You must implement a Windows patch management process that focuses on third-party application patching, as well as Windows OS patching.
In this post I’ll share my experience as a security product manager and offer some Windows patch management best practices.
- Scan your endpoints and servers for missing patches at least weekly—and for all products—even if you don’t intend to patch those products.
Why scan for everything when you only want to patch a smaller set of applications? Simply scanning for everything provides the needed visibility into your environment. Remember, bad guys don’t “care” about your internal Windows patch management processes. They’ll target unpatched applications whether you decide to patch them or not. Knowing your patch state across all applications helps you understand your security posture and what you can do to improve it. That same “patch” posture record also becomes valuable when you get hacked, because it shows which unpatched products were exposed at the time.
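The weekly “scan everything” step above can be automated on a single host with the Windows Update Agent COM API plus the registry uninstall hives. This is an added example, not code from the original post; it assumes local administrator rights, reachable Windows Update (or WSUS) and a placeholder report directory `C:\PatchReports`.

```powershell
# Added example (not from the original post): weekly visibility scan that records
# every installed application and every missing Windows update on this host.
# Assumes local admin rights and Windows Update access; $ReportDir is a placeholder.
$ReportDir = "C:\PatchReports"
$Stamp     = Get-Date -Format "yyyyMMdd"
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Inventory of all installed products (64-bit and 32-bit registry hives).
#    Everything is recorded, including apps you never intend to patch, so the
#    report reflects what an attacker could actually reach, not just your plan.
$UninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
$Apps = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique
$Apps | Export-Csv -Path (Join-Path $ReportDir "apps-$Stamp.csv") -NoTypeInformation

# 2. Missing OS/Microsoft updates via the Windows Update Agent (IUpdateSearcher).
#    The search criteria string is the WUA query syntax, not a PowerShell filter.
$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Result   = $Searcher.Search("IsInstalled=0 and IsHidden=0")
$Missing  = foreach ($u in $Result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ";"
        Severity = $u.MsrcSeverity            # empty for non-security updates
        Released = $u.LastDeploymentChangeTime
    }
}
$Missing | Export-Csv -Path (Join-Path $ReportDir "missing-updates-$Stamp.csv") -NoTypeInformation

# 3. Separate third-party apps from Microsoft products so OS patch state and
#    application patch state are reported side by side. An app with no Publisher
#    value is deliberately counted as third-party rather than silently dropped.
$ThirdParty = $Apps | Where-Object { $_.Publisher -notmatch '^Microsoft' }
"{0} installed products, {1} third-party, {2} missing Windows updates" -f `
    $Apps.Count, $ThirdParty.Count, $Missing.Count
```

The third-party CSV is the piece most patch tools skip; comparing the installed `DisplayVersion` against each vendor’s current release is the manual step this inventory makes possible.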
- Define a set of operating systems and third-party applications that you “want” to patch (as many as you can). Every Patch Tuesday, start to roll out those patches to your endpoints and servers.
Most of the customers I speak with use Patch Tuesday as the “launching” date for a new patch “campaign.” This makes sense as many vendors release patches around the Patch Tuesday timeframe. The key here is to keep track of patches that are released after Patch Tuesday, and to make sure that new patches are always added to your Windows patch management queue.
It’s also very important to patch proactively, on a predefined cadence. Don’t wait for your security team to find vulnerabilities and ask you to patch them. Patch proactively so your security team doesn’t keep finding unpatched applications in their vulnerability scans. Doing so saves time and lets the security team focus on other security issues that can’t be automated.
Remember, even if you had a bad experience patching third-party applications in the past (Java?) and decided not to patch them, the bad guys most likely already have