The Patch Cycle

Aug 08, 2017

Historically, corporations have patched on a scheduled timeline, following detailed policies and procedures, some of which are dictated by the industry they operate in. For example, PCI states that critical updates/patches must be applied within 30 days. This might work in an environment under the control of PCI; however, a lot of organizations adopt it as their company-wide standard.

We have seen an ever-increasing threat landscape hitting end users within organizations worldwide. While patching a controlled production environment every 30 days may be sufficient, it is proving insufficient in the user environment. Companies need to adapt to the increased threat and patch more often.

How often should you patch?

Organizations need to take a risk-based approach and analyze all patches that may apply to their user environment. This includes the operating system as well as every other application that resides on user systems. Given the current threat landscape, and how fast we have seen malware spread, I would suggest the following patch schedule for user systems:

  1. Operating systems or applications with remote code execution vulnerabilities need to be patched within 24 hours of a patch being released.
  2. Operating systems or applications with privilege escalation vulnerabilities should be patched within 7 days.
  3. All other patches should be applied within 30 days.

All of this should tie into your corporate vulnerability management program. Vulnerability scanning of your external production environment should occur on a weekly basis; this ensures you catch and remediate any unwanted changes that increase your attack surface. Internal authenticated scanning of your user environment should also take place on a weekly basis. This should provide two things:

  1. It verifies that the correct patches are installed.
  2. It identifies any additional vulnerable applications that have been installed by your users.
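
The schedule above and the weekly authenticated scan can be tied together in a small checker that turns each scan finding into an SLA status. This is an added example, not code from the original post; the finding fields, patch identifiers and scan results are constructed, while the day counts per vulnerability class are the post's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Days allowed after patch release, per vulnerability class, as in the schedule above.
SLA_DAYS = {"rce": 1, "privesc": 7, "other": 30}


@dataclass
class Finding:
    host: str
    patch_id: str              # hypothetical patch identifier reported by the scanner
    vuln_class: str            # "rce", "privesc" or "other"
    released: date             # day the vendor published the patch
    installed: Optional[date]  # day the authenticated scan saw it installed, or None


def deadline(f: Finding) -> date:
    """Date by which this patch must be installed; unknown classes fall into the 30-day tier."""
    return f.released + timedelta(days=SLA_DAYS.get(f.vuln_class, 30))


def status(f: Finding, today: date) -> str:
    """ok: installed in window; late: installed after the deadline;
    overdue: still missing past the deadline; pending: missing but still in window."""
    due = deadline(f)
    if f.installed is not None:
        return "ok" if f.installed <= due else "late"
    return "overdue" if today > due else "pending"


def report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group host:patch pairs by status so the overdue list can drive escalation."""
    out: Dict[str, List[str]] = {"ok": [], "late": [], "overdue": [], "pending": []}
    for f in findings:
        out[status(f, today)].append(f"{f.host}:{f.patch_id}")
    return out


# Constructed sample results from a weekly authenticated scan run on 2017-08-08.
SCAN_DATE = date(2017, 8, 8)
SAMPLE = [
    Finding("ws01", "PATCH-A", "rce", date(2017, 8, 7), date(2017, 8, 7)),       # ok
    Finding("ws02", "PATCH-A", "rce", date(2017, 8, 6), None),                   # overdue
    Finding("ws03", "PATCH-B", "privesc", date(2017, 7, 20), date(2017, 7, 30)),  # late
    Finding("ws04", "PATCH-C", "other", date(2017, 7, 20), None),                # pending
]

if __name__ == "__main__":
    for state, items in report(SAMPLE, SCAN_DATE).items():
        print(f"{state:8} {items}")
```

Feeding real scanner export rows into `Finding` objects is the only change needed to run this against an actual weekly scan.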

To some, this might seem like a lot. However, we need to stay ahead of the malicious actors and protect our overall infrastructure.