If our objective is to establish an efficient flow of patching and correcting flaws, the first thing we should keep in mind is that patching systems is not the same as patching applications or services. And the implications can be very different (and of very different degrees of severity). The separation of these patches at the technical level is due to the intrinsic characteristics of each, and the application patch cycles of these elements have to have different treatments. The idea is to automate and streamline the process. Once this is accomplished, a robust inventory must be drawn up that must always be attended to and kept up-to-date.
Designing and automating a correction cycle
We should begin by designing a work cycle specifically tailored to our system’s needs. Within this cycle we can use many tools that help us automate the process, streamlining the flow, etc. But we should keep in mind that not even the most sophisticated of methods will completely eliminate the manual phases of the flow.
To generate a correct flow of security patch implementation , we can identify several phases consisting in the detection of systems, services and applications, and the versioning of the software; the evaluation of the risk and the determination of the best way to carry out said evaluations; and the correction of policies according to the type of patch and classification of the risk.
A classification of the patch flow also consists in securing the pipeline, focusing on the hardening of the process in which the security requirements that must be met during the pipeline will be implemented. A detail that should not be forgotten is that the automated patching process must also be secured: management of the code of the configurations to be deployed, the automation of an incident, securing of backups, monitoring of logs, etc.
Integrating a good testing method
In many cases, testing seems relegated to the development of a product. But it also offers a very important function when it comes to patching, which will ensure the integrity of the infrastructure. After all, we must take these tasks of systems and services up to code. This will allow us to generate quality in what we are doing and guarantee, at least in large part, that our actions are being secured without relying exclusively on the human factor. Therefore, it will be necessary to generate tests that are sufficiently robust, of quality and with enough idempotence to guarantee minimums.
Maintaining control through monitorization
To have real visibility of what is happening during the processes that occur in the system, it is essential to have a good monitoring system. Therefore, it is essential that we rely on log and alarm correlation tools. That way, we will completely cover the temporal context of monitoring.
Establishing clear roles
As in any delicate task, it is essential to have clearly appointed managers responsible for their proper deployment. But it is also crucial to reduce the human factor as much as possible, relying instead on solutions that program the process. This avoids costly inefficiencies and serious losses when scheduling tasks. The idea is to bring everything viable up to code, to automate it. Of course, we must always do it after an in-depth analysis. This process, like many others, has to be adapted little by little.
Patching systems, services and applications is essential to protect our companies from possible cyberattacks. This important task can not be taken lightly; it is necessary to implement a method of action according to the characteristics of our company’s architecture and to evaluate the implication — in short, to use common sense and do it right, from planning to execution.