Patch management strategy

Date : October 07, 2021

The soaring number of vulnerabilities to deal with leads some people to conclude that it is no longer possible to apply security patches for all vulnerabilities on all systems. It is then often suggested to adopt an RBVM (Risk-Based Vulnerability Management) approach, which focuses on the vulnerabilities that are most severe for the company.

RBVM of course implies knowing the company's assets, their value and the acceptable risk levels. It can be a complex system (especially when deployed over a large perimeter), but simpler systems can also be implemented. This article presents a simple patch management strategy that could be described as a mini RBVM system.


Applying patches everywhere

It is important to note first that the idea that it is not necessary (or not possible) to apply patches everywhere is, from our point of view, a bad one. It is clear that 100% coverage cannot be reached (for example, because of shadow IT and systems that cannot be patched). But it is also clear that a system which is not patched regularly degrades progressively as new vulnerabilities are discovered, and becomes more and more vulnerable to attacks.

From our point of view, it is therefore necessary to regularly (for example, at least once a year) perform a systematic application of all available security patches (regardless of the severity of the flaws corrected) on all systems. These patching campaigns are generally carried out during the scheduled application maintenance that already exists for the systems (which makes it possible to optimize the validation or qualification activities).

Note: for systems where this is not possible (those that make the 100% coverage target unreachable, as mentioned above) we have created "zone 0", which is described later in the article.


Decide on the right time to apply patches

Setting up an RBVM system involves:

  • Assigning an intrinsic severity to each vulnerability,
  • Assigning to each asset (or each IT subsystem) a level of sensitivity and exposure,
  • Deciding on the speed at which protection should be put in place according to the two previous parameters.

For the speed at which protections are put in place, the SSVC method (see our July 2021 article) defines 4 values:

  • Defer: no treatment for the moment,
  • Scheduled: patches will be applied at the next scheduled maintenance,
  • Out-of-Band: patches will be applied at a specific date without waiting for the next scheduled maintenance,
  • Immediate: the patch must be applied right now.


Rank assets by sensitivity

We recommend splitting the assets into 4 categories:

  • Unmaintained (zone 0): This category is for all the assets for which there is no security maintenance (for example, which do not receive at least one annual security update). These assets are vulnerable. If they cannot be moved to other categories, they must be isolated (to prevent them from infecting other components) and protected (by placing them behind protection systems).
  • Minimal (zone 1): In this category, assets will receive scheduled updates (e.g. once a year).
  • Normal (zone 2): This category (aka zone) is for most of the assets. They will receive the "Scheduled" updates and some "Out-of-band" ones (in SSVC parlance). Except in very exceptional circumstances, they will never receive an "Immediate" update.
  • Sensitive (zone 3): These assets will receive Scheduled updates, Out-of-band updates, and also (routinely) Immediate updates. The teams responsible for these assets will therefore have to define in advance the processes (and resources) that will be applied when an out-of-band or immediate update event is triggered. This is also true for the other zones, which must also define the processes (and resources) for each type of update they receive.

Each company defines its own criteria for assigning assets to zones. But from our point of view, the "Sensitive" category must contain all the equipment exposed on the Internet (accessible from the Internet without VPN protection), and the "Immediate" rule must be triggered for them as soon as an exploit for a vulnerability exists on the Internet.


Monitoring threats

Usually, 2 teams are involved in patch management.

  • The operational team responsible for running the assets (or groups of assets). This team is responsible for evaluating the actual exposure of the assets to a given threat and for defining the best way to counter this threat (apply patches or implement workarounds).
  • The team responsible for the security of the company (or part of the company). This team gathers information about new threats (and the new patches available) and passes this information to the operational teams. By default, all threats for which a patch exists are transmitted to the operational teams with the status "Scheduled" (the default status). But some threats, considered more critical, may be labelled "Out-of-band", which indicates to the operational teams that it is strongly recommended to organize a specific deployment operation without waiting for the next scheduled maintenance. Finally, the "Immediate" status is used to indicate to operational teams that a threat has reached a level requiring immediate action.
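The three preceding sections (the SSVC response speeds, the four asset zones, and the labels exchanged between the security team and the operational teams) can be put together in a few dozen lines. The following is an added example written for this article, not code from the article's authors: it encodes the rules the text states (Scheduled as the default label, zone 2 never reaching Immediate, zone 1 receiving scheduled updates only, zone 0 being isolated rather than patched, and Internet-exposed zone 3 assets going Immediate as soon as a public exploit exists), plus a zoning check that flags Internet-exposed assets that were not filed as Sensitive. The severity scale, the thresholds used by `security_team_label`, and the inventory and threat feed are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Zone(Enum):
    """Asset sensitivity zones as defined in the article."""
    UNMAINTAINED = 0   # zone 0: no security maintenance, isolate and protect
    MINIMAL = 1        # zone 1: scheduled updates only
    NORMAL = 2         # zone 2: scheduled plus some out-of-band, no immediate
    SENSITIVE = 3      # zone 3: scheduled, out-of-band and immediate


class Decision(Enum):
    """SSVC-style response speeds; the integer value orders them by urgency."""
    DEFER = 0
    SCHEDULED = 1
    OUT_OF_BAND = 2
    IMMEDIATE = 3


# Fastest response each zone is allowed to trigger (None: the asset cannot be patched).
ZONE_CEILING = {
    Zone.UNMAINTAINED: None,
    Zone.MINIMAL: Decision.SCHEDULED,
    Zone.NORMAL: Decision.OUT_OF_BAND,
    Zone.SENSITIVE: Decision.IMMEDIATE,
}


@dataclass(frozen=True)
class Threat:
    vuln_id: str          # constructed placeholder, not a real vulnerability identifier
    severity: str         # assumed four-step scale: low, medium, high, critical
    exploit_public: bool  # an exploit is available on the Internet
    patch_available: bool


@dataclass(frozen=True)
class Asset:
    name: str
    zone: Zone
    internet_exposed: bool  # reachable from the Internet without VPN protection


@dataclass(frozen=True)
class Plan:
    asset: str
    vuln_id: str
    decision: Optional[Decision]  # None when the asset cannot be patched at all
    note: str


def security_team_label(threat: Threat) -> Decision:
    """Label attached by the security team before a threat is sent to operations.

    The article fixes only the default (Scheduled) and the meaning of the other
    labels; the escalation thresholds below are an assumption of this example.
    """
    if not threat.patch_available:
        return Decision.DEFER
    if threat.exploit_public and threat.severity in ("high", "critical"):
        return Decision.IMMEDIATE
    if threat.exploit_public or threat.severity == "critical":
        return Decision.OUT_OF_BAND
    return Decision.SCHEDULED


def plan_for_asset(asset: Asset, threat: Threat) -> Plan:
    """Operational team's decision: combine the security label with the asset's zone."""
    if asset.zone is Zone.UNMAINTAINED:
        return Plan(asset.name, threat.vuln_id, None,
                    "zone 0: cannot be patched; keep isolated and behind protection systems")
    decision = security_team_label(threat)
    # Article rule: Internet-exposed sensitive assets go Immediate as soon as an exploit exists.
    if asset.zone is Zone.SENSITIVE and asset.internet_exposed and threat.exploit_public:
        decision = Decision.IMMEDIATE
    ceiling = ZONE_CEILING[asset.zone]
    note = "as labelled by the security team"
    if decision.value > ceiling.value:
        note = f"{decision.name} capped to {ceiling.name} by zone {asset.zone.value}"
        decision = ceiling
    return Plan(asset.name, threat.vuln_id, decision, note)


def misfiled_assets(assets: List[Asset]) -> List[str]:
    """Zoning check from the article: every Internet-exposed asset must sit in zone 3."""
    return [a.name for a in assets if a.internet_exposed and a.zone is not Zone.SENSITIVE]


def triage(assets: List[Asset], threats: List[Threat]) -> List[Plan]:
    """One plan per (asset, threat) pair, as the operational teams would receive them."""
    return [plan_for_asset(a, t) for a in assets for t in threats]


# Constructed sample inventory and threat feed (not real assets or vulnerabilities).
SAMPLE_ASSETS = [
    Asset("public-web", Zone.SENSITIVE, internet_exposed=True),
    Asset("erp-app", Zone.NORMAL, internet_exposed=False),
    Asset("lab-kiosk", Zone.MINIMAL, internet_exposed=False),
    Asset("legacy-plc", Zone.UNMAINTAINED, internet_exposed=False),
]
SAMPLE_THREATS = [
    Threat("VULN-A", "critical", exploit_public=True, patch_available=True),
    Threat("VULN-B", "medium", exploit_public=False, patch_available=True),
    Threat("VULN-C", "medium", exploit_public=True, patch_available=True),
]

if __name__ == "__main__":
    for p in triage(SAMPLE_ASSETS, SAMPLE_THREATS):
        speed = p.decision.name if p.decision else "ISOLATE"
        print(f"{p.asset:12} {p.vuln_id:8} {speed:12} {p.note}")
```

Running the block shows the two effects the article insists on: the same critical threat with a public exploit comes out as Immediate for the Internet-exposed zone 3 server but is capped to Out-of-Band for the zone 2 ERP and to Scheduled for the zone 1 kiosk, while the zone 0 controller gets no patch plan at all, only the isolate-and-protect note. The `misfiled_assets` check is the one worth wiring into the inventory process, since an exposed asset filed in zone 2 would silently lose the Immediate path.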


Patch management is a complex problem (this has been known for a long time). The processes we present are simple and quite classical in their principles. But the real difficulty is to succeed in deploying them on a large scale, with limited resources.

More globally, it should be noted that patch management is only one part of the defense against attacks. Indeed, it is considered today that there are 3 ways to attack a target:

  • 0-day: the attacker uses a previously unknown vulnerability to penetrate the company.
  • N-day: the attacker uses an already known vulnerability for which a patch has been available for N days.
  • ATO (Account Take Over): instead of using a technical vulnerability, the attacker steals a user account, buys it on the black market, or convinces the user to launch a malicious executable.

Patch management makes it possible to control the risk induced by N-day attacks, and this is an essential component of the defense activities. It is started after the defenses have been built (with system hardening, network segmentation, etc.), and is performed in parallel with continuous monitoring (by the SOC) and resolution of detected incidents (by the Incident Response team).
