Here at Indigo Mountain we reckon we have just taken Patch Management Best Practice to the next level.
How do we view a best practice approach?
1. Maintain the integrity of your patch deployment and testing across your estate
For the majority of customers there is a requirement for a level of testing first, before we deploy to the entire site. We term these as “Rings” so the initial patch deployment to a select set of test machines after Patch Tuesday would be “Ring 1”.
A subsequent release either to a restricted second ring or all other machines would then be “Ring 2”.
A manual label tends to work best as the initial test target, and if you use Device smart labels, make sure you exclude servers or any other business critical machines. With servers that can easily be done by creating a server label and then excluding it specifically from the patch deployment labels.
We need to ensure that no matter how many days Ring 2 runs after Ring 1, that the patches that are deployed are that same. In other words, only patches deployed to the initial test group are available to be deployed to subsequent groups. That is particularly key if you are deploying patches from other manufacturers that may not adhere to the Patch Tuesday schedule.
To achieve that, we have developed a set of smart patch labels that only populate with patches if it is the correct day of the cycle, calculated by the date and day number to make sure the cycle is in the correct week. This means that if the dates move in the month, you can run a schedule but it will be deploying an empty smart patch label.
This approach also enables a granular approach to patching that can be planned on a day by day basis if required.
2. Capture or Highlight problem machines and auto redeploy
We have developed a set of device smart labels that will identify a machine failing to run in week 1 of deployment and therefore gets deployed again in the second week. This means that from the initial deployment, the machines that miss the deployment get filtered down, week after week, enabling the tech to focus on those machines to ensure full coverage.
We have found that with UK customers that are trying to achieve Cyber Essentials or the NHS equivalent, the patch objective of deploying Critical patches within 30 days becomes much more visible and easier to manage. . Not only that, but we also reckon that our solution can be deployed for any customer, remotely, with only 3 man day effort spread over a 2 month period.
If you want to know more, just get in touch here