I’ve trimmed my hedge three times this year. That’s not something I usually do. Typically, I have a marathon weekend where I trim the hedge for 12 hours and make three trips to the recycling center.
But I have a nice view from my backyard overlooking a meadow, and if I stand on my toes in the bedroom, I can even catch a glimpse of a lake. That view disappears in early summer if I don’t trim the hedge down, and this year, I wanted to keep it. That meant trimming the hedge three times, and it felt like a drag the third time before I started. But after finishing the job in under an hour, with my daughter following me around the garden and picking up all the clippings, I thought to myself, there is really something to this trimming the hedge multiple times a year.
In IT, there’s also a lot to gain from ‘trimming’ your patch management and doing it in a structured way. Patch management isn’t exactly exciting (it’s okay if you yawn a bit now), but it’s essential for maintaining a secure infrastructure. And if done in an organized way, it can save you a lot of time and money.
An example of structured patch management is Patch Tuesday.
Patch Tuesday is a concept developed by major American software companies to structure the rollout of updates. Previously, software manufacturers released updates continuously, meaning IT staff worldwide could face unexpected work at any time, 24/7, to ensure that critical security updates were applied to their infrastructure. To prevent this, a group of large American companies introduced Patch Tuesday. The manufacturer collects updates over the course of a month and releases them in one package once a month.
By designating a specific day of the month, IT teams can plan for the deployment of new updates and prepare the organization for upcoming changes in a controlled manner. For example, with Microsoft Windows, this approach allows you to begin by updating a few PCs in the IT department before rolling out updates across the entire company. You could also start in a test environment, ensuring that the new updates only impact production once thoroughly tested.
I may only need to trim my hedge one Tuesday during each of the summer months, as that’s when it grows the most. However, with Patch Tuesday (and similar strategies), it becomes simple and predictable for IT departments to plan and execute regular updates, keeping endpoints and infrastructure healthy and secure throughout the year.
Why Tuesday?
Patch Tuesday. It sounds very American, almost like Super Bowl Sunday, but not much beer, snacks, or football is involved with Patch Tuesday. However, it makes a lot of sense that it’s on a Tuesday. Monday is free to catch up on any potential weekend issues before dealing with new challenges from an update. Plus, Tuesday allows the maximum amount of time before the weekend to handle any problems that may arise from the updates.
An example of a company that follows Patch Tuesday is Microsoft. They have selected the second Tuesday of the month, strategically distancing it from the end of the month. Many companies impose a freeze on changes around month-end to prevent issues related to accounting, payroll, and other similar processes.
How do I get started?
Patch management can seem overwhelming, especially since most companies use many different IT products. However, as my colleagues working with micro-segmentation projects often mention, start with your most critical or exposed products. Examples of this could be your perimeter firewalls or your data center.
Start by understanding the software lifecycle strategy of the vendors you use. If the vendor follows a Patch Tuesday strategy, consider how you can incorporate it into your structured processes to make it more proactive.
For example, Cisco’s Secure Firewall receives planned updates twice a year, while Cisco’s IOS-XE software gets four updates annually, but not on a specific day. In these cases, you must implement a process that is triggered whenever new software becomes available, rather than one tied to a calendar date.
You should also have a clear process for handling critical updates outside the regular update schedule. This can occur when a vulnerability is made public or becomes known online, and the issue is so severe that the vendor decides it can’t wait until the planned update window. Unfortunately, we’re seeing this happen more frequently—not because the code is deteriorating, but because IT is becoming more complex, and our adversaries (hackers, cybercriminals) are becoming more skilled and numerous.
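To make the planning concrete, here is an added example (not from the original post or any vendor tool) that computes the second-Tuesday release dates for a year, staggers them across test, IT-department and production rings, keeps production out of a month-end change freeze, and compresses the schedule for an out-of-band critical release. The ring names, the day offsets and the freeze window length are assumptions chosen for illustration.

```python
from datetime import date, timedelta
import calendar

# Deployment rings as day offsets after the vendor release.
# Assumed values for illustration; the article only sketches the rings.
RINGS = {"test-lab": 0, "it-department": 2, "production": 7}
URGENT_RINGS = {"test-lab": 0, "it-department": 1, "production": 1}

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (Microsoft's Patch Tuesday)."""
    first = date(year, month, 1)
    to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)

def in_month_end_freeze(d: date, days_before: int = 3, days_after: int = 2) -> bool:
    """Assumed change-freeze window: last 3 days and first 2 days of a month."""
    last_day = calendar.monthrange(d.year, d.month)[1]
    return d.day > last_day - days_before or d.day <= days_after

def plan_rollout(release: date, urgent: bool = False) -> dict:
    """Map each ring to its deployment date.

    Scheduled releases: the production ring is pushed past the freeze window.
    Urgent (out-of-band) releases: compressed ring spacing and no freeze,
    because a publicly known, exploitable flaw outweighs the month-end risk.
    """
    rings = URGENT_RINGS if urgent else RINGS
    plan = {}
    for ring, offset in rings.items():
        target = release + timedelta(days=offset)
        if ring == "production" and not urgent:
            while in_month_end_freeze(target):
                target += timedelta(days=1)
        plan[ring] = target
    return plan

def yearly_schedule(year: int) -> list:
    """Twelve planned rollouts, one per Patch Tuesday."""
    return [plan_rollout(patch_tuesday(year, m)) for m in range(1, 13)]

def freeze_conflicts(year: int) -> int:
    """Production deployments that would hit the freeze before rescheduling.
    Zero for every year: the second Tuesday keeps the whole rollout clear."""
    prod = RINGS["production"]
    return sum(in_month_end_freeze(patch_tuesday(year, m) + timedelta(days=prod))
               for m in range(1, 13))

if __name__ == "__main__":
    for plan in yearly_schedule(2025):
        print({ring: d.isoformat() for ring, d in plan.items()})
    print("urgent:", plan_rollout(date(2025, 1, 30), urgent=True))
```

Feeding an unscheduled vendor release date into `plan_rollout` gives the same ring plan for products that, like the Cisco examples above, publish on no fixed day.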
What does a structured process offer us as a company?
I recently heard about several devices at a customer’s site that hadn’t been updated in 9 years (since they were put into operation). Because the customer was so far behind on updates, multiple steps were required to bring them up to the current, secure level. This meant the update process would take 14 days, requiring several maintenance windows to bring everything up to the latest stable (and secure) software version. It was a significant investment of time, effort, and money on hardware already at the end of its lifecycle and due for replacement. The customer ultimately chose to upgrade their hardware instead of updating the devices.
If we choose to update proactively when new software is released, we gain several advantages:
- We gain continuous experience with the update process, eliminating the need to search for manuals or the location of new software downloads.
- A clear and tested plan for updating. Maybe we should start with the IT department to avoid disrupting production equipment if issues arise.
- Familiarity with our test plans—what is critical to test, what works before the update, and what works afterward.
- And, most importantly, improved security.
Exploit Wednesday
Of course, the primary benefit is closing security gaps. The day after Patch Tuesday is often referred to as Exploit Wednesday. When a new update is released, it typically includes information on the vulnerabilities that have been addressed. If the update isn’t applied promptly, those now-public vulnerabilities can be exploited, making it crucial to stay on top of updates from your vendors. If you can’t manage this internally, you can ask your service provider to help structure your patch management.
So, if you want to take control and plan what’s on your calendar for Exploit Wednesday, it’s worth considering a structured approach to patch management. For me and my hedge, three trims a year—split between early and late summer—keep things efficient while letting me enjoy the view year-round. What’s the right number for you and your patch management strategy to meet your goals?