Microsoft originally created Patch Tuesday to solve problems for IT security. So why do so many of us approach it with a sense of dread?
But here’s a more important question: Why, in the year 2021, are we all scrambling once a month, racing against the clock, to update as much as possible as fast as possible? Isn’t there some way to make patching easier?
What Is Patch Tuesday?
Launched by Microsoft way back in 2003, what most of us know as Patch Tuesday is technically called Update Tuesday. The idea, however, has remained the same since the very beginning.
According to Tech Republic, Patch Tuesday, which always falls on the second Tuesday of every month, was initiated “to keep administrators from having to scramble to deal with updates released on an unpredictable schedule.”
Because time is money, the goal of Patch Tuesday ultimately included saving money both for Microsoft and for its end users by creating a single release date for Common Vulnerabilities and Exposures (CVEs) together with their fixes or workarounds. Each CVE entry also carries useful information such as the vulnerability's severity on Microsoft's standard scale of Low, Moderate, Important, and Critical. Microsoft also rates each vulnerability by how likely it is to be exploited.
Cybersecurity platform Rapid7 reports that a typical Patch Tuesday includes about 50–90 vulnerabilities, although 2020 ran much higher. That was especially true on Tuesday, April 14, 2020, when, as technology journalist Robert Lemos writes, Microsoft's Patch Tuesday combined with a slew of patches from third-party vendors left administrators with patches for a total of 567 security flaws in a single day.
Arriving just as COVID-19 was emerging, a deluge of patches on this scale created a serious challenge for security teams and highlighted that many organizations have outgrown the Patch Tuesday model.
The Downside of Patch Tuesday
The original insights behind Patch Tuesday certainly still hold true: Patching on a schedule can save time and effort. And Microsoft’s clockwork release schedule certainly underscores the importance of patching as the core of every organization’s security infrastructure.
Most companies still acknowledge Patch Tuesday and use it to trigger their monthly patching update cycle. However, even though all organizations must deal with patching as part of their security and IT operations, many IT and system administrators struggle with getting everything done every time Patch Tuesday rolls around, leading to that familiar sense of dread. And there are a few good reasons why they feel this way:
- “Exploit Wednesday.” Security teams aren’t the only ones receiving notification of newly discovered vulnerabilities on Patch Tuesday—hackers do, too. And the faster they are to exploit these weaknesses before they’re patched, the greater their chance of scoring big.
- “Uninstall Thursday.” It’s a well-known truth that patches break things. An article in CSO Online comments wryly, “No one gets a raise for crashing a server even if it was due to installing a security patch.” They also suggest that you “[h]ave a good plan to back out of the patches in case one of them causes big problems.” If you deploy a patch right away on Patch Tuesday, Thursday is the day your IT team will be scrambling to roll back the patch once they realize it’s broken something critical.
- Finally, some organizations have simply grown too large to patch everything on a rigid “one-Tuesday-a-month” model. Enterprises, in particular, have a hard time recognizing that they’ve outgrown the Patch Tuesday model because it’s become so central to the IT security mindset. But without good automation tools to help their team perform at scale, they simply can’t keep up.
Sure, bulletins from Microsoft’s Security Response Center (MSRC) can help by explaining where the vulnerabilities lie and what work processes might be affected by the patch. But even if you do this “homework,” there might still be unforeseen problems—problems that, again, escalate to become a nightmare at enterprise scale.
But even for small and medium-sized organizations, Patch Tuesday can be a lot of work. So, let’s look at some ways to minimize the work involved and come out on top of your patching cycle.
Patch Tuesday Best Practices
Based on nearly 20 years of Patch Tuesday, here are a few basic lessons that can help make the day manageable when it rolls around each month:
- Save work by checking MSRC bulletins carefully to see which, if any, of your systems and software are affected.
- Wait a week or two before rolling out a patch—assuming there are no in-the-wild exploits reported—to be sure it won’t cause problems.
- Speed up patch rollouts using Windows Server Update Services (WSUS) and Group Policy Objects (GPOs), but be aware that this may come with a loss of granular control.
- Apply patches at a time when your organization is the least busy, usually over a weekend.
- Automate patching via custom scripts (however, be aware that these can also introduce other problems).
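The checklist above amounts to a triage policy: check the bulletin against what you actually run, expedite anything already exploited in the wild, let everything else soak before a quiet install window. As an added illustration (not code from this article or from JetPatch), the Python below encodes that policy. The update records, CVE identifiers, host names and product lists are constructed for the example, and the 14-day soak period and the Saturday maintenance window are assumptions, not rules from the page.

```python
"""Patch Tuesday triage sketch (added example, not the article's or JetPatch's code).

Inputs: a list of bulletin entries and a host inventory. Output: for each
entry, whether to skip it, expedite it, or defer it, and the install date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Microsoft's severity scale, lowest to highest.
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


@dataclass(frozen=True)
class Update:
    """One entry from the monthly bulletin (a simplification of the real fields)."""
    cve: str                   # placeholder identifiers below, not real CVEs
    severity: str              # one of SEVERITY_RANK
    exploited: bool            # exploitation already reported in the wild
    products: FrozenSet[str]   # affected products named in the bulletin


@dataclass(frozen=True)
class Decision:
    cve: str
    action: str                # "expedite", "defer" or "skip"
    install_on: Optional[date]
    hosts: Tuple[str, ...]     # inventory hosts that run an affected product


def second_tuesday(year: int, month: int) -> date:
    """Patch Tuesday is the second Tuesday of the month (date.weekday(): Tue == 1)."""
    first = date(year, month, 1)
    return first + timedelta(days=(1 - first.weekday()) % 7 + 7)


def next_maintenance_window(not_before: date) -> date:
    """First Saturday on or after the given day: the quiet weekend slot the
    article recommends (choosing Saturday is an assumption of this example)."""
    return not_before + timedelta(days=(5 - not_before.weekday()) % 7)


def triage(updates: List[Update], inventory: Dict[str, Set[str]],
           release: date, soak_days: int = 14) -> List[Decision]:
    """Apply the checklist:
    - skip updates that touch nothing in the inventory (read the bulletin first);
    - exploited-in-the-wild updates go out at the next window whatever their severity;
    - everything else waits out a soak period, then takes the next window.
    Output is ordered most severe first so a reviewer sees the worst at the top."""
    decisions: List[Decision] = []
    ordered = sorted(updates, key=lambda u: (-SEVERITY_RANK[u.severity], u.cve))
    for u in ordered:
        hosts = tuple(sorted(h for h, prods in inventory.items() if prods & u.products))
        if not hosts:
            decisions.append(Decision(u.cve, "skip", None, ()))
        elif u.exploited:
            # No waiting for "Exploit Wednesday": first window after release.
            decisions.append(Decision(u.cve, "expedite", next_maintenance_window(release), hosts))
        else:
            # Let early adopters hit "Uninstall Thursday" before we install.
            soak_until = release + timedelta(days=soak_days)
            decisions.append(Decision(u.cve, "defer", next_maintenance_window(soak_until), hosts))
    return decisions


# Constructed sample bulletin and inventory (placeholder CVE ids, made-up hosts).
SAMPLE_UPDATES = [
    Update("CVE-PLACEHOLDER-1", "Critical", False, frozenset({"Windows Server 2019"})),
    Update("CVE-PLACEHOLDER-2", "Moderate", True, frozenset({"Exchange Server"})),
    Update("CVE-PLACEHOLDER-3", "Important", False, frozenset({"SharePoint Server"})),
]
SAMPLE_INVENTORY: Dict[str, Set[str]] = {
    "dc01": {"Windows Server 2019"},
    "mail01": {"Windows Server 2019", "Exchange Server"},
    "web01": {"Windows Server 2016"},
}


def run_example() -> List[Decision]:
    """Triage the sample bulletin as released on Patch Tuesday, April 2020."""
    return triage(SAMPLE_UPDATES, SAMPLE_INVENTORY, second_tuesday(2020, 4))


if __name__ == "__main__":
    for d in run_example():
        print(f"{d.cve:<20} {d.action:<9} {d.install_on or '-':<12} {', '.join(d.hosts) or '-'}")
```

Note what the sample shows: the exploited Moderate-rated update is scheduled before the unexploited Critical one, because an in-the-wild exploit is the one condition the checklist says should cancel the waiting period; the SharePoint fix is dropped from the plan entirely because nothing in the inventory runs it.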
The absolute best way to save work and headaches surrounding Patch Tuesday is by implementing automation to speed up the process wherever possible. Today, tools like JetPatch can take care of this step for you, making patching far simpler not just on Patch Tuesday, but every day of the month.
Make Patch Tuesday Easy
The original inspiration behind Patch Tuesday came from the idea that IT teams would be manually installing patches.
But over the years, as organizations have expanded to a huge and unpredictable range of devices, both on-premises and in the cloud, it's become clear that the more automation you can introduce, and the less your organization relies on employees rolling out patches by hand, the better.
What’s the ideal? Eventually, a “zero-touch” Patch Tuesday may actually be a reality. Your systems will download their own patches, pre-test them to determine that they won’t harm mission-critical processes, then roll out the patches, and send you an all-clear—or roll back and flag you in the rare event that something went wrong. At least, that’s the dream.
Until that dream becomes a reality, JetPatch has your back, every single Patch Tuesday. JetPatch is a modern patch management solution designed for your complex environment.
JetPatch offers you benefits like…
- Intelligent prediction to avoid errors and downtime
- Patching automation across your entire environment to cut patch time to a minimum
- Clear single-dashboard visibility that flags your most urgent vulnerabilities so you can remediate them fast
Patch Tuesday is coming, but you don’t have to dread it this time around… get JetPatch working for you instead. Talk to us!