A patchy channel

Do your own research and don't be afraid to look elsewhere when advising customers about patches and security vulnerabilities, says Verismic's Ashley Leonard

Downtime: one word to strike fear into the hearts of even the hardiest IT manager.

Avoiding downtime at pretty much all costs is the name of the game now. However, with the reliance on Microsoft products and their attendant regular security updates, some downtime will inevitably be necessary to roll out patches to keep systems secure.

The problem is that the more updates there are, the more downtime is needed to update and install patches. This can be a challenge for customers, but for IT service providers and managed services companies it can be a real headache. Invariably, your customers have a very limited window where systems can be taken offline to install patches.

This is all well and good when there are only a few patches, such as in Microsoft’s January update, but when there are a large number (generally eight or more), it can be a real challenge. Microsoft has its own rating system for its patches: critical, important, moderate, and low.

On a typical Patch Tuesday we will see a small number rated critical, and the rest are invariably rated important. Taken at face value, you'd presume you should roll out the critical patches first and work down the list.

But what may be a critical patch for one of your customers could in fact be almost unnecessary for others due to the different systems they use.

So how do you differentiate those that genuinely pose a significant threat from those that don’t? How do you make best use of the limited patch window available?

The second source

One of the key reasons for outsourcing security to MSPs is the fact that you are the expert on whom the customer relies.

Yet if you go by Microsoft’s rating alone, you aren’t actually advising your customer at all; Microsoft is.

Microsoft’s ratings have been taken as gospel for a number of years, but more recently its vulnerability reporting and remediation processes have been brought into question. That’s why you would be well advised to look for third-party analysis of Microsoft’s patches.

Following the release of each month’s Patch Tuesday updates, US-CERT releases its own independent analysis of the vulnerabilities, and there are numerous occasions where we have seen a stark difference in what Microsoft deems critical compared with US-CERT.

Be a trusted adviser

How does this relate to you, you may ask? Quite simply, there is the opportunity for you to position yourself as an authoritative figure on patch management for your customers – both in terms of making the best use of the time available, and patch prioritisation.

I am often surprised at how little is truly known by IT managers about the Patch Tuesday process.

Many times a customer will roll out patches without any real analysis of how they affect them, whether they are even necessary, or even if the patches will work – in fact, there have been numerous examples over the past year of patch updates causing the dreaded blue screen of death.

Although Microsoft is trying to keep up with the ever-increasing number of security vulnerabilities by providing a service for which everyone is thankful, it does need policing by a second source.

The “critical” is not always critical and sometimes the moderate needs urgent attention, and your customers will be looking to you to advise them on the most significant patches of the month.

Ashley Leonard is President and CEO of Verismic