IT pros are feeling anxious about third-party patching in today’s volatile threat landscape. In an ideal scenario, every application on every endpoint would have all the security patches applied as soon as available. Even then, you’d still have to account for functional updates as well. In reality, you prioritize intelligently and work as efficiently as you can. In this blog, I’ll summarize some tips and tricks experts shared in Adaptiva’s recent ConfigMgr Third-Party Patching Roundtable Webinar.
Some of the world’s leading voices on the topic joined the discussion, including: MVP Anoop C. Nair; MVP Harjit Dhaliwal; Bob Kelly, Director, Flexera; and MVP Andy Malone.
Anoop: ConfigMgr Third-Party Overview
Microsoft has all but eliminated the older System Center Updates Publisher (SCUP). While SCUP is still available, Anoop recommends using a newer technology. With ConfigMgr 1806, Microsoft introduced the ability to do third-party patching without installing SCUP. See what’s new in this overview diagram.
Anoop also provided a great explanation of how to enable third-party patching in ConfigMgr. You may be able to get what you need from the diagram below. If not, you can watch the webinar on demand.
Harjit reminded the audience that there can be more to application updating than just applying patches. ConfigMgr allows you upgrade or replace existing applications by using a supersedence relationship. You can optionally specify a new deployment type to replace the deployment type of the superseded application.
Bob: Patching Prioritization
Bob talked about the importance of prioritization. There just are not enough hours in the day to keep up with new application requests, functional updates, and security updates. It’s too much to track and and too many decisions points. For that reason, companies often just focus on popular applications.
That’s a major danger, because the top vendors account for only about half of software vulnerabilities.
Bob suggests instead looking a number factors, starting with threat intelligence. It’s not enough to know which applications are vulnerable. You really need to know which of those vulnerabilities are being exploited in the real world. He breaks patching down to four main factors: threat, criticality, prevalence, and asset sensitivity.
Andy: Application Security Vulnerability Patching
Any had some very specific advice for thinking strategically:
- Adapt your organization’s security policy to keep up with changing technologies. It should be a living, breathing document.
- Ensure you have “best bractice” cybersecurity procedures in place.
- Identity and prioritize your key assets in terms of risk.
- Have a solid security awareness program for your staff.
- Establish a solid incident response plan.
- Start looking at security from an assumed breach standpoint. You’ll see security in a very different way.
- Have a verification process for 3rd party updates / supply chain attacks
He also implored the online audience to know their tech, which is not as simple as some people might think! He offered several suggestions.
If you’d like to learn more, there’s an easy solution. Watch the webinar on demand and review the full slide deck as well.