Patch management has always been time-consuming and arduous. But it gets done, at least to some degree, simply because patching is so crucial to a robust cybersecurity posture. Patch programs are rarely perfect though, and imperfect patching arguably enables successful cybersecurity breaches – it’s an ever-growing concern for countless IT teams.
Related: MSSPs shift to deeper help
Managed Security Service Providers (MSSPs) do their best to patch their client’s systems while also juggling a long list of other tasks associated with developing, monitoring, and maintaining their client’s overall security and compliance program.
The resources an MSSP can dedicate to patching are, however, limited: MSSPs operate within a fixed client servicing budget, and no client will accept being billed whenever a vulnerability needs to be patched.
To patch or not to patch?
It poses a huge conundrum for MSSPs: patching everything everywhere sounds like a great idea because, after all, a single failure to patch can lead to a breach. Thorough patching means secure client systems. But patching that thoroughly isn’t economical. Some vulnerabilities are more critical – and some systems are more central to operations than others.
There is a balance to strike, but choosing where to prioritize is a tough call. Absent a game-changing technology the best solution would be to simply throw more resources at the patching problem, but that would drive up costs for MSSPs which could lead them to become uncompetitive.
There’s another problem that makes consistent patching tough to achieve: pushback from the client. Patching disrupts user workflows, causing frustration and impacting productivity. After all, patching commonly requires that the MSSP takes a service offline, restarting to apply the patch.
Jackson
A competently managed patching process should lead to no more than performance degradation, but manage patching poorly and it means downtime and big chunks of potential revenue loss. Companies need to plan for these disruptions which makes for a complex conversation between MSSP and their client.
Again, there’s a trade-off. Patching more can translate into more disruption, but patching less means taking a larger risk. The net effect is often less patching because MSSPs may judge that preserving the client relationship matters more than closing just one more vulnerability.
Enter live patching
Clearly, the patching conundrum needs a solution. Patching automation helps, and so does a sophisticated patch management program. But neither negates the labor hours involved in patching nor do these methods eliminate the disruption. Someone still needs to double-check that a restarted system goes back online correctly, and downtime must be managed (or tolerated).
There is a cybersecurity approach that changes the game. It’s called live patching, a patching method that applies updates to a running software system, typically an operating system or a kernel, without requiring reboots.
When MSSPs implement live patching it enables continuous system operation, particularly useful for critical systems and servers where uptime matters – but of value everywhere because it reduces the staff-hour workload and virtually eliminates disruption.
Several vendors developed live patching solutions. For Linux systems that includes Ksplice, offered by Oracle, which live patches Oracle Linux and a few other Linux distributions. Canonical offers Livepatch, compatible with Ubuntu.
IBM offers a live patching solution called Kernel Live Patching for IBM Z and LinuxONE systems. Microsoft introduced Azure Hotpatching which allows Azure users to apply security updates to their virtual machines (VMs) with zero downtime.
Integrated toolsets
Vendor solutions are, however, often tied to expensive support contracts and commonly compatible with just the vendor’s product. Third-party providers can sometimes offer a better package. For example, TuxCare’s KernelCare product covers the most commonly-used enterprise Linux distributions – while also delivering live patching across open-source databases, libraries, and virtual environments.
The best live patching tools integrate with vulnerability scanners and other automation tools to speed up the security and compliance process. MSSPs can therefore efficiently identify, prioritize, and remediate vulnerabilities all through a centralized platform.
This integration allows MSSPs to patch consistently, reducing the compromises inherent to patching programs so that clients can readily meet standards such as NIST 800-53 and PCI DSS. MSSPs also worry less about costs and maintain excellent client relationships because live patching removes friction.
By including live patching in the process, MSSPs minimize disruption and ensure the needed security updates are applied promptly and consistently. Thanks to the time saved, MSSPs can now allocate more resources to other aspects of cybersecurity.
About the essayist: Jim Jackson serves as President and Chief Revenue Officer at TuxCare.
Guest expert: Rami Sass, CEO, Mend
