Patch management

Patch management is concerned with the identification, acquisition, distribution, and installation of patches to systems. It is defined as a sub-practice of various disciplines including vulnerability management (part of security management), lifecycle management (with further possible sub-classification into application lifecycle management and release management), change management, and systems management. Some definitions of patch management are as a software-level practice, while others are as a systems-level process: software, drivers, and firmware.

While reserving time for patching consumes enterprise resources, there are balancing factors that can make proper patch management a net productivity boost for the organization. Up-to-date systems often perform more efficiently and less expensively, with fewer errors, fewer security risks, and better user workflow. Additionally, compliance with changing local and federal regulations is more likely to be satisfied.

Relation to security management
Patches can be used to defend against and eliminate potential vulnerabilities of a system so that no threat can exploit them; therefore, patch management can be considered a sub-discipline of vulnerability management. Every device in a system presents an attack surface that must be secured.

Challenges
There are a multitude of problems that can arise during patch management. A common issue is buggy patches, which either fail to fix their problem or introduce new issues. Another issue is deployment synchronization, since various subsystems may receive instructions to update at different times. Similarly, the difficulty of patch management across many devices may grow at an uncontrollable rate depending on organizational size.

One prominent demonstration of the challenges facing proper patch management was the buggy Falcon Sensor patch by CrowdStrike which caused one of the worst IT outages of all time.

Implementations
A patch management tool (alternatively patch manager, patch management system, patch management software, or centralized patch management) helps orchestrate all of the procedures involved in patch management. Tools can be in-house (applied locally by local administrators) or external, as with managed service providers (applied by an outside provider).

Patch management software

 * Intel Active Management Technology, used with Intel vPro technologies, has features like scheduling, upgrade verification, and remote management, and can deploy patches as part of unified endpoint management.
 * Windows Update for Business, System Center Configuration Manager, and Windows Server Update Services offer control over patch deployment, with features enabling testing, scheduling updates, and setting custom configurations on Windows platforms.

Managed service providers

 * ManageEngine Patch Manager
 * SolarWinds Patch Manager
 * Automox
 * Atera
 * Kaseya VSA

Features/Best practices

 * Defense-in-depth - All devices in the system should be included in a unified patch management solution.
 * Scheduled - Since the updating process interrupts workflow and normal operations, patching time windows should be preplanned and advertised across the organization.
 * Sandboxing - Apply any updates first to a small subset of devices to verify desired behavior.
 * Authorization decision stakeholders - The responsibility for approving and maintaining various system/device patches should be clearly delineated.
 * Scalable - Use tools to orchestrate and control across large systems.
 * Remote patch management - For systems with many devices, tools to apply patches remotely can eliminate redundant labor.
 * Contingency - There should be rollbacks available for any applied changes.
 * Risk rating - Risks should be sorted by priority, and patches should similarly receive priorities.
 * Continuous monitoring - Watch continuously for newly released updates.
 * Standardization - Establishment of a baseline, and its continuous management as changes are made.
 * Documentation - Logging should hold a robust history of past updates, scheduled updates, approved changes, and more, potentially integrated into a security information and event management system for streamlined use.
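The practices above (risk rating, scheduled windows, sandboxing on a canary subset, rollback, and an audit log) fit together as one controlled rollout. The following Python script is an added example written for this article, not code from any patch manager named here; the devices, patches, maintenance window, and the `health_check` callback are all constructed sample data, and the buggy patch `KB-BAD` is a hypothetical identifier used to show the rollback path.

```python
"""Added example: a minimal patch-rollout controller that models the
best practices listed above (risk rating, scheduled windows, canary
sandboxing, rollback, audit logging). Illustrative only; all device
and patch records are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Patch:
    patch_id: str
    severity: float          # risk rating, e.g. a CVSS base score 0.0-10.0
    description: str = ""


@dataclass
class Device:
    name: str
    ring: str                # "canary" (sandbox subset) or "production"
    installed: set = field(default_factory=set)


@dataclass
class Rollout:
    devices: list
    window: tuple            # (start, end) as datetime.time objects
    log: list = field(default_factory=list)

    def _record(self, now, patch, device, action, result):
        # Audit trail: one structured entry per action, suitable for a SIEM
        self.log.append({"time": now.isoformat(), "patch": patch.patch_id,
                         "device": device, "action": action, "result": result})

    def in_window(self, now):
        # Scheduled: only deploy inside the advertised maintenance window
        start, end = self.window
        return start <= now.time() < end

    def prioritize(self, patches):
        # Risk rating: highest-severity patches are applied first
        return sorted(patches, key=lambda p: p.severity, reverse=True)

    def deploy(self, patches, now, health_check):
        """health_check(device) -> bool. A False result on any canary after
        install triggers rollback of the canary ring and blocks production."""
        if not self.in_window(now):
            return {"deferred": [p.patch_id for p in patches]}
        outcome = {"deployed": [], "rolled_back": []}
        canaries = [d for d in self.devices if d.ring == "canary"]
        for patch in self.prioritize(patches):
            # Sandboxing: canary ring first
            for d in canaries:
                d.installed.add(patch.patch_id)
                self._record(now, patch, d.name, "install", "ok")
            # An empty canary ring counts as a failed check: never skip the sandbox
            if canaries and all(health_check(d) for d in canaries):
                for d in self.devices:
                    if d.ring != "canary":
                        d.installed.add(patch.patch_id)
                        self._record(now, patch, d.name, "install", "ok")
                outcome["deployed"].append(patch.patch_id)
            else:
                # Contingency: roll the canaries back and record why
                for d in canaries:
                    d.installed.discard(patch.patch_id)
                    self._record(now, patch, d.name, "rollback",
                                 "canary health check failed")
                outcome["rolled_back"].append(patch.patch_id)
        return outcome


def run_demo(hour=2):
    """Constructed scenario: two canaries, three production hosts, three
    patches of differing severity; KB-BAD (hypothetical) breaks the health check."""
    devices = [Device("canary-1", "canary"), Device("canary-2", "canary"),
               Device("web-1", "production"), Device("web-2", "production"),
               Device("db-1", "production")]
    patches = [Patch("KB-BAD", 7.5, "regresses the agent"),
               Patch("KB-GOOD", 9.8, "critical fix"),
               Patch("KB-LOW", 3.1, "cosmetic fix")]
    rollout = Rollout(devices, (time(2, 0), time(4, 0)))
    now = datetime(2024, 1, 1, hour, 30)            # constructed timestamp
    health_check = lambda d: "KB-BAD" not in d.installed
    return rollout.deploy(patches, now, health_check), rollout


if __name__ == "__main__":
    result, ro = run_demo()
    print(result)
    for entry in ro.log:
        print(entry)
```

The point of the structure is that production hosts can only ever receive a patch that has passed the canary ring, every install and rollback leaves a log entry, and a run outside the window does nothing but report what was deferred.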