How Do You Measure the Success of Your Patch Management Efforts?

If you follow the news, you will regularly see that yet another company has been breached or hit by ransomware. Read the full details of these stories and they usually have one thing in common: the organization was behind on patching. The question that arises, then, is why?


There are two sides to this story: a technical one and a procedural one. Let's look at the procedural side first. In general, patches, with the exception of emergency patches, are installed only during a scheduled maintenance window, so that business continuity is not interrupted. This raises the first issue: how do you determine which patches qualify as emergency patches?


Threat intelligence feeds are a huge help here. If a rapidly emerging threat, for example a vulnerability reported as being actively exploited, can be prevented by installing a specific patch, that is a valid justification for invoking the emergency patch procedure instead of waiting for the next maintenance window.


Do You Know Your Mean Time to Patch?


If a patch is not considered to be an emergency patch, it is generally scheduled for the next maintenance period. According to various researchers, the average mean time to patch (MTTP) is between 60 and 150 days. There are many valid reasons for delaying the installation of a patch, which should be governed by a risk management process. However, is creating a monitoring use case in a measure success patch management efforts