mattrjohnson
Viewer

Question on Patch Management Controls

Greetings – I have been attempting to work with an outsourced managed service provider regarding maintaining and updating our computing environment. 

 

Our managed service provider has taken a firm position that a reduction in vulnerabilities indicates successful patching.  The vendor claims measuring the effectiveness of patch management and patch compliance should be evaluated using a vulnerability scanner (e.g. Qualys).  Using vulnerability information as a patch management control goes against professional guidance and experience I am familiar with, where patch and vulnerability management controls are in separate domains by design.

 

There is also debate going on where our vendor states they are responsible for deploying the patch management tool, but are not responsible for actively managing machines failing to patch or bringing such issues to our management's attention.

 

Any insights from the community would be appreciated.

 

Regards,

Matt

5 Replies
csjohnng
Community Champion

Let's break this down into 2 questions here.

 

1) Without an outsourcing arrangement, how does your current company measure patching effectiveness in the first place? What is the KPI? Once you have that you might be able to benchmark with the outsourced vendor or decide which is a more "acceptable" approach.

 

2) The vendor states they are responsible only for deploying the patch management tools. I guess this is a no-brainer, because testing the patch itself involves a lot of work and coordination with the application and the application testing cycle to see if the patch has any adverse effect on the applications running on top.

This means they are only responsible for the lifecycle and use of the patch management tools themselves, but not the full patching cycle (including testing and operation).

I guess you will have a long way to go in discussion and negotiation with your vendor to fill the gap in a way both parties are comfortable with.

John
tmekelburg1
Community Champion


@mattrjohnson wrote:

Using vulnerability information as a patch management control goes against professional guidance and experience I am familiar with, where patch and vulnerability management controls are in separate domains by design.

Not different domains. The Patch Management Program fits inside of the Vulnerability Management Program. These links explain them well.

 

Vulnerability Management Program Basics: A Getting-Started Guide (rapid7.com)

What is Patch Management? Benefits & Best Practices | Rapid7

dcontesti
Community Champion

 

I agree with Tony ( @tmekelburg1 ) that patch management and vulnerability management are in one domain, but I am concerned about the statement:

 

There is also debate going on where our vendor states they are responsible for deploying the patch management tool, but are not responsible for actively managing machines failing to patch or bringing such issues to our management's attention.

 

I am concerned that they would NOT provide something to management on unpatched systems.  I would think this would be a key finding and necessary to report.

 

At a very minimum, I would expect them to produce a listing of un-remediated machines such that someone is able to track down why they are not patched (are they out of service, etc.).

 

IMHO, without understanding which computers are not patched, you could have a lurking bomb on the network, so I would definitely stand my ground on this one.

 

d

 

Cees
Newcomer II

Totally agree. This means that they run patch automation. 90% is successfully patched and 10% fails. If they do not follow up, who is following up on this 10%?
mattrjohnson
Viewer

@tmekelburg1 @dcontesti @Cees @csjohnng 

 

Really appreciate everyone's responses. 

 

I do believe there needs to be separation of duties between the parties managing patching and the parties managing vulnerabilities; maybe not separate domains, but duties should be separated.  

 

Regarding the situation described, it is totally messed up (factors below), and fortunately my Board of Directors agrees with my concern and does not want to accept the risk.

  • I found a computer last updated Aug. 2020, reflected as a status of "Fully Patched" on a July 2021 report from the vendor.
  • The vendor has not been providing a listing of unpatched systems or items requiring management attention.
  • The vulnerability scans the vendor claims are to monitor patch management controls reflect something we pay a separate vendor to conduct (e.g. vendor managing the patches is not able to determine if their patching is effective).
  • Our agreement is for the vendor to apply critical patches within 30 days of release.  Since they are not monitoring or managing timely application of patches, it is not possible for them to know if this is achieved.

Needless to say, with great support from our governance team, I am going to be empowered to find a solution to mitigate risk.
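As an added example that is not part of this thread or any vendor's tooling: a small Python reconciliation of a constructed vendor patch report against independent last-patch dates and the 30-day critical-patch SLA from Matt's agreement, producing the listing of un-remediated machines that d asks for and the failed share that Cees mentions. Host names, patch identifiers, dates and the 45-day staleness threshold are all assumed.

```python
from datetime import date

# Constructed sample data standing in for a vendor's monthly patch report (not real hosts or patches).
REPORT_DATE = date(2021, 7, 15)
SLA_DAYS = 30      # the agreement in the thread: critical patches applied within 30 days of release
STALE_DAYS = 45    # assumed threshold: "Fully Patched" with no patch activity for 45 days is suspect

VENDOR_REPORT = [
    {"host": "ws-001",  "vendor_status": "Fully Patched", "last_patched": date(2021, 7, 10), "missing_critical": []},
    {"host": "ws-002",  "vendor_status": "Fully Patched", "last_patched": date(2020, 8, 14), "missing_critical": ["CRIT-A"]},
    {"host": "srv-003", "vendor_status": "Failed",        "last_patched": date(2021, 5, 1),  "missing_critical": ["CRIT-B"]},
    {"host": "srv-004", "vendor_status": "Fully Patched", "last_patched": date(2021, 7, 12), "missing_critical": ["CRIT-C"]},
]
# Constructed release dates for the placeholder critical patch identifiers above.
CRITICAL_RELEASES = {"CRIT-A": date(2021, 3, 9), "CRIT-B": date(2021, 6, 8), "CRIT-C": date(2021, 7, 13)}


def stale_but_reported_patched(report, as_of=REPORT_DATE, stale_days=STALE_DAYS):
    """Hosts the vendor marks 'Fully Patched' although nothing was installed for a long time."""
    return [r["host"] for r in report
            if r["vendor_status"] == "Fully Patched" and (as_of - r["last_patched"]).days > stale_days]


def sla_breaches(report, releases=CRITICAL_RELEASES, as_of=REPORT_DATE, sla_days=SLA_DAYS):
    """(host, patch, days past the SLA) for every missing critical patch older than the SLA window."""
    breaches = []
    for r in report:
        for patch in r["missing_critical"]:
            overdue = (as_of - releases[patch]).days - sla_days
            if overdue > 0:
                breaches.append((r["host"], patch, overdue))
    return breaches


def unremediated_hosts(report):
    """The listing requested in the thread: anything not provably patched, so someone can chase the reason."""
    return [r["host"] for r in report if r["vendor_status"] != "Fully Patched" or r["missing_critical"]]


def patch_success_rate(report):
    """Share of hosts that are both reported patched and actually missing no critical patch."""
    ok = sum(1 for r in report if r["vendor_status"] == "Fully Patched" and not r["missing_critical"])
    return ok / len(report)


if __name__ == "__main__":
    print("stale 'Fully Patched':", stale_but_reported_patched(VENDOR_REPORT))
    print("SLA breaches:", sla_breaches(VENDOR_REPORT))
    print("unremediated:", unremediated_hosts(VENDOR_REPORT))
    print("success rate:", patch_success_rate(VENDOR_REPORT))
```

The point of the reconciliation is that the vendor's own status column is not the control; the independent last-patched date and the missing-critical list are what show whether the 30-day agreement is being met.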