Why it’s the perfect time to reflect on your software update policy

The threat landscape is evolving by the minute, with both malicious actors and well-intentioned researchers constantly on the hunt for new attack vectors that bypass security controls and gain control of systems and applications. In fact, thousands of new vulnerabilities are reported each month. In this dynamic threat landscape, an organization’s ability to deploy software updates in a timely fashion is not just a measure of its IT efficiency, but a critical facet of maintaining a good security posture.

Historically, software updates have been an opportunity for developers to strike a balance between introducing new features and addressing known vulnerabilities. However, in the face of an increasingly nimble attacker community and an overall jump in attack sophistication, this balance has tipped towards a more urgent need for rapid security responsiveness.

Apple’s recent refinement of their update process – separating critical security patches from general updates – is a clear signal to the broader market. It’s time for all organizations to examine and potentially recalibrate their software update policies. This article delves into the why and how of this necessary introspection, aiming to provide a comprehensive guide to developing a robust software update policy fit for the modern workplace.

The signal for change: Learning from Apple

Apple’s move to decouple their most time-sensitive security patches from full-scale updates via Rapid Security Response (RSR) mechanisms is a signal that traditional update cycles are no longer sufficient.

RSRs focus on security updates that address vulnerabilities currently being exploited by threat actors. These are patches for critical security flaws that hackers have discovered and are actively using to compromise systems.

The implementation of RSRs allows organizations to address critical vulnerabilities swiftly, minimizing the window of exposure to potential exploits. This expedited response is crucial, given that the risk of exploitation often outweighs the inconvenience of rolling out more frequent updates. This new approach from a leader in technology serves as a benchmark for other organizations to reevaluate their update timelines.

So, given this renewed urgency for prioritizing security updates, how fast should businesses aim to roll out these updates? The timescale for security updates is now a strategic decision rather than a routine IT task. Prioritization is key—with a focus on devices and applications that are mission-critical or most vulnerable to disruption.

Updates should be released to high-priority devices first, often within days of availability, to mitigate risks. For other updates that are not categorized as RSRs, a 30-day window is an efficient balance that allows for adequate testing and user adaptation, ensuring business continuity while maintaining security.

Adopting a similar mindset to Apple’s RSR model will not only enhance an organization’s defense against active threats but also demonstrate a proactive security culture. It can also demonstrate an organization’s responsiveness and commitment to user security, thus increasing its credibility.

Crafting a robust software update policy: A step-by-step guide

Pre-work phase

The foundation of a sound software update policy begins with thorough pre-work. This involves setting the groundwork for delivering successful updates, creating an inventory of devices, documenting baseline configurations, and understanding the applications that are critical to business operations.

Organizations must establish baseline configurations and communicate the requisite standards to users. A comprehensive inventory of all devices used for work, including BYOD and unmanaged devices, is essential. This also encompasses documenting the end of support for devices being phased out, noting the critical business applications in use, and understanding which devices and users depend on them.

Identifying devices that are no longer receiving security updates yet access critical applications should be a priority. Similarly, sufficient staff must be allocated to the help desks to cope with increased queries during update rollouts. Organizations should also prepare a diverse group of informed early adopters and testers from across the business spectrum to ensure that feedback is timely and representative. These groups should include employees who use critical applications and work in remote or hybrid settings.

Active monitoring for new OS updates and security patches is another critical pre-work task. This ensures that the organization can react promptly when updates are released.

RSR rollout

The rollout phase is where strategic planning meets execution. IT departments must assess new updates to prioritize based on their impact on the business. Enhanced security monitoring becomes crucial here, particularly if the exploit’s mechanism is understood, allowing teams to look for indicators of compromise. Security teams should also leverage phishing logs to monitor for any changes in routine patterns, as many threat actors tend to use social engineering as the initial attack vector.

Organizations should also take a ‘slow roll’ approach at this stage, deploying updates to a small group of early adopters and devices where software interruption risks are minimal or end users have demonstrated a willingness to collaborate with IT. Monitoring for performance issues and user feedback during this soak time allows IT security teams to assess the impact before wider deployment.

Once security teams are confident that the update will not impact business operations, they can start pushing the update to the remaining devices. Throughout this entire phase, the device inventory and required update time should be closely monitored. Businesses should set a target for the number of devices updated before transitioning to standard support; aim for 90-95% or whatever the business considers appropriate given the device population and end user expectations.

Post-rollout actions

Once updates are rolled out, the focus shifts to enforcement and monitoring. Implementing conditional access policies ensures that only updated devices can access sensitive resources. Security teams should also keep a vigilant eye on security logs that were recorded during the update period, searching for signs of any breaches on devices that may have been compromised during the pre-update exposure window.

Organizations can also develop a strategic threat hunting program, leveraging insights from RSR assessments to diminish potential risks. If any devices are believed to be compromised, remove them from active use and address the security threat prior to reintegrating them into your network.

In all these stages, the management strategy shouldn’t be an afterthought, but a forethought. Utilizing device management tools and integrating security event management systems can streamline the update process and enhance security postures. Device management is particularly useful for tracking update adoption and assisting in the threat-hunting process when coupled with data from network threat prevention products.

This comprehensive approach to policy development, when rigorously followed, creates a robust framework for managing the evolving landscape of software threats. It ensures that organizations are not just reactive but proactive in their defense against cybersecurity risks.