Rapid Application Patching with Application Manager
Previous posts on our blog have emphasized the critical role of third-party application patching in cybersecurity. The stark reality is that unpatched vulnerabilities are now the primary culprit in most security breaches. As hard as IT departments try to keep up with patching, third-party applications are often pushed to the wayside while OS updates take priority, which has made third-party application vulnerabilities a core target for cyber criminals. Without a tool in place to automatically monitor for and deploy new patches, many IT teams are quickly overwhelmed by the scale of the challenge.
What is Rapid Patching?
Rapid patching is an approach to patching in which the security of the organization takes top priority. With a rapid patching approach, teams ditch the pilot, test, and production group model in favor of pushing application updates straight to production as soon as they become available. Rapid patching prioritizes swift action over lengthy testing cycles, weighing the risk of a patch-related issue against the more immediate threat of a cyber-attack.
This may sound like a scary proposition, as we all know that new updates aren’t always perfect, but the fallout from one buggy patch going out is far less devastating than a threat actor exploiting a vulnerability in an application in your environment.
Why is Rapid Patching so Important?
As mentioned above, it all comes down to the organization’s security. It used to be that phishing attacks were the biggest concern for security departments; that is quickly being replaced by unpatched software. About 60% of breaches today are linked to unpatched vulnerabilities, and a 2022 Adaptiva + Ponemon Institute report found patching to be the greatest endpoint management difficulty for IT teams. Threat actors can now identify and exploit application vulnerabilities so quickly that teams must adjust their patching practices or face a high likelihood of becoming a victim. If you want to read more about the importance of taking a swift approach to patching, check out our recent blog post on the subject.
How Application Manager Enables the Early Adoption of Rapid Patching
Let’s look at how teams can take a more rapid approach to patching with Application Manager, one of Recast Software’s third-party application patching solutions. For demonstration purposes, I will show how to set up a deployment process for Intune, but Application Manager also covers ConfigMgr.
Note: The deployment process setup for ConfigMgr differs from the Intune setup demonstrated below. For details on how to set up a deployment process in Application Manager for MECM, please see this documentation page.
Assuming you have already added the application that you want to patch, let’s set up a deployment process so that this application gets patched as soon as possible. I will use Adobe Acrobat Reader for this example.
A Step-by-Step Guide to Setting Up Automated Patching with Application Manager
- Accessing the Deployment Processes page:
  - Navigate to the Application Manager portal.
  - Select ‘Services’, then ‘Application Manager for Intune’ (or your specific environment).
  - Go to ‘Administration’ and choose ‘Deployment Processes’.
- Creating a new deployment process:
  - Click the “+New deployment process” button, located at the top left.
  - Enter a name for your process, such as “Rapid Patching”, in the pop-up box.
  - Click ‘Add’ to confirm.
- Selecting applications for rapid patching:
  - Find your newly created deployment process in the list and select it.
  - On the right, choose the applications to include in this process.
  - For example, add Adobe Acrobat Reader as a test application for rapid patching.

  Note: Adobe Acrobat Reader is a good application for testing the rapid-patching waters in your environment. If you run into issues with a patch for Acrobat Reader, it is unlikely to cause a significant work stoppage.

- Setting up a deployment:
  - Switch to the ‘Deployments’ tab.
  - Click to add a new deployment.
  - Select a group for deployment. For demonstration, I’ve used “All Devices”, but tailor it to your specific needs.
- Modifying deployment settings:
  - Set the install intent, e.g. to ‘Required’ for mandatory installation.
  - Optionally configure email notifications and restart behavior.
- Configuring the schedule:
  - In the ‘Scheduling’ section, set the availability and installation deadlines to ‘As soon as possible’.
  - From now on, as soon as a vendor releases an update, Application Manager will package and deploy it promptly. Rapid patching is a reality.
- Finalizing the process:
  - Click the blue “Add” button to complete the setup.
  - Application Manager will now automatically manage the deployment of updates according to the rapid patching strategy.
That’s it!
This paradigm shift can certainly feel scary. You will not have a pilot group, and apps will go out at breakneck speed. However, you will also automatically stay ahead of potential threats. I would be a fool to claim that there won’t ever be hiccups with this approach, but also know that the Recast Software team takes pride in our application packaging and fully tests our packages before they make their way to your environment.
Onboarding Fast, Automated Patching
On balance, this approach is surely not for everyone. For one, some organizations have written policies that explicitly lay out their deployment processes, and there isn’t much wiggle room; norms and policies would need to shift. Additionally, some industries are better suited to rapid patching than others, and those that mandate 100% uptime for core applications must add checks and balances to the patch deployment process.
For teams able to consider the rapid patching method, diving into the deep end is not advised. Instead, dip your toes in and push forward with one or two low-risk applications. Monitor the results as you go, reporting to all relevant parties.
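One concrete way to do that monitoring is to confirm, on each endpoint, that the rapid-patched application actually reached the version the vendor just released. The script below is an added example written for this post; it is not Application Manager code and does not use its API. It reads the standard Windows uninstall registry keys, which is how most installed applications advertise their name and version, and compares the Adobe Acrobat Reader version found there against a minimum version you pass in (for example, the version Application Manager has just packaged). The uninstall-key paths are real Windows locations; the `Adobe Acrobat*` display-name pattern is an assumption, since Reader has shipped under slightly different display names over the years, so adjust it to what your inventory shows.

```powershell
# Added example (not Application Manager's own code): report whether this endpoint has
# received the Adobe Acrobat Reader release that a rapid-patching deployment just pushed.
# Assumption: the expected version comes from the vendor's release notes or from the
# Application Manager portal and is supplied as -MinimumVersion.
param(
    [Parameter(Mandatory = $true)]
    [string]$MinimumVersion,                          # e.g. '23.006.20320'
    [string]$DisplayNamePattern = 'Adobe Acrobat*'    # assumed DisplayName used by the installer
)

# Installed applications register under one of these two hives (64-bit and 32-bit);
# Reader has been shipped as both, so query both.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $DisplayNamePattern -and $_.DisplayVersion } |
    Select-Object DisplayName, DisplayVersion

if (-not $installed) {
    # Nothing matched: either the app is absent or the pattern needs adjusting.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Product  = $DisplayNamePattern
        Version  = $null
        Status   = 'NotInstalled'
    }
    return
}

# Adobe version strings such as 23.006.20320 parse cleanly as [version] (Major.Minor.Build),
# which gives a numeric comparison instead of a string comparison.
$expected = [version]$MinimumVersion

foreach ($app in $installed) {
    $current = $app.DisplayVersion -as [version]
    $status = if ($null -eq $current) {
        'UnknownVersion'               # DisplayVersion was not a parsable version string
    } elseif ($current -ge $expected) {
        'Compliant'                    # patch has landed on this endpoint
    } else {
        'Outdated'                     # still waiting on the deployment, or it failed
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Product  = $app.DisplayName
        Version  = $app.DisplayVersion
        Status   = $status
    }
}
```

Run it locally with `.\Check-ReaderVersion.ps1 -MinimumVersion '23.006.20320'` (file name and version are placeholders), or push it to the pilot devices through Intune or ConfigMgr as a script and collect the objects it emits. A handful of `Outdated` results a day or two after release is the early signal that a deployment process is not behaving as configured, which is exactly what you want to catch while the rapid patching pilot is still limited to one or two low-risk applications.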
Ultimately, the faster teams can patch their vulnerabilities, the fewer breaches they will see as a result.