Patching is an incredibly important service that MSPs provide to their clients. In fact, it can even be used as a differentiator between your services and your competition's. Practicing smart patching procedures will make you a more effective services provider and add value to your clients. Conversely, ignoring these best practices can lead to a number of issues.
On this episode of MSPradio, we chat with Joel Kennedy, Director of Technical Account Management at Continuum and Shauna Peters, Technical Account Manager at Continuum, to discuss patching best practices and how MSPs can use them to improve their overall quality of service to their clients.
Tune in this week and subscribe to our podcast on iTunes.
Nate: All right welcome back folks to another episode of MSP Radio. I am your host Nate Teplow. We’ve got an awesome episode lined up for you here today. We are going to get a little bit more technical on this episode, we’re going to talk about patching.
Before we get into it, I’ve got to give you the normal drill. Subscribe to our podcast on iTunes. If you search for MSP Radio in the iTunes store, you can subscribe there and get episodes straight to your iTunes account. Also for Android users, we are available via the Stitcher App so you can search for that on the Android marketplace.
Also follow us on Twitter, follow the handle at follow Continuum. We push out a lot of Continuum through there so we would love to see you all on Twitter.
So as I mentioned today, we’re going to be talking about patching and some patching best practices, how MSPs can be using it to better their business and really provide the best overall solutions to their clients.
So I am joined here by Joel Kennedy who is the assistant director of technical account management here at Continuum as well as Shauna Peters who is the technical account manager here at Continuum also. So Shauna and Joel, welcome to MSP Radio!
Shauna: Thank you.
Nate: So Shauna and Joel are visiting our Boston office. I had to sit down with them and talk about this. They are incredibly knowledgeable and they worked very closely with our partners to help them develop the best overall technical solutions that they can for their clients. So this episode I wanted to focus on patching and talk about some best practices for our partners, for other MSPs out there on patching. So maybe Joel you can kick this off. Why is patching so important and what are some characteristics of a strong patching procedure?
Joel: Patching is important primarily for security reasons. As security vulnerabilities are found, Microsoft will release patches. Anyone who is going to any type of security audit will be required to show reports, to show that the machines that they are managing are patched and up-to-date and that those security vulnerabilities have been closed.
Some of the characteristics of a strong patching procedure: flexible patch policies and especially testing, white and black listing of the patches that are going to be deployed. Sometimes Microsoft will, say, perhaps rush getting a patch out and it can cause problems, especially as it interacts with other third-party applications, and it’s really important to find out those things before you deploy the patch and reboot a machine that does not come back up.
Nate: Yeah, so you can’t just push a patch every time up, there’s an updated patch, let’s get it out there. You want to actually test it and think about it before actually applying it to your clients’ devices?
Joel: Very important.
Nate: Yeah, cool, cool. So Shauna, I will direct this question to you. Give me some do’s and don’ts on MSPs; some things that I should be doing when it comes to my patching and some things that I shouldn’t be doing when it comes to my patching.
Shauna: I would say, well, A, you want to use the Continuum patching [inaudible 03:44]. You do want to create your own policies for your client’s needs. You do want to establish the regular maintenance window for patching, and also you want to test those patches before deploying them. And some don’ts: I would say don’t assume you hear about the issues before they are a problem. So you definitely want to have those patching preset and that maintenance time.
Don’t assume that your machine is always patched. You need to double check and verify that by using our reports on our patching. And you don’t use, want to use a solution that only patches the operating system like ours, it will patch across the body of tools and other options.
Nate: So how often should I be looking at patching? I mean you mentioned about visiting the reports and obviously Microsoft and Windows, everyone patches constantly and run programs. How often should I be checking for these and trying to keep them up-to-date?
Joel: We roll patches out throughout the week. It’s a good idea for an MSP to check their patches page about once a week and any patches that are failed, they can then assign those back and our NOC engineers will actually log on to those computers and fix those patch deployment failures; that’s a great value added that Continuum brings to the table.
Nate: Cool. And would you guys recommend doing… I mean assuming that you are looking at these patches and testing them and validating them before you push them. Should you push them to every client all at once or should you kind of focus on a per client basis?
Shauna: I would suggest focusing on a per client basis. You really need to sit down and talk with your client, tell them, “We need to do this patching,” and why it’s important with security risks out there and all those vulnerabilities. And then sit with them to see are they an 8 to 5? Are they a 24/7 type of client? And make that determination with them and then set your patch policies to that.
Nate: Okay, cool. Are there certain… Did you want to add something, Joel?
Joel: I do. Reboots are important. We can deploy the patches through the Continuum portal whenever you like and you can schedule those reboots then. It’s really helpful to have that 24-hour patch deployment window; you don’t have to worry about trying to deploy after hours when machines are turned off. We used to see a lot of failures at night and we had a patching window from midnight to 6 AM when the machine was never on, it would never get patched.
We’ve gotten around that with our latest updates to patching and being able to deploy those whenever and then reboots can be scheduled whenever it is convenient for the end client.
Nate: Okay, cool, that’s really good to know and sounds useful. You want to be able to provide that coverage at any time.
So, tell me about some of the industries that this is the biggest topic for. I mean are there certain verticals that MSPs are servicing that patching is a hot topic for?
Shauna: I would say that the healthcare industry is the large one. They especially have a hard time with the reboot just as Joel mentioned, with how you can set that up, off hours maintenance. And another industry would probably be school districts which is another large one.
Nate: Why are school districts so… I mean I understand healthcare and obviously there are big privacy and security issues there but what about school? Is it universities? Is it public schools or just education as a whole?
Shauna: I would say education as a whole. I mean it’s very important to have all your devices up to date so if you are in college and you haven’t done it from University then that needs to be updated. It’s not just the desktop, laptop; it goes outside of that and deals with all types of electronics.
Joel: And a few other verticals to that as well, legal, clearly you want to have security. You want your employer to have a secure network and to keep your confidential files secure. And then also retail.
PCI compliance is very important and patching is a big part of that. If you have credit card numbers stored on a computer, you want it to be safe.
Nate: Yeah absolutely. That’s obviously been a news story that’s come up time and time again especially in the past year or so. So where do you see most MSPs falling short when it comes to their patching procedures and what they are doing when they are issuing patches?
Joel: Sure. An MSP that’s using a platform other than Continuum has the option just to deploy the patches that Microsoft releases or not. They can probably select which categories to deploy.
But what they are not getting is testing of security patches. When Microsoft releases patches, we take a few weeks to install them on a test bed, look at the different operating systems, we read a whole host of forums and we determine whether to whitelist or blacklist those security patches. We will even continually blacklist patches that will interfere with some piece of software that may be installed.
If you’re not using a platform that does that testing, then you really are setting yourself up with a big risk because those machines may not reboot.
Nate: Yeah. And are there other platforms out there doing that or is that a unique offering to Continuum?
Joel: That is unique to Continuum. We have the service part now. We’re not just the software platform, we have service and a big part of the service is that testing of patches that we do.
Nate: Cool. And who is testing that for Continuum? Is that your technical account team? Is it the NOC? Who on the team is responsible for that?
Joel: It’s the preventative maintenance team and the NOC.
Nate: Cool, and they are checking every single patch that is released?
Joel: They are checking security patches.
Nate: All right, so we are coming up on our commercial break here. Joel, give me one more best practice that every MSP should be doing when it comes to patching.
Joel: I would say that they should be using the Gateway agent. We have, we offer a piece of software that can be installed on a server on site and it will cache those updates and that prevents each computer from actually going up on the Internet and downloading them individually; it saves a lot of bandwidth if we can just grab those patches locally from the network.
Nate: Cool, that’s good to know. Is that something that is offered across all RMM platforms or is that something unique to Continuum?
Joel: Microsoft has the WSUS which is used by a lot of enterprises. But the gateway is nice because it is integrated into the portal when you have that single pane of glass that our partners are looking for, that one place to manage everything from.
Nate: Cool. That’s good to know. We’ve got to take a quick commercial break here. Coming up next we are going to continue talking about patching with Joel and Shauna and they’re going to tell you a little bit more about some enterprise best practices and what some other companies are doing when it comes to their patching procedures.
By Gretchen Hoffman