Understanding the Essential Eight: Patching Best Practices

Last week, we introduced the Australian Cyber Security Centre (ACSC) Essential Eight and helped you understand what it is and why it’s important for your conversations with end clients.

The Essential Eight provides a baseline of mitigation strategies that organizations can use to protect their systems from cyber threats. This week, we’ll dive into a couple of these key strategies, specifically those around patching.

Where to Start the Patching Conversation

Start the conversation about patching with what patches are, why they are important, and why you need a dedicated maintenance window.

In nearly all cases, regardless of the source, patching is going to be your first line of defense against security threats. Ensuring clients know what patches are and why they are important will help them understand the risk they are exposing themselves to by not staying up to date. This covers both Operating System (OS) patches and third-party application patches.

Sure, they might come back and say that it’s your job to ensure patches are up-to-date—but as we know, resources need to be left up and online so that you can do maintenance, which is where the maintenance window conversation comes into play.

As recently covered in our Relieving Patching Pains webinar, understanding your clients’ business will help you suggest some appropriate patching windows. Once you’ve established those maintenance windows, you’ll then need to remind, remind, remind and remind, until it becomes routine for the employees to leave machines on.

“But We’ve Had the Patching Conversation Before”

I know you’ve likely had this conversation before. But if this were easy and everyone did it, I wouldn’t be writing this blog and the Essential Eight wouldn’t have included patching as one of the core mitigation strategies. Sadly, this is not the case, and we still need to have those conversations with clients.

There’s a difference between the last time you had the conversation and now, though. You’re no longer the only one telling your clients about the importance of patching. You can leverage the recommendation of a government agency to support your own suggestions. Sometimes it just takes a different voice, suggesting things in a slightly different manner, for someone to take notice. Leveraging the Essential Eight will provide that external credibility to your positioning.

Also, consider drawing a parallel. You likely know their environment and which SaaS applications they are using. Therefore, tie the conversation to one of those SaaS applications, or ones you use internally, to show how organizations are scheduling maintenance so that they can do similar patching exercises for their own systems.

A Different Approach to Patching

If you find yourself thinking, “well this doesn’t matter because patches don’t work, they break things, and they’re time-consuming for my team,” I get it. When patches don’t take, or when there is a bad patch, yes, it can lead to time-consuming drudgery for your team. It doesn’t have to be that way, though.

Perhaps you need to take a different approach to patching. Are you bringing those patches in and testing them? Have you considered sample deployments in a small subset of the client’s environment before a larger, broad-based rollout? Are you working with a managed services platform that can help resolve patch issues for you? Are you working with a managed services platform that adapts to changes in the patching landscape to keep your clients up-to-date?

Also in our Relieving Patching Pains webinar, SVP of Engineering John Mandell talked about how Continuum’s platform addresses some of the aforementioned concerns, as well as features and other considerations for MSPs to think about when it comes to patching.

Educate, Re-Educate, and Enforce

Most of us in the industry understand that patching is a core tenet of a secure environment. However, you must also convey this to your clients so they understand its importance.

Based on the type of business your clients have, work with them to find a mutually suitable maintenance period when those machines will regularly be up and available for your team. Then, take a look at the tools you’re using to see if they’re getting the job done for you.

The Essential Eight lists both OS patching and application patching as important to providing a baseline security profile to button up known vulnerabilities. While you may be doing a great job making sure the Microsoft patches are being pushed out, that doesn’t cover potential vulnerabilities in the common applications that your clients use daily.

A Patching Example

Let’s take a real-world example of this to help explain why patching in general should be a priority focus when supporting your clients:

Almost everyone in the industry and beyond has heard about the Equifax breach—one of the largest breaches of consumers' private financial data in history. It was traced to a vulnerability caused by a coding flaw in one of the Apache modules. What is sad about this case is that a patch had been released a whole two months before the breach occurred. Equifax failed to apply it, and the results were devastating.

Like many things in life, hackers will always try to take the path of least resistance. By ignoring basic patching standards, you’re essentially leaving a virtual key for hackers to come and go from your systems as they please.

I’ll leave you with an old sales adage, which a colleague shared with me years ago. I think it’s very relevant to the patching conversation, and it’s simply this:

“Tell them what you’re going to tell them. Tell them. Tell them what you told them.”

Click here to read part three on application whitelisting and user application hardening.