Vulnerability and Patch Management

Build a Vulnerability and Patch Management Program

The experts at Novacoast are ready to work with our customers to refine a Vulnerability & Patch Management program that ensures full coverage and expedient patching for assets.


What We Do

Configuration and Management of Automated Patching Schedules

Automated Patching Schedules are designed to deploy in multiple stages: one or more test stages and one production stage. The testing phases are critical for identifying issues in patches before deploying enterprise-wide. Test stages should contain systems that are a good representation of the different operating systems and system roles throughout the organization.

Novacoast will configure and maintain the following to facilitate the automated patching process:

  • Custom Tags: Custom tags are assigned to endpoints to determine their membership in a computer group.
  • Computer Groups: Patches are deployed to endpoints based on Computer Groups. Groups are created for Servers, Workstations, Test and Pilot endpoints, critical assets, etc. Typically these groups are dynamic, and membership is determined by a Custom Tag on an endpoint.

Maintenance Windows

Maintenance windows are established that determine the times that patches can be deployed to an endpoint. Windows are applied to the computer groups as required. Typically there are different maintenance windows created for servers, workstations, test and production devices. If an endpoint does not have a Maintenance Window assigned, it is allowed to patch any time that there is an active deployment.

Block Lists

Block Lists are used to create a list of patches that should not be deployed in the environment.

Deployment Templates

Deployment Templates define the content, timing, behavior, and other settings of patch deployments. Deployment Templates can contain settings for:

  • Platform
  • Frequency
  • Download settings
  • Override of Maintenance Windows or Block Lists
  • Notification of Reboot Behaviour

Deployments

These are the jobs that deploy patches to the various groups.
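The objects above (custom tags, dynamic computer groups, maintenance windows, block lists, deployment templates and deployments) fit together as a small decision model. The following is an added illustration written for this page, not Novacoast's tooling or any patch-management product's API; every endpoint name, tag, KB-style patch identifier and window time in it is constructed, and it assumes same-day maintenance windows and a template that can optionally override windows or the block list. It shows, for one deployment at one point in time, which endpoints would receive which patches and why the others are skipped, including the edge case that an endpoint with no maintenance window is eligible whenever the deployment is active.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# All names, tags, patch ids and times below are constructed sample data.


@dataclass(frozen=True)
class MaintenanceWindow:
    """Times at which an endpoint may be patched (same-day windows only; an assumption)."""
    name: str
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def is_open(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass
class Endpoint:
    name: str
    platform: str
    tags: frozenset  # custom tags drive dynamic group membership
    window: Optional[MaintenanceWindow] = None  # None: may patch whenever a deployment is active


@dataclass(frozen=True)
class ComputerGroup:
    name: str
    required_tag: str  # dynamic membership: an endpoint carrying this tag is in the group

    def members(self, endpoints):
        return [e for e in endpoints if self.required_tag in e.tags]


@dataclass(frozen=True)
class DeploymentTemplate:
    name: str
    platform: str
    override_windows: bool = False     # bypass maintenance windows (e.g. emergency patching)
    override_block_list: bool = False  # bypass the block list


@dataclass(frozen=True)
class Deployment:
    name: str
    group: ComputerGroup
    template: DeploymentTemplate
    patches: tuple  # patch identifiers offered by this deployment
    active: bool = True


def plan_deployment(deployment, endpoints, block_list, at):
    """Decide, per endpoint, which patches would install if the deployment ran at `at`.

    Returns (approved, skipped): approved maps endpoint name -> list of patches,
    skipped maps endpoint name -> human-readable reason."""
    approved, skipped = {}, {}
    members = deployment.group.members(endpoints)
    if not deployment.active:
        return approved, {e.name: "deployment inactive" for e in members}
    tmpl = deployment.template
    # Block-listed patches are removed unless the template explicitly overrides the list.
    patches = [p for p in deployment.patches if tmpl.override_block_list or p not in block_list]
    for ep in members:
        if ep.platform != tmpl.platform:
            skipped[ep.name] = f"platform {ep.platform} does not match template {tmpl.platform}"
            continue
        # No window assigned means the endpoint is eligible at any time.
        if ep.window is not None and not tmpl.override_windows and not ep.window.is_open(at):
            skipped[ep.name] = f"outside maintenance window {ep.window.name}"
            continue
        if not patches:
            skipped[ep.name] = "all offered patches are block-listed"
            continue
        approved[ep.name] = patches
    return approved, skipped


# Constructed sample environment.
SAT_0200_0600 = MaintenanceWindow("servers-test", frozenset({5}), time(2, 0), time(6, 0))
SUN_0100_0500 = MaintenanceWindow("servers-prod", frozenset({6}), time(1, 0), time(5, 0))
SAMPLE_ENDPOINTS = [
    Endpoint("srv-test-01", "windows", frozenset({"server", "test"}), SAT_0200_0600),
    Endpoint("srv-prod-01", "windows", frozenset({"server", "production"}), SUN_0100_0500),
    Endpoint("ws-prod-01", "windows", frozenset({"workstation", "production"})),  # no window
    Endpoint("lnx-prod-01", "linux", frozenset({"server", "production"}), SUN_0100_0500),
]
SAMPLE_BLOCK_LIST = {"KB-BLOCKED-0002"}  # constructed placeholder identifier
PATCHES = ("KB-SAMPLE-0001", "KB-BLOCKED-0002", "KB-SAMPLE-0003")
WINDOWS_MONTHLY = DeploymentTemplate("windows-monthly", "windows")
TEST_DEPLOYMENT = Deployment("june-test", ComputerGroup("Test", "test"), WINDOWS_MONTHLY, PATCHES)
PROD_DEPLOYMENT = Deployment("june-prod", ComputerGroup("Production", "production"), WINDOWS_MONTHLY, PATCHES)
SATURDAY_0300 = datetime(2024, 6, 1, 3, 0)  # a Saturday, inside the test-server window

if __name__ == "__main__":
    for dep in (TEST_DEPLOYMENT, PROD_DEPLOYMENT):
        approved, skipped = plan_deployment(dep, SAMPLE_ENDPOINTS, SAMPLE_BLOCK_LIST, SATURDAY_0300)
        print(dep.name, "approved:", approved, "skipped:", skipped)
```

Run against the sample data at Saturday 03:00, the test deployment reaches srv-test-01 with the two non-blocked patches, while the production deployment reaches only ws-prod-01 (no window assigned); srv-prod-01 waits for its Sunday window and lnx-prod-01 is excluded by platform. A template with override_windows set would pull srv-prod-01 in immediately, which is why such overrides belong only on deliberately scoped emergency deployments.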

The Patch Cycle

In performing patching, we will conduct the following steps:

  • Verification of setup
  • Deploy patches to test group(s)
  • Monitor test patch deployment and results – adjust the patch list, block lists, or deployment properties if necessary based on testing results
  • Deploy patches to production group
  • Monitor production patch deployment and results – adjust the patch list, block lists, or deployment properties if necessary
  • Create uninstall deployments if needed

Basic Monthly Reporting

  • Prepare and verify reports in Patch and Trends modules to report on patch effectiveness
  • Prepare and verify reports in Comply to report on vulnerability remediation and outstanding risks
  • Provide recommendations for vulnerabilities and remediation that fall outside of OS patches or the predefined patch deployments

Sample Monthly Patch Cadence

A monthly patch cadence will be established. There are portions of this cadence that are automated, some that are Novacoast’s responsibility, and some that are the customer’s responsibility.

A typical cadence begins with the release of updates—Microsoft’s “Patch Tuesday” for example—and goes through cycles of evaluation, patching windows, monitoring, and troubleshooting for both TEST and PRODUCTION environments. Patching is performed and reviewed on a dependable and sustainable cycle so as to integrate the practice into the fabric of operations.

Promote Security Maturity

We believe that to properly manage security technology it’s our responsibility to work towards improving the security posture of the technology we’re managing and the organization we are providing service for.

Novacoast will compile an operational maturity plan consisting of four phases. Each phase is a step toward a maturity goal and defines targets to help attain and sustain patching cycles for systems and applications throughout the organization.