Unpatched and Vulnerable

Cybercriminals only have to be right one time to infiltrate a network, so every possible attack vector needs to be monitored and secured properly.

Patch Management

One of the most important things you can do to secure your clients’ environments is to keep them current with security patches. The patch management services you offer identify and fix security vulnerabilities and test your clients’ software and systems once the patch is installed.

Multiple common vulnerabilities and exposures (CVEs), ranging from low to critical, are announced each month—sometimes, new CVE alerts come out each week or each day. A recent, high-profile example is the vulnerability discovered in December 2021 in Apache Log4j 2 17.0 for Java 8 and up, which enables malicious actors to initiate infinite recursive lookup, resulting in StackOverflowError, aka a denial of service (DOS) attack.

As patches are released for these vulnerabilities, managed services providers’ (MSPs’) clients rely on patch management services to correct issues and protect them from cyberattacks that exploit them.

Michael Hornby, CEO of Techmentum and ASCII Group member, says the demand for IT security services, including patch management services, is increasing, and services must have the capability to be immediately responsive. “Major, exploitable software vulnerabilities have been discovered in far greater numbers the past couple of years,” he says. “Patches sometimes need to be rolled out within hours, not days or weeks.”

Patch Management Services Processes that Work

Any MSP who offers patch management services knows it’s easier said than done. The first challenge is knowing what to patch. “Unfortunately, there’s no single platform for keeping track of security updates across vendors,” Hornby says. “It’s not just Microsoft products delivered by Windows Update that need our attention. Most vendors have email lists that send notifications about updates, and we often subscribe using our ticketing system email address, so any updates are addressed quickly.”

He adds, “Everyone needs to be vigilant in following the latest vulnerabilities. Cybercriminals only have to be right one time to infiltrate a network, so every possible attack vector needs to be monitored and secured properly.”

Then, once you are aware of a vulnerability, you need to find all software that it may impact. Hornby says. “Our RMM tool does a fantastic job of software inventory and change tracking. We can view software in aggregate across all of our clients, down to the device level. It takes seconds to find out exactly what software is being used and where,” he explains.

Furthermore, although patches are essential for security, they can cause problems that impact software or network performance. “We’re more careful nowadays about which patches we roll out,” Hornby says. “It’s a delicate balance between urgency and validation. We rely heavily on the IT community that performs patch testing, and we further investigate (and often blacklist) patches that are found to be bad. We validate as much as we can in a test environment, but it’s impossible to test every single scenario, and we’ve had to do rollbacks or remediation in the past.”

Patch Management Services from a Trusted Business Advisor

Although security may be top of mind for your clients, remind them that patch management services also provide their businesses with additional benefits, such as compliance, increased uptime and enhanced IT system performance.

Meet the demand for patch management services that improve cybersecurity and enhance your client’s IT environments by building an offering that identifies, tests, and fixes vulnerabilities as quickly as possible. You’ll strengthen your relationship with your clients, provide a valuable service, and perhaps even see some business growth as a result.

About The ASCII Group, Inc.

The ASCII Group is the premier community of North American MSPs, MSSPs, VARs and solution providers. The group has over 1,300 members located throughout the U.S. and Canada, and membership encompasses everyone from credentialed MSPs serving the SMB community to multi-location solution providers with a national reach. Founded in 1984, ASCII provides services to members including leveraged purchasing programs, education and training, marketing assistance, extensive peer interaction and more.  ASCII works with a vibrant ecosystem of major technology vendors that complement the ASCII community and support the mission of helping MSPs and VARs to grow their businesses. For more information, please visit www.ascii.com.


Mike Monocello

The former owner of a software development company and having more than a decade of experience writing for B2B IT solution providers, Mike is co-founder of Managed Services Journal (formerly XaaS Journal) and DevPro Journal.