Patch management: Balancing security, stability, and speed

IT veterans will recall July 2024 as one of the most significant IT disruptions in recent memory, triggered by a faulty CrowdStrike update that rendered systems unusable at scale. Microsoft later estimated the incident affected approximately 8.5 million Windows devices.  

The event forced teams into immediate, manual remediation efforts, leaving little time to evaluate change management strategies. Nearly two years later, however, the incident stands as a reminder of why strong patch management processes are critical.

The problem with the n-1 strategy: Attackers love n-1

The n-1 strategy means an organization is intentionally running one version or component behind the latest available version (n). The reasoning is to avoid potential disruptions some patches can cause.  

Now, imagine being a nefarious hacker looking for an easy payday. You know that Microsoft releases security updates on a set schedule, and those updates are published publicly, often with details of the security vulnerabilities they address.  

If companies patched immediately, this information would not be of much use, but if they are wary of applying a new, untested update across their entire organization, that hesitation leaves a window of opportunity. An attacker can race to exploit the disclosed vulnerabilities before systems are updated.

In today's age of AI-assisted attacks, that is an incredibly generous window.

Why organizations should be wary of automatic updates

If delaying an update introduces a window for cybercriminals to attack a known vulnerability, surely just turning on automatic updates is the better option, right? The answer is not so straightforward.  

While turning on automatic updates reduces that exposure window, it can also introduce new, unknown risk. Recent software supply chain attacks involving compromised packages and malicious updates have shown that trusted software distribution mechanisms are not immune to abuse. Organizations that deploy updates automatically and at scale may also accelerate the spread of any issues introduced by those updates. For some organizations, this tradeoff is acceptable, but for others, additional testing and staged deployment processes may be warranted.

Why patch management is crucial to your cybersecurity strategy

Effective patch management remains one of the most important ways organizations can reduce risk by addressing known vulnerabilities before they are exploited.

Attackers frequently target vulnerabilities after patches become available, knowing many organizations struggle to deploy updates consistently across their environments. A strong patch management strategy helps security teams identify affected systems, prioritize remediation efforts, and deploy updates in a controlled manner.

While cyber insurance may help offset the financial impact of a cyber incident, it does not prevent one. Insurance companies are also holding policyholders more accountable for breaches caused by outdated security, further heightening the importance of proper, timely patch management.  

The goal is not simply to install updates as quickly as possible. Effective patch management balances security, stability, and business continuity by ensuring critical vulnerabilities are addressed without introducing unnecessary disruption to production environments.

Patch management best practices

So, what should enterprise IT professionals be doing to secure their environment? The answer is well known but requires constant effort.  

Updates should be immediately deployed to a test environment that closely mirrors production. Once deployed, they should be subjected to a battery of QA tests to ensure that every critical business function continues to operate as expected.

Once validation is complete, production rollout should begin in stages rather than all at once.  

It is precisely because this process is difficult to implement and time-consuming to maintain that events like those from July 2024 occur, or worse, that organizations fall victim to exploitation through known vulnerabilities.

How ThreatLocker secures patch management

At ThreatLocker, this approach is implemented through structured update channels. Each agent release undergoes rigorous testing before being deployed internally. After passing internal validation, it is promoted to beta and distributed across the following channels:

  • Pre-releases
    Once an agent update enters beta, groups set to the Pre-releases update channel will slowly receive the update, enabling early-stage validation in controlled environments.
  • Expedited
    After an update has successfully completed all beta testing and is released to production, computer groups set to the Expedited update channel will begin receiving the update.
  • Regular (Default)
    After the Expedited rollout, computer groups set to the Regular update channel will begin receiving the update.
  • Slow and Steady
    Once the Regular group is finished updating to the newest stable build, endpoints in the Slow and Steady update channel begin receiving updates to the previous stable build.  
  • Manual Updates
    Computer groups set to the Manual Updates channel will not be updated automatically, providing full administrative control over when updates are applied.

This tiered approach enables organizations to implement effective change control, balancing security, stability, and operational risk.
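To make the staged rollout described in the best-practices section and the channel list above concrete, here is an added Python model of a ring-based deployment controller. It is illustrative code written for this article, not ThreatLocker's agent or console code: the channel names follow the list above, but the `Endpoint` and `Release` types, the ring ordering, the post-ring health check and the halt-on-failure threshold are all assumptions. Each ring is updated only after the previous ring has finished, every updated endpoint is health-checked, and a failure rate above the threshold stops the rollout so later rings (and the Manual channel) are never touched.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Channel(Enum):
    """Update channels, named after the list in the article."""
    PRE_RELEASE = "pre-release"
    EXPEDITED = "expedited"
    REGULAR = "regular"
    SLOW_AND_STEADY = "slow-and-steady"
    MANUAL = "manual"


# Assumed promotion order: a halt in one ring leaves every later ring untouched.
# MANUAL is deliberately absent; it is never auto-updated.
RING_ORDER = [Channel.PRE_RELEASE, Channel.EXPEDITED,
              Channel.REGULAR, Channel.SLOW_AND_STEADY]


@dataclass
class Endpoint:
    name: str
    channel: Channel
    version: str


@dataclass
class Release:
    beta: str             # build currently in beta testing
    stable: str           # newest build that has passed beta
    previous_stable: str  # the build that was stable before `stable`


def target_version(endpoint: Endpoint, release: Release) -> Optional[str]:
    """Map a channel to the build it should run; None means 'do not auto-update'."""
    if endpoint.channel is Channel.PRE_RELEASE:
        return release.beta
    if endpoint.channel in (Channel.EXPEDITED, Channel.REGULAR):
        return release.stable
    if endpoint.channel is Channel.SLOW_AND_STEADY:
        return release.previous_stable
    return None  # MANUAL: the administrator decides when to update


def run_rollout(endpoints: List[Endpoint], release: Release,
                health_check: Callable[[Endpoint], bool],
                max_failure_ratio: float = 0.0) -> Dict[str, object]:
    """Update ring by ring. After each ring, health-check the endpoints just
    updated; if the failure ratio exceeds the threshold, stop immediately and
    report which ring halted the rollout. Endpoints are mutated in place."""
    updated: List[str] = []
    failed: List[str] = []
    for ring in RING_ORDER:
        touched = []
        for ep in (e for e in endpoints if e.channel is ring):
            target = target_version(ep, release)
            if target is None or target == ep.version:
                continue  # nothing to do for this endpoint
            ep.version = target
            touched.append(ep)
        if not touched:
            continue
        ring_failed = [e.name for e in touched if not health_check(e)]
        updated.extend(e.name for e in touched)
        failed.extend(ring_failed)
        if len(ring_failed) / len(touched) > max_failure_ratio:
            return {"halted_at": ring.value, "updated": updated, "failed": failed}
    return {"halted_at": None, "updated": updated, "failed": failed}


def sample_fleet() -> List[Endpoint]:
    """Constructed sample inventory, one or two endpoints per channel."""
    return [
        Endpoint("pre-01", Channel.PRE_RELEASE, "2.1.0-beta2"),
        Endpoint("exp-01", Channel.EXPEDITED, "1.9.5"),
        Endpoint("regular-01", Channel.REGULAR, "1.9.5"),
        Endpoint("regular-02", Channel.REGULAR, "1.9.5"),
        Endpoint("slow-01", Channel.SLOW_AND_STEADY, "1.9.5"),
        Endpoint("manual-01", Channel.MANUAL, "1.9.5"),
    ]


def always_healthy(endpoint: Endpoint) -> bool:
    return True


def flaky_health_check(endpoint: Endpoint) -> bool:
    """Constructed failure: one Regular endpoint breaks on the new stable build."""
    return not (endpoint.name == "regular-02" and endpoint.version == "2.1.0")


if __name__ == "__main__":
    release = Release(beta="2.2.0-beta1", stable="2.1.0", previous_stable="2.0.3")
    print(run_rollout(sample_fleet(), release, always_healthy))
    print(run_rollout(sample_fleet(), release, flaky_health_check))
```

With the healthy check every ring completes and Slow and Steady lands on the previous stable build; with the constructed failing endpoint the rollout halts at the Regular ring, so Slow and Steady and Manual endpoints keep their current version. In a real environment the health check would be a battery of business-function tests rather than a name match, and the threshold would be tuned per ring rather than left at zero.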

In addition, ThreatLocker offers Patch Management capabilities designed to support change control strategies across organizations of all sizes.  

In today’s threat landscape, effective change management is no longer just an operational best practice. It is a critical component of an organization’s security posture.
