Most mature security programs monitor the monthly patching of all client hosts and servers. Every single month, every machine, whether client or server, Windows or Linux, should be fully patched at the OS level. Applications such as Office, Adobe Flash, Adobe Reader, and Java should be patched monthly as well, since historically they have been among the most common vectors for malware. Patching should be followed by a monthly vulnerability scan and, once fixes are applied, a remediation scan that confirms the findings are actually closed rather than merely ticketed. For patch deployment there are many good options: WSUS, SCCM, SolarWinds, ManageEngine, Ivanti. For vulnerability scanning the industry standards are Nessus, Qualys, and Nexpose.
Patching of security appliances and network devices, however, is a little trickier. The security team must use good judgement, based on best practices and an intimate knowledge of its own environment, when performing or recommending patching. That said, some general guidelines are useful. Security appliances and network devices, including firewalls, should be patched immediately for any critical vulnerability or any fix the vendor flags as security-relevant. Most firewalls and AV servers update their attack signatures and antivirus definitions automatically, but the firmware or operating system of the appliance itself is a separate matter and still has to be patched deliberately.
Upgrades to network or security devices should be carefully planned, and you may want to wait one or two versions before updating, unless, again, the update is critical or addresses a security vulnerability. You should never wait six months to patch a system, except in the unlikely event that no vendor patch is available in that time frame. That is a very unlikely scenario: Microsoft and the major Linux distributions release patches monthly, and most security vendors release several patches a year. It can be hard to keep up, but keeping up is a core duty of any security operations team.
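The remediation windows described above can be turned into a simple compliance check that runs over exported scan results, so that "immediately", "monthly" and "never six months" become deadlines rather than intentions. The following Python script is an added example and is not part of the original article or of any tool it names. The CSV layout and column names, the asset classes, and the window lengths (immediate, 30 days, 180 days) are assumptions chosen to mirror the guidance, and the scan rows are constructed sample data, not real findings.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows in days, modelled on the guidance above (assumed values; tune per environment).
IMMEDIATE = 0        # critical or security fixes on firewalls, security appliances, network devices
MONTHLY_CYCLE = 30   # routine OS and application patching on clients and servers
HARD_CEILING = 180   # nothing waits six months, even a non-critical appliance upgrade

INFRA_CLASSES = {"firewall", "security_appliance", "network_device"}

# Constructed sample export (hypothetical columns, not any real scanner's format).
SAMPLE_SCAN_CSV = """\
host,asset_class,severity,security_issue,first_seen,patch_available
fw01,firewall,critical,yes,2024-05-01,yes
sw-core,network_device,medium,no,2024-01-15,yes
srv-sql01,server,high,yes,2024-05-20,yes
ws-042,client,medium,no,2024-04-01,yes
srv-app02,server,critical,yes,2024-05-25,no
"""
SAMPLE_TODAY = date(2024, 6, 1)  # fixed "today" so the sample run is reproducible


@dataclass
class Finding:
    host: str
    asset_class: str       # client, server, firewall, security_appliance, network_device
    severity: str          # critical, high, medium, low
    security_issue: bool   # vendor marks the fix as security-relevant
    first_seen: date       # first date the scanner reported it
    patch_available: bool  # a vendor fix exists


def parse_scan_csv(text: str) -> list[Finding]:
    """Parse the hypothetical CSV export into Finding records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Finding(
            host=r["host"],
            asset_class=r["asset_class"].lower(),
            severity=r["severity"].lower(),
            security_issue=r["security_issue"].lower() == "yes",
            first_seen=date.fromisoformat(r["first_seen"]),
            patch_available=r["patch_available"].lower() == "yes",
        )
        for r in rows
    ]


def remediation_window_days(f: Finding) -> int:
    """Days allowed between first detection and remediation for this finding."""
    if f.asset_class in INFRA_CLASSES:
        if f.severity == "critical" or f.security_issue:
            return IMMEDIATE
        return HARD_CEILING  # feature upgrade: may skip a version or two, never six months
    return MONTHLY_CYCLE


def triage(findings: list[Finding], today: date) -> dict:
    """Bucket findings into overdue / still within window / no vendor patch yet."""
    report = {"overdue": [], "due": [], "awaiting_vendor": []}
    for f in findings:
        if not f.patch_available:
            # Keep tracking it, but do not count it as a missed window
            report["awaiting_vendor"].append(f.host)
            continue
        deadline = f.first_seen + timedelta(days=remediation_window_days(f))
        delta = (today - deadline).days
        if delta > 0:
            report["overdue"].append((f.host, delta))  # days past deadline
        else:
            report["due"].append((f.host, -delta))     # days remaining
    report["overdue"].sort(key=lambda item: item[1], reverse=True)  # worst first
    return report


if __name__ == "__main__":
    result = triage(parse_scan_csv(SAMPLE_SCAN_CSV), SAMPLE_TODAY)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
```

In practice the rows would come from the CSV export of whichever scanner you run (Nessus, Qualys, Nexpose), and the remediation scan is what flips a finding out of the report. The point of the "awaiting_vendor" bucket is that a finding with no fix available should stay visible and be mitigated some other way, not silently drop out of the overdue list.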
Patch, patch, and always patch. This should be the mantra for every mature network. Those patches do need to be thoroughly tested and vetted first, though, especially when they touch a network or security appliance, a server, and in particular a database server such as SQL Server. Patches for client machines should be tested before broad deployment as well, typically on a pilot group before rolling out to the rest of the fleet.
Many well-known breaches occur because of a failure to patch a known vulnerability. Regular patching is a very basic security control included in every major standard and regulatory framework: NIST, ISO 27001, COBIT, COSO, PCI DSS, HIPAA/HITECH, SOX, and GLBA all require that the systems on your network be kept up to date. Because it is such a basic and powerfully effective control, it is critical that it be implemented in order to improve your security posture.
To keep your network fully protected, don't ignore or forget to patch the very devices that connect and protect your domain. At the very least you should know which patches are available, and which are still missing, for every machine on your network. Patch, patch, and always be patching.