What's the Difference between Patching & Vulnerability Management?

Our managing partner, Dustin Bolander, sat down to discuss the differences between patching and vulnerability management. The conversation has been lightly edited. You can watch the video here: https://youtu.be/B4WysvBSzNU

What is the difference between patching and vulnerability management? Who cares? Does it really matter?

There is an important distinction between the two. Patching is how we’ve traditionally done things in IT, right? For example, Microsoft released this latest patch for a security vulnerability and we are going to deploy it on Saturday. We’ll have to reboot the servers, but all in all, that is about it. Everyone moves on with their lives. Microsoft has automated a lot of it too. We’ve automated things like updating Zoom, LexisNexis, Westlaw, etc. However, there could be a situation where you’ve downloaded this more obscure docketing tool. That isn’t something that most IT folks are going to have an automated way to patch. Going forward from here, there are 2 different ways you can proceed.

  • Option 1: We will manually look for updates on their website or hope they send us an email whenever an update comes out. The question is, do you trust companies to do a good job at that?

  • Option 2: We can institute vulnerability management. Now, not only are we sitting here patching the network on a regular basis, but we’re also scanning it regularly.

Another example: let’s say someone went and plugged in a new copier or a postage meter. These are things IT can’t automate the patching of. Rather than checking it manually, our scanning tool is sitting there daily checking the network to find security vulnerabilities and then alerting us once it does. Now, instead of having to go check for security updates, we are getting an alert that says this vulnerability exists, and then we can reach out to the vendor and ask if there is an update that needs to be installed. Trusting but simultaneously verifying is a good way to put it around vulnerability management systems.

Trey Hiller