3rd Party Risk Management , Application Security , Governance & Risk Management
Patch Tuesday to End; Microsoft Announces Windows AutopatchA 'Step Toward Automation as Standard for Patching' But There May Be Exceptions
Starting in July, the second Tuesday of every month will "just be another Tuesday," Microsoft says. The technology giant, which has released patches for vulnerabilities in its software every second Tuesday of every month since 2016, is now set to roll out automatic updates.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Windows Autopatch, set to be released in July for enterprise customers, allows Microsoft to patch bugs for its users without any effort on the users' part. Windows Autopatch is also offered as a feature in Windows 10/11 Enterprise E3 at no additional cost.
Windows Autopatch will manage all aspects of deployment groups for Windows 10 and Windows 11 quality and feature updates, drivers, firmware and Microsoft 365 Apps for enterprise updates, which means all the drivers and firmware that are published to Windows Update as automatic will be delivered as part of Windows Autopatch, Microsoft says.
"The autopatch approach from Microsoft will bring an additional tool to businesses with managed desktops that could reduce the cost of that management and accelerate the deployment of patches reducing the opportunity of harm. This will leave businesses able to focus on their specific processes and applications," John Goodacre, director of the UKRI's Digital Security by Design challenge, tells Information Security Media Group. Goodacre is also a professor of computer architectures at the University of Manchester.
Microsoft says the pandemic drove demand for increased remote or hybrid work. "Business needs change in response to market shifts," says Lior Bela, senior product marketing manager for Microsoft managed desktop and Windows Autopatch on the Microsoft 365 team. "Security postures must be hardened as new threats emerge. Innovations in hardware and software enhance usability and productivity. Enterprises must continually respond to stay competitive, enhance protection and optimize performance."
Bela says that enterprise IT systems are unique and complex and that introducing environmental changes - such as software updates - into these systems requires time and resources. Since the technology is evolving, Bela says that the number of new changes to be introduced is always growing, resulting in gaps.
"A security gap forms when quality updates that protect against new threats aren't adopted in a timely fashion. A productivity gap forms when feature updates that enhance users' ability to create and collaborate aren't rolled out. As gaps widen, it can require more effort to catch up," Bela says.
In a separately released Windows Autopatch FAQ, Microsoft says the updates will be applied to a small initial set of devices, evaluated and then graduated to increasingly larger sets, with an evaluation period at each progression.
"This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to assure that registered devices are always up to date and disruption to business operations is minimized, which will free an IT department from that ongoing task," Microsoft says.
In addition, Microsoft says that in case of an issue, the Autopatch service can be paused by the customer or the service itself. "When applicable, a rollback will be applied or made available," it says.
Microsoft has categorized customer devices into four groups, called deployment rings. They are: Test, First, Fast and Broad. These deployment rings will contain a minimum number of representative devices, and the Test ring will contain small numbers.
According to Bela, the First ring is slightly larger, containing about 1% of all devices under management, the Fast ring contains about 9% of endpoints, and the rest assigned to the Broad ring. "The population of these rings is managed automatically, so as devices come and go, the rings maintain their representative samples. Since every organization is unique, though, the ability to move specific devices from one ring to another is retained by enterprise IT admins," he says.
Microsoft says it has focused on curating ring populations, which it says is important because Autopatch uses a progressive update deployment. The updates will be installed in the Test ring devices and during a validation period, they will progress to another testing and so on.
"As more devices receive updates, Autopatch monitors device performance and compares performance to pre-update metrics as well as metrics from the previous ring where applicable. The result is a rollout cadence that balances speed and efficiency, optimizing productive uptime," according to Microsoft. "Whenever issues arise with any Autopatch update, the remediation gets incorporated and applied to future deployments, affording a level of proactive service that no IT admin team could easily replicate. As Autopatch serves more updates, it only gets better."
Microsoft also says that although issues should arise infrequently, Autopatch has three key capabilities to keep users productive.
"The first is the 'Halt' feature - updates won't move from ring to ring unless targets for stability are met, and updates can be halted by customers, too. The second is the 'Rollback' feature - if devices don't meet performance targets after being updated, the updates can be undone automatically. Third is the 'Selectivity' feature. This allows for portions of an update package to be passed on and portions that don't perform to target to be halted or rolled back selectively and automatically," Microsoft says.
Javvad Malik, lead security awareness advocate at KnowBe4, tells ISMG that by automating the patching process, Microsoft will help protect many organizations against a large attack surface that criminals can take advantage of.
Jamie Akhtar, CEO and co-founder of CyberSmart says, "Hopefully, this is a step toward automation as standard for patching."
According to Akhtar, "The single most important step a business can take toward improving its cybersecurity is regularly updating software with patches, yet so few do it as often as they should." He says that tools such as this one can "remove the human error element of patching, giving cybercriminals one less route to attack businesses."
Mike Varley, threat hunting lead at Adarma, tells ISMG the new automated updates are a "proactive, affirmative action to help protect against an ever-evolving and complex threat landscape."
Varley says Autopatch is the next phase in Microsoft's plan to move to entirely automated updates. The ability to only postpone - rather than outright decline - updates is now a standard feature in the Windows operating system, he says. But he adds that vendors, including Microsoft, "have a history of botched updates to overcome before enterprise organizations will begin to trust automatic updates again."
Jamie Graves, CEO of Uleska, says automation is an aid to under-resourced IT teams, but he warns about situations in which a certain system cannot be patched on a regular basis due to the ecosystem of other software on the platform.
"For instance, within critical infrastructure environments, some systems are simply too critical or too outdated to be patched. This needs to be a key consideration for this new security feature," he says, because "patches can and often do break things."
Malik agrees that there is a potential danger to organizations if the patch is incompatible or breaks any system processes. He says many organizations test a patch prior to pushing it out to production systems. "Microsoft will need to ensure any patches pushed out automatically do not adversely impact organizational processes," Malik says.
And Tom Bridge, principal product manager of JumpCloud, says patches may be a problem - if they lead to applications or operating systems not working properly, which can have a big impact on user productivity and performance and cause the IT team to revert users back to previous versions or rebuild systems.
Sam Curry, chief security officer at Cybereason, tells ISMG that whether Autopatch improves security, autonomy is the word of the day. Enterprises need to have the option to control their own deployments and therefore the trade-offs on risks.
"If Autopatch makes sense for organizations, adoption will rise," he says. Curry also says service level agreements matter, and Microsoft must meet the reliability and security needs of organizations.
"It remains to be seen how many enterprises are willing to hand over the configuration of their systems to Microsoft. Patch quality, that is – patches that don’t work as intended – has been an ongoing issue over the years, and system administrators may not trust Microsoft to completely handle their monthly updates," says Dustin Childs, communications manager at Trend Micro’s ZDI.
Childs adds, "There’s also the question of third-party patches. Even if they adopt Autopatching, enterprises can’t eliminate their patch staff as they still need to apply patches to the routers, switches, and non-Microsoft applications. Even if you automate all of the Microsoft updates, monthly patching is not a trivial issue. Because of this, enterprises may be reluctant to hand over this level of control to Microsoft. From Microsoft’s perspective, this makes a ton of sense. It allows them to consolidate many versions of Windows and Office into as few as possible, which make servicing all the easier. If they can accomplish this, it will certainly save them money and time when creating updates as there will be fewer platforms and configurations they will need to support."
Microsoft says automating the management of updates can provide a response to changes, increase confidence around introducing new features, and close the protection and productivity gaps. This will reduce the amount of time IT admins spend on the planning phase of update rollout and sequencing and over the long term, it will allow them to focus on driving value, according to Microsoft.