Advanced Patch

Modified on Wed, 10 May 2023 at 01:37 PM

Advanced Patch simplifies the process of updating operating systems and applications. Seamlessly integrated into the five(9)s Console, it offers role-based management for zero-touch patch deployments, definable patch steps (pilot groups), optional approvals and intuitive exclusion rules for different device groups. All changes to teams, groups or exclusion rules are documented to keep the process transparent.

Top Features

  1. Zero-Touch Patch Management
  2. Definition of Pilot Groups via Custom Inventory
  3. Patch Exclusion Rules for different device groups
  4. Patch Management Dashboard to visualize active patch deployments
  5. Role-based management to delegate responsibilities
  6. Approvals for Patch Deployments

Licensing of Advanced Patch

The Advanced Patch module requires an additional license before it becomes visible as a menu entry in your five(9)s Console.

Please feel free to contact us via support@five9s.de to get a 30-day trial or your individual license offer. After we have adjusted your license, simply reactivate the console by clicking the Refresh License button shown below (no password needed).

Configuration of Advanced Patch

1. Create Patch Teams

The first steps of configuring the Advanced Patch module have to be done in the Admin Section on the Patch Settings screen:


Click on Add Patch Team to create a user group responsible for patch management of certain device groups.

Give your team a name and a short name, assign a five(9)s Console role to it (only users in this role will be able to see the patch deployments of this team), and define a minimum pilot device count (as an absolute number or as a percentage) as well as the suspend timeout in hours for suspended vulnerabilities. After this time, suspended vulnerabilities are no longer blocked from deployment and will be processed in the next patch run.

Tip: You can have Patch Teams for clients and servers in general, clients in specific countries, critical application servers and so on. A SecurityAudit role is preconfigured for monitoring purposes.

2. Configure Patch Options

Move on to Advanced Patch - Options.

On this screen you can define all necessary default values for your patch process, including the management of pilot and patch groups via Custom Inventory, administrator and escalation email recipients, the vulnerability types you want to deploy, and all time intervals or minimum device counts for patch groups.

Tip: Click on the (i) information buttons to get detailed instructions for every configurable option.

Using Advanced Patch

1. Dashboard

If you are logged in to the five(9)s Console with a user that is a member of a role included in a patch team, the Advanced Patch screen will show up in the console menu:


The first submenu under Advanced Patch is the Dashboard. It gives you all the information you need about your running patch deployments, such as pending or breached approvals, success rates for patch installations, or devices that are not covered by any of your patch groups.

Info: Tiles are often interactive!
Hover over the icons in the upper right corner of the tiles to get more information about the displayed data, or click on the tiles to drill into your patch process and take action.

2. Patch Rollout Templates

Proceed with the creation of a Patch Rollout Template by switching to the section via the menu on the left and choosing Add new template. Rollout Templates are used afterwards to define Patch Groups (groups of devices in your company that need to be handled differently in the patch process). Templates serve as defaults for all those Patch Groups regarding:

  1. How many patch steps/pilot phases do I need?
  2. What is the duration of those steps/pilot phases?
  3. Do I need approvals before AutoFix?



Enter a name for your template and assign it to a Patch Team. Add additional steps as needed, change step durations and decide which steps need an approval. Save your template with a click on OK.

3. Patch Rollout Groups

Patch management repeatedly forces us to take individual groups of devices into account.
Example: your standard clients can be patched differently than highly critical application servers.

Patch Rollout Groups have to reflect the diversity of devices in your company. You could create Rollout Groups for client machines per division, city or country. Alternatively, you could categorize them by installed applications. It is up to you!

Click on Add new group.



Give your group a name and description, choose the assigned patch team (who should manage this patch group in the five(9)s Console) and pick your previously created Rollout Template.


If you want to make changes to your Patch Group later on you can simply edit the group with a click on the pencil icon:


As you can see, by choosing the Patch Template all settings from the template were inherited by the Patch Group:



4. Patch Filter Rules

Patch Filter Rules can be assigned to Patch Groups to decide which patches should and should not be deployed to the group. This is achieved with blacklist and whitelist rules and their combinations.

Info:
  1. If no rule is assigned, all patches will be deployed.
  2. If Whitelists are assigned, only patches that are on at least one Whitelist will be deployed.
  3. If Blacklists are assigned, only patches that are NOT on any of the Blacklists will be deployed.
  4. If you combine Whitelists and Blacklists, only patches that are on at least one Whitelist and NOT on any Blacklist will be deployed.
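As an added example (not part of the five(9)s documentation or product code), the following Python function models the four decision rules above. A filter rule is represented here as a set of vulnerability IDs it matches; all IDs and rule names are constructed sample data, not values from the product.

```python
# Added example: models the Patch Filter Rule decision logic described above.
# A rule is a set of vulnerability IDs it matches (an assumption for this
# example; the real console defines rules via filter conditions).
from typing import Iterable, List, Set

Rule = Set[str]


def patch_allowed(vuln_id: str, whitelists: List[Rule], blacklists: List[Rule]) -> bool:
    """Return True if a vulnerability may be deployed to a Patch Group.

    1. No rules assigned        -> deploy everything.
    2. Only whitelists assigned -> deploy if on at least one whitelist.
    3. Only blacklists assigned -> deploy unless on any blacklist.
    4. Both assigned            -> on at least one whitelist AND on no blacklist.
    """
    # With no whitelists, the whitelist condition is trivially satisfied.
    on_whitelist = not whitelists or any(vuln_id in wl for wl in whitelists)
    # A single blacklist hit is enough to block deployment.
    on_blacklist = any(vuln_id in bl for bl in blacklists)
    return on_whitelist and not on_blacklist


def filter_rollout(vuln_ids: Iterable[str], whitelists: List[Rule], blacklists: List[Rule]) -> List[str]:
    """Apply the assigned rules to the vulnerabilities detected for a group."""
    return [v for v in vuln_ids if patch_allowed(v, whitelists, blacklists)]


# Constructed sample data: detected vulnerabilities and three filter rules.
DETECTED = ["V-0001", "V-0002", "V-0003", "V-0004"]
WL_OFFICE = {"V-0001", "V-0002"}          # whitelist: office suite updates
WL_BROWSER = {"V-0003"}                    # whitelist: browser updates
BL_KNOWN_BREAKING = {"V-0002", "V-0004"}   # blacklist: known to break a business app

if __name__ == "__main__":
    print("no rules:      ", filter_rollout(DETECTED, [], []))
    print("whitelists:    ", filter_rollout(DETECTED, [WL_OFFICE, WL_BROWSER], []))
    print("blacklist:     ", filter_rollout(DETECTED, [], [BL_KNOWN_BREAKING]))
    print("combined:      ", filter_rollout(DETECTED, [WL_OFFICE], [BL_KNOWN_BREAKING]))
```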

Create a new rule by clicking on Add new Rule.


  1. Enter a self-explanatory name
  2. Choose a team that should work with this filter rule
  3. Choose your rule type
  4. Enter a description
  5. Define your filter condition
  6. Click on Preview to check which vulnerabilities are affected by your filter rule

Save your rule by clicking on OK.


Assign your filter rule to a Patch Group by ticking both objects (1) and (2) and clicking the arrow-left icon in the center (3).


It is recommended to document your settings with a change request, so please enter a corresponding Ticket ID and Description for the process. Alternatively, click on Skip.

The filter rule is now assigned to your Patch Group.


Info: All changes to a Patch Group, such as assigned or unassigned Filter Rules, can be retraced in the group's history.

5. Assigning devices to Patch Rollout Groups

Devices are assigned to a Patch Rollout Group using the familiar five(9)s Console feature Custom Inventory. When you activated Advanced Patch by license, we automatically added the patch-related CI objects. Go to the Home screen, select a device and click on Custom Inventory.
Pick a Patch Group and, optionally, a Pilot Group and a User to notify.


What you have to select:

Remember the Patch Rollout Group Patchgroup 59s devices with its included steps:
 

We have an initialization phase followed by two pilot groups and an Autofix step.

1. In the initialization phase, the process simply waits and gives the devices some time to run security scans that determine which patches are needed on each machine.
2. In Pilotgroup 1 or 2, all vulnerabilities defined by your Patch Filter Rules will be installed on machines that are members of Pilotgroup 1 or Pilotgroup 2. This assignment is made in Custom Inventory by selecting Pilotgroup 1 or Pilotgroup 2 from the Pilot Group dropdown list:


Info: The field User to notify gives you the ability to inform the owner of a machine about upcoming patches. This is particularly useful for members of the Pilot Groups, so they can check the applications on their devices for proper functionality. Simply search for the user's Active Directory account to assign them.

3. The Autofix phase will set all vulnerabilities defined by your Patch Filter Rules to Autofix for all devices that are members of the selected Patch Group, independent of the selected Pilot Group.

Info: If you want a device to be a member of Patchgroup 59s devices but of no Pilot Group, use the following configuration:

 

Tip: Mass Actions on the Home screen can be used to assign Patch Groups and Pilot Groups to large device groups with a few clicks.

1. Choose Custom Inventory
2. Search for your devices or pick a Scope or Smart Filter
3. Check the box for Patch Inventory
4. Choose your Patch Group
5. Choose your Pilot Group
6. Click on Update Selected


6. Activate Patch Groups

Now that we have assigned devices to our Patch Group, it is time to activate it so Advanced Patch can start the patch process for our devices.

Go to the Patch Rollout Groups section and click on the pencil icon of your desired group:


Check the Activate box and save your changes with OK.

 

Working with Advanced Patch

1. Patch Rollouts

By default, Advanced Patch checks every 60 minutes for new vulnerabilities that have to be deployed in a patch group:


When the process recognizes newly detected vulnerabilities for machines in a group, it creates a Patch Rollout. Click on the Rollout to display the involved vulnerabilities:


Info: As you can see, the Patch Rollout for the group Patchgroup 59s devices is in the step Initializing and has a vulnerability count of 10.

2. Approvals

If you configured your patch steps (pilot groups or the final Autofix) to need an approval to proceed, all open approvals will be displayed on the Approval screen.

Click on Approve for each Patch Rollout.


Info: Approvals have a timeout; once the defined time has elapsed, they are flagged as breached. You will be notified by email of pending and breached approvals.

3. Suspended and Excluded Vulnerabilities

If you discover problems with patch installations or incompatibilities with your business applications after a system or application update, you can suspend or exclude vulnerabilities from deployment at any time, regardless of the distribution step in which a rollout is currently taking place.

Select the vulnerabilities you want to exclude from the rollout and click on Suspend.


Move to the Excluded or suspended Vulnerabilities screen and decide how to handle these suspended vulnerabilities.


1. Exclude - Excludes the marked vulnerabilities from the rollout in this Rollout Group. The vulnerabilities will be ignored in the future.
2. Create Rule - Creates an exclusion rule (Blacklist) for the selected vulnerability with a single click. This rule can be used for other Patch Groups as well.
3. Reset - Resets the current deployment status of the vulnerability. It will be processed and evaluated again in the next Patch Rollout.
4. Resume - Brings the vulnerability back into the current Patch Rollout and lets it proceed in the step in which it was suspended.

Info: Vulnerabilities cannot be suspended indefinitely. There is a maximum suspension interval setting per Patch Team. After this timeout, a suspended vulnerability will be resumed.


Last Modified Date
02.05.2023

Verified versions
five(9)s Console version 4.4


Tags
  • Patch
  • Advanced Patch

Disclaimer
Even though every care has been taken by five(9)s GmbH to ensure that the information contained in this publication is correct and complete, it is possible that this is not the case. five(9)s GmbH provides the publication "as is", without any warranty for its soundness, suitability for a different purpose or otherwise. five(9)s GmbH is not liable for any damage which has occurred or may occur as a result of or in any respect related to the use of this publication. five(9)s GmbH may change or terminate this publication at any time without further notice and shall not be responsible for any consequence(s) arising there from. Subject to this disclaimer, five(9)s GmbH is not responsible for any contributions by third parties to this publication.
