Hi everyone! Long-time reader, first-time poster! Please forgive the following wordy post, but I have some questions regarding managing patches based on severity.
We use a few tools to help manage our environments and I’ve noticed some inconsistencies when it comes to how vendors rate the severity of patches. I’m interested in your input and overall opinion and have a few questions along the way.
As I understood it, that rating is typically dictated from Microsoft directly – on a scale of Critical, Important, Moderate and Low. You can see these ratings within Windows Update and I presume WSUS displays this severity scale as well. (I have not yet used WSUS or SCCM, which will be the plan in the near future so I will know that answer soon enough…)
I have also seen the Exploitability Assessment scale typically listed on CVE bulletins that range from 0-3.
We use Qualys for the majority of scanning, Kenna Security for helping summarize those scan reports and ManageEngine’s software for additional deployment and reporting functions, especially for any 3rd party applications.
It seems some patches that may be considered “Important” by one, are listed by another as “Critical” or have a higher score rating. So I’m wondering if there is any rating system that you trust over the other when it comes to classifying patch severity.
This is important for my use as we write policies that dictate what patches we must schedule for and those we skip based on a lower severity vs a higher risk of patching our production environments.
Additionally, I remember an old rule that after running a manual WU Check for Updates scan, it would return any Critical patches needed with the checkbox automatically checked. However, in recent memory, I’ve seen this happen for “Important” updates in addition to Critical. Should that be the case? Are they now being treated with similar priority in terms of what’s recommended? (Even though I know MS clarifies the differences well.)
What are your thoughts on the aforementioned vendors’ ratings and overall success in patch management?
Thanks!!
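One way to turn the "which rating do I trust" question into a written policy is to normalise every source onto a single ordinal scale, take the worst case, and flag disagreement for review instead of silently preferring one vendor. The script below is an added example for this thread, not code from the poster or from Microsoft, Qualys, Kenna or ManageEngine. It assumes Microsoft's four-step Critical/Important/Moderate/Low scale and Exploitability Index values 0 to 3 (0 = exploitation detected, 1 = more likely, 2 = less likely, 3 = unlikely); the 1-5 scanner severity and the 0-10 score are modelled generically, and the sample findings are constructed placeholders, not real KB numbers or CVEs.

```python
"""Normalise patch-severity ratings from several sources into one
schedule/defer decision, flagging cases where the sources disagree.

Assumptions (this is an illustrative example, not vendor code):
  - Microsoft severity: Critical / Important / Moderate / Low.
  - Microsoft Exploitability Index: 0 detected, 1 more likely,
    2 less likely, 3 unlikely.
  - "scanner_sev" is a generic 1-5 scanner severity; "cvss" is a 0-10
    base score mapped with the usual qualitative bands.
  - Sample findings are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# Common ordinal scale using Microsoft's vocabulary; higher is worse.
MS_SEVERITY = {"low": 0, "moderate": 1, "important": 2, "critical": 3}
NAMES = {v: k for k, v in MS_SEVERITY.items()}


def from_cvss(score: float) -> int:
    """Map a 0-10 score onto the 4-step ordinal (9+ critical, 7+ high, 4+ medium)."""
    if score >= 9.0:
        return 3
    if score >= 7.0:
        return 2
    if score >= 4.0:
        return 1
    return 0


def from_scanner(sev: int) -> int:
    """Assumed mapping of a 1-5 scanner severity onto the 4-step ordinal."""
    return {5: 3, 4: 2, 3: 1}.get(sev, 0)


@dataclass
class Finding:
    patch_id: str
    ms_severity: Optional[str] = None
    exploitability: Optional[int] = None  # Microsoft Exploitability Index 0-3
    cvss: Optional[float] = None
    scanner_sev: Optional[int] = None


def normalize(f: Finding) -> dict:
    """Return {source: ordinal} for every rating the finding carries."""
    out = {}
    if f.ms_severity:
        out["microsoft"] = MS_SEVERITY[f.ms_severity.lower()]
    if f.cvss is not None:
        out["cvss"] = from_cvss(f.cvss)
    if f.scanner_sev is not None:
        out["scanner"] = from_scanner(f.scanner_sev)
    return out


def triage(f: Finding, threshold: int = 2) -> dict:
    """Policy: schedule if any source rates at or above `threshold`
    (default Important) or exploitation is detected/more likely (index 0 or 1);
    otherwise defer. Uses the worst case across sources and records which
    source drove the decision and whether the sources disagreed."""
    ratings = normalize(f)
    worst = max(ratings.values(), default=0)
    reasons = [s for s, v in ratings.items() if v == worst]
    exploit_hot = f.exploitability is not None and f.exploitability <= 1
    if exploit_hot:
        reasons.append(f"exploitability_index={f.exploitability}")
    decision = "schedule" if worst >= threshold or exploit_hot else "defer"
    return {
        "patch": f.patch_id,
        "decision": decision,
        "worst": NAMES[worst],
        "driven_by": reasons,
        "sources_disagree": len(set(ratings.values())) > 1,
    }


# Constructed sample findings (placeholder ids, not real patches).
SAMPLE = [
    Finding("KB-EXAMPLE-1", ms_severity="Important", exploitability=1, cvss=7.5, scanner_sev=4),
    Finding("KB-EXAMPLE-2", ms_severity="Important", exploitability=3, cvss=9.8, scanner_sev=5),
    Finding("KB-EXAMPLE-3", ms_severity="Moderate", exploitability=2, cvss=5.3, scanner_sev=3),
    Finding("KB-EXAMPLE-4", ms_severity="Low", exploitability=0),
]


def run(findings=SAMPLE) -> list:
    """Triage every finding and return the decisions."""
    return [triage(f) for f in findings]


if __name__ == "__main__":
    for row in run():
        print(row)
```

The second sample is the case described in the post: Microsoft says Important while the score-based sources say Critical. The worst-case rule schedules it and `sources_disagree` is set, so the policy review sees the conflict rather than having it resolved by whichever console happened to be open. The fourth shows why the Exploitability Index deserves its own override: a Low-rated patch with exploitation already detected is still scheduled.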