Effective management and deployment of software patches is crucial for maintaining the security and stability of an IT infrastructure. The Patching Strategies included in Tenable Patch Management address various deployment scenarios and considerations.
Recommended Use
You can choose a Patching Strategy template, save it under a descriptive local naming convention, and then customize it as needed. Tenable Patch Management Patching Strategy templates reference objects that include the minimum requirements for a successful patching strategy: Deployment Wave, Deployment Bot, and Patching Process.
Tenable recommends creating a folder to hold all new or customized strategies. This separates them from the strategies provided with the product.
Tenable Patch Management Patching Strategy templates cater to four specific use cases: Approval Types, Rollout Scheduling, User Interaction Settings, and Rollout Phasing. When deciding which Patching Strategy to choose, consider the following example to understand naming:
By offering various combinations of these parameters, the templates are a versatile framework that can accommodate a wide range of patching scenarios.
Minimal customization includes adding the products to patch and a schedule. This flexibility allows for efficient patch management without the need for extensive customization or the creation of new strategies.
- Approval Type: Level of approval needed prior to deployment:
  - No Approval: Deploys at once.
  - Initial Approval: Requires approval prior to deploying.
  - Phased Approval: Requires approval between each wave in the Deployment Waves object.
- Rollout Scheduling: Defines the schedule and impact of a deployment.
  - Immediate: All product patches deploy at once.
  - RiskBased: Targeted and controlled deployment based on specific risk levels (low, medium, high, critical). Schedule and run patch deployments based on risk levels. Uses Deployment Channels.
- User Interaction: Defines permitted user actions related to the patch installation.
  - Mandatory: Alerts the end user who can postpone depending on User Interaction Settings but cannot decline. All product patches deploy at once.
  - Options: Alerts the end user. Otherwise, functionality not available in this release.
- Rollout Phasing: Deploys in separate phases to allow a review before continuing.
Each of these strategies requires an approval step before deploying updates. Except for Risk Based Mandatory Deployment, the Patching Process within these strategies manages the deployment process exclusively and does not use Deployment Channels.
Similarly, the Deployment Bot does not apply any filtering mechanism, so the Patching Process manages all updates related to the products included in the non-risk strategies.
- Initial Approval - Immediate Mandatory Deployment: Approval required prior to deployment, then deploys at once with no user interaction.
- Initial Approval - Immediate Mandatory Phased Deployment: Approval required prior to deployment, then deploys at once in a phased manner, rolling out to each wave of business units sequentially with no user interaction control.
- Initial Approval - Immediate Optional Deployment: Approval required prior to deployment, then deploys at once in a phased manner, rolling out to each wave of business units sequentially. User interaction allowed.
- Initial Approval - Risk-Based Mandatory Deployment: Approval required prior to deployment, and then deploys at once to all devices in the targeted business units based on the patch risk levels. Uses both Deployment Waves and Deployment Channels. Higher-risk updates have priority in high-frequency Deployment Channels. Lower-risk updates belong to lower-frequency Channels. Also uses Deployment Bot to filter patches based on risk level, and then sends the final wave to the proper Deployment Channels. Ensures processing and deployment of the final wave through the most suitable Deployment Channel and adds a layer of control and customization to the deployment process.
Each of these strategies requires no approval before deploying updates. Except for Risk Based Mandatory Deployment, the Patching Process within these strategies manages the deployment process exclusively and does not use Deployment Channels.
Additionally, the Deployment Bot does not apply any filtering mechanism, so the Patching Process manages all updates related to the products included in the non-risk strategies.
- No Approval - Immediate Mandatory Deployment: No approval needed prior to deployment. Deploys at once with no user interaction.
- No Approval - Immediate Mandatory Phased Deployment: No approval needed prior to deployment. Deploys at once in a phased manner, rolling out to each wave of Business Units sequentially. No user interaction.
- No Approval - Immediate Optional Deployment: No approval needed prior to deployment. Deploys at once to all devices in the targeted business unit. User interaction allowed.
- No Approval - Risk-Based Mandatory Deployment: No approval needed prior to deployment. Deploys at once to all devices in the targeted business units based on the patch risk levels. No user interaction. Uses both Deployment Waves and Deployment Channels. Higher-risk updates have priority in high-frequency Deployment Channels. Lower-risk updates belong to lower-frequency Channels. Also uses Deployment Bot to filter patches based on risk level, and then sends the final wave to the proper Deployment Channels. Ensures processing and deployment of the final wave through the most suitable Deployment Channel and adds a layer of control and customization to the deployment process.
Each of these strategies requires phased approvals before deploying updates. Except for Risk Based Mandatory Deployment, the Patching Process within these strategies manages the deployment process exclusively without using Deployment Channels.
Similarly, the Deployment Bot does not apply any filtering mechanism, so the Patching Process manages all updates related to the products included in the non-risk strategies.
- Phase Approval - Immediate Mandatory Phased Deployment: Approval required between each wave of the deployment, and then deploys the updates in a phased manner, rolling out to each wave of business units sequentially. No user interaction.
- Phase Approval - Risk-Based Mandatory Deployment: Approval step required between each wave of the deployment, and then deploys the updates at once to all devices in the targeted business units based on risk levels. No user interaction.
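
The template names listed on this page follow one pattern (approval type, then scheduling, user interaction, and optional phasing), so a local inventory of strategy names can be decoded and checked for change control. The following is an added example, not Tenable code or a product API; `decode_strategy`, `without_approval_gate`, and the `Strategy` fields are hypothetical names, and the derived flags encode only what this page states about Deployment Channels and Deployment Bot filtering.

```python
import re
from dataclasses import dataclass

# Vocabulary comes from the template names on this page. Spelling variants that
# appear on the page ("Phase"/"Phased", "Risk-Based"/"RiskBased") are normalised.
NAME_RE = re.compile(
    r"(?P<approval>no|initial|phased?)\s+approval\s+-\s+"
    r"(?P<sched>immediate|risk[- ]?based)\s+"
    r"(?P<inter>mandatory|optional)"
    r"(?P<phased>\s+phased)?\s+deployment",
    re.IGNORECASE,
)
APPROVAL = {"no": "No Approval", "initial": "Initial Approval",
            "phase": "Phased Approval", "phased": "Phased Approval"}


@dataclass(frozen=True)
class Strategy:
    approval: str        # No Approval / Initial Approval / Phased Approval
    scheduling: str      # Immediate / Risk-Based
    interaction: str     # Mandatory / Optional
    phased: bool         # "Phased" appears in the rollout part of the name
    uses_channels: bool  # page: only risk-based strategies use Deployment Channels
    bot_filters: bool    # page: the Deployment Bot filters only in risk-based strategies


def decode_strategy(name: str) -> Strategy:
    """Decode '<Approval> - <Scheduling> <Interaction> [Phased] Deployment'."""
    m = NAME_RE.fullmatch(name.strip())
    if m is None:
        raise ValueError(f"not a recognised template name: {name!r}")
    risk = m["sched"].lower().startswith("risk")
    return Strategy(
        approval=APPROVAL[m["approval"].lower()],
        scheduling="Risk-Based" if risk else "Immediate",
        interaction=m["inter"].capitalize(),
        phased=m["phased"] is not None,
        uses_channels=risk,
        bot_filters=risk,
    )


def without_approval_gate(names):
    """Change-control view: names whose strategy deploys with no approval step."""
    return [n for n in names if decode_strategy(n).approval == "No Approval"]


if __name__ == "__main__":
    # Constructed sample: names copied from the lists above, as a local inventory.
    for n in ["Initial Approval - Risk-Based Mandatory Deployment",
              "Phase Approval - Immediate Mandatory Phased Deployment"]:
        print(n, "->", decode_strategy(n))
```

A strategy saved under a local name that drops the template wording raises `ValueError`, which is a prompt to record its parameters separately rather than infer them from the name.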