Myth #1: You can patch yourself to safety
The theory behind patch management is simple: Patch vulnerabilities before the bad guys can exploit them. Unfortunately, it's also impractical and idealistic for most environments.
"There's a great Pennsylvania Dutch proverb that says, 'The hurrieder I go, the behinder I get,'" says Oracle CSO Mary Ann Davidson. "Nobody can keep up with security patches. It's just too overwhelming."
Most would agree that patching is a critical step in the identify-assess-remediate-defend lifecycle of vulnerability management. What's more, recent research shows that enterprises are getting better at patching. According to vulnerability management firm Qualys, over the past year, organizations have reduced the "half-life" of critical vulnerabilities (the exposure window for worms and automated attacks) on externally facing systems from 30 to 21 days. This appears to be great progress--until you realize that the interval between a vulnerability's discovery and the appearance of an exploit is now 10 days or less.
The problem is that too many IT and security managers view patching as a binary function--a system is either patched/secure or unpatched/vulnerable, which puts unrealistic pressure on patch management systems (be they manual or automated) to efficiently and systematically prioritize and deploy fixes.
"Patching is blatantly bad news," says Ron Moritz, senior VP and chief security
For one thing, effective patching relies on accurate asset management, which most organizations lack. Automated patch management systems can help, but most lack the intelligence to correlate vulnerabilities, threats and patch deployment status.
Perhaps most importantly, the patch philosophy flies in the face of harsh business realities, in which uptime and productivity are valued far more than exposure management. Put another way, your CEO may proclaim, "Security is the foundation of our business," but, when push comes to shove, nobody is taking the accounts receivable database offline during earnings reporting season--SQL vulnerability or not.
A better approach views patching as part of the risk management continuum. Moritz argues for a "situational command center" approach in which risk scenarios are constantly simulated and modeled. That way, when patching takes a backseat to the need for uptime, you've already got a workaround in place--for instance, temporary system isolation at the router level.
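As an added example that is not part of the article, a small Python triage routine that treats patching as one decision on the risk management continuum in the way Moritz describes: it correlates vulnerability severity, exposure, exploit availability and a business change freeze, and returns a compensating control (the router-level isolation mentioned above) when the patch has to wait. The asset records, scoring weights and action names are constructed for illustration.

```python
from dataclasses import dataclass

# The article puts the disclosure-to-exploit interval at 10 days or less, so
# past that point we assume an exploit exists whether or not one has been seen.
EXPLOIT_LAG_DAYS = 10

@dataclass
class Asset:                       # constructed inventory record
    name: str
    external: bool                 # internet-facing?
    vuln_severity: str             # "critical" | "high" | "medium"
    days_since_disclosure: int
    exploit_public: bool
    in_freeze: bool                # business change freeze (e.g. earnings reporting)
    patched: bool = False

def triage(a: Asset) -> dict:
    """Decide one asset's action, plus a compensating control if patching must wait."""
    if a.patched:
        return {"asset": a.name, "action": "none", "control": None, "score": 0}
    score = {"critical": 3, "high": 2, "medium": 1}[a.vuln_severity]
    if a.external:
        score += 2                 # exposure window matters most on the perimeter
    if a.exploit_public or a.days_since_disclosure >= EXPLOIT_LAG_DAYS:
        score += 2                 # threat is real, not theoretical
    if score >= 5 and not a.in_freeze:
        return {"asset": a.name, "action": "patch-now", "control": None, "score": score}
    if score >= 5:
        # Uptime wins during the freeze: apply the pre-planned workaround instead.
        return {"asset": a.name, "action": "patch-after-freeze",
                "control": "isolate-at-router", "score": score}
    return {"asset": a.name, "action": "patch-next-window", "control": None, "score": score}

def plan(assets):
    """Rank all decisions so the most exposed, most threatened assets come first."""
    return sorted((triage(a) for a in assets), key=lambda d: d["score"], reverse=True)

SAMPLE = [  # constructed sample inventory
    Asset("ar-db", False, "critical", 12, False, True),     # the AR database in earnings season
    Asset("web-01", True, "high", 3, True, False),
    Asset("intranet-wiki", False, "medium", 2, False, False),
    Asset("mail-gw", True, "critical", 1, False, False, patched=True),
]

if __name__ == "__main__":
    for d in plan(SAMPLE):
        print(d)
```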
This was first published in January 2005