As network managers gear up for Microsoft's monthly patch release Tuesday, vulnerability management experts have a message for them: They can chase all the patches they want. But if their goal is rock-solid security, it's a futile effort.
"People are obsessed with just patching, worrying about viruses and trying to get through the day without an attack," said Dave Piscitello, telecom evangelist for MediaLive International Inc. of San Francisco. "Security is about so much more than that."
At the Next Generation Networks conference in Boston Thursday, Piscitello moderated a panel discussion on future security architectures with Firas Raouf, chief operating officer for Aliso Viejo, Calif.-based eEye Digital Security, and Stuart McClure, president and CTO of Mission Viejo, Calif.-based Foundstone Inc. The trio agreed enterprises need a multi-layered approach that helps prioritize patching needs based on a company's most important assets.
"Organizations need to figure out the acceptable level of risk – what needs protecting and what is most important," Raouf said. "Trying to protect every single asset is like trying to solve world hunger. Every other day there's an announcement for some new vulnerability or worm. This forces us to reach an understanding about what is critical and what is just noise. You can't go after everything."
There are several reasons enterprises can no longer afford to wait for patch releases and then rush to install them, Raouf said. "Patches are becoming more complex to deploy as vendors consolidate fixes into fewer updates, and delays in the release of patches are increasing the possibility of zero-day attacks," he said. "The fact that a firm like [eEye] reports a vulnerability to Microsoft and has to wait up to 220 days for Microsoft to release a patch is concerning. How are you protected in the meantime?"
He outlined three vulnerability management best practices:
- Vulnerability assessment: discover, audit, prioritize and remediate before an attack;
- Vulnerability prevention: deploy, monitor, shield and mitigate during an attack; and
- Vulnerability forensics: capture, analyze, monitor and reconstruct after an attack.
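The prioritization Raouf describes, as an added worked example (not code from the article or from eEye): a small risk-scoring model run over a constructed asset inventory and scan output, which ranks findings, separates this cycle's work from the noise, and tags findings with no vendor fix for shielding rather than patching. The weights, the asset and finding fields, the "shield" action, the handling of hosts missing from inventory, and the coverage figure reported as a simple metric are all assumptions.

```python
# Added example: risk-based patch prioritization over a constructed inventory.
# The scoring model and all data below are assumptions, not the article's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (lab box) .. 5 (revenue-critical)
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # constructed label, not a real advisory ID
    severity: float         # 0.0 .. 10.0, CVSS-style base score
    exploit_public: bool    # worm or working exploit in circulation
    patch_available: bool


# Assumed weights: exposure doubles risk, a public exploit adds 50%.
EXPOSURE_MULT = {True: 2.0, False: 1.0}
EXPLOIT_MULT = {True: 1.5, False: 1.0}

# Constructed inventory and scan output.
ASSETS = [
    Asset("erp-db", criticality=5, internet_facing=False),
    Asset("web-portal", criticality=4, internet_facing=True),
    Asset("lab-vm", criticality=1, internet_facing=False),
]
FINDINGS = [
    Finding("erp-db", "VULN-A", 9.0, exploit_public=False, patch_available=True),
    Finding("web-portal", "VULN-B", 7.5, exploit_public=True, patch_available=False),
    Finding("lab-vm", "VULN-C", 10.0, exploit_public=True, patch_available=True),
    Finding("web-portal", "VULN-D", 4.0, exploit_public=False, patch_available=True),
]


def lookup_asset(by_name, name):
    # A scanned host missing from inventory is itself a finding: assume the
    # worst case so it floats to the top of the list for triage.
    return by_name.get(name, Asset(name, criticality=5, internet_facing=True))


def risk_score(asset, finding):
    return (asset.criticality * finding.severity
            * EXPOSURE_MULT[asset.internet_facing]
            * EXPLOIT_MULT[finding.exploit_public])


def prioritize(assets, findings):
    """Return (score, finding, action) tuples, highest risk first."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        score = risk_score(lookup_asset(by_name, f.asset), f)
        # No vendor fix yet: shield with a host firewall or IPS rule instead
        # of waiting for the patch (the "prevention" phase in the list above).
        action = "patch" if f.patch_available else "shield"
        ranked.append((score, f, action))
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


def triage(ranked, budget):
    """Split the ranked list into this cycle's work and the deferred noise."""
    return ranked[:budget], ranked[budget:]


def risk_coverage(ranked, work):
    """Share of total risk score addressed by the chosen work: a simple metric."""
    total = sum(score for score, _, _ in ranked)
    return sum(score for score, _, _ in work) / total if total else 1.0


if __name__ == "__main__":
    ranked = prioritize(ASSETS, FINDINGS)
    work, deferred = triage(ranked, budget=2)
    for score, f, action in work:
        print(f"{score:6.1f} {f.asset:<11} {f.vuln_id} -> {action}")
    print(f"risk coverage this cycle: {risk_coverage(ranked, work):.0%}")
```

Note how the internet-facing portal with a public exploit and no patch outranks the higher-severity finding on the lab box: the asset weighting is what turns a raw scanner list into a work order, and the "shield" tag is the answer to "how are you protected in the meantime".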
Raouf concluded that protection comes from multiple layers, and described a layered approach to host-level protection: host-level firewalls block unauthorized connections and stop unapproved applications from running, intrusion prevention systems shield assets from unknown attacks without relying on signatures, and vulnerability assessment scanners detect known security issues and policy noncompliance.
McClure pointed out that "vulnerabilities are built into the fabric of human beings. We're not going to make them go away, so we need to manage and mitigate them."
One solution, he said, is to have automated policy enforcement as part of future security architectures. This could help enterprises:
- Detect new devices on the network;
- Assess the health of the device in terms of vulnerabilities, misconfigurations and policy compliance; and
- React by either allowing or denying access to the network.
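The detect, assess and react loop McClure outlines, as an added example rather than any product's code: a posture check over a constructed inventory, one discovery sweep and a set of device-health reports. The posture fields, the policy thresholds, the allow/quarantine/deny outcomes and the fail-closed treatment of devices that cannot be assessed are all assumptions.

```python
# Added example: automated policy enforcement as a detect -> assess -> react
# loop. Posture fields, thresholds and outcomes are assumptions, not a product's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    device_id: str
    agent_present: bool             # False: unmanaged, health cannot be assessed
    missing_critical_patches: int
    host_firewall_on: bool
    av_signature_age_days: int


# Assumed policy: no missing critical patches, firewall on, signatures under a week old.
POLICY = {"max_missing_critical": 0, "max_av_age_days": 7}

# Constructed data: the inventory, one discovery sweep, and the health reports.
KNOWN = {"lap-001", "srv-db"}
SEEN = ["lap-001", "srv-db", "lap-042"]
POSTURES = {
    "lap-001": Posture("lap-001", True, 0, True, 2),
    "srv-db": Posture("srv-db", True, 2, True, 30),
    "lap-042": Posture("lap-042", False, 0, False, 0),
}


def detect_new(known, seen):
    """Step 1: devices on the wire this sweep that are not in inventory."""
    return sorted(set(seen) - set(known))


def assess(p, policy=POLICY):
    """Step 2: return the list of policy violations; empty means healthy."""
    if not p.agent_present:
        return ["no-agent"]
    violations = []
    if p.missing_critical_patches > policy["max_missing_critical"]:
        violations.append("missing-critical-patches")
    if not p.host_firewall_on:
        violations.append("host-firewall-off")
    if p.av_signature_age_days > policy["max_av_age_days"]:
        violations.append("stale-av-signatures")
    return violations


def decide(p, policy=POLICY):
    """Step 3: allow, quarantine (remediation network) or deny, with reasons."""
    violations = assess(p, policy)
    if not violations:
        return "allow", []
    if "no-agent" in violations:
        # Unassessable: fail closed rather than assume the host is fine.
        return "deny", violations
    return "quarantine", violations


def run_cycle(known, seen, postures, policy=POLICY):
    """One enforcement pass; returns {device_id: (decision, reasons)}."""
    results = {}
    for dev in seen:
        # A device with no health report at all is treated like one without an agent.
        p = postures.get(dev) or Posture(dev, False, 0, False, 0)
        results[dev] = decide(p, policy)
    return results


if __name__ == "__main__":
    print("new devices:", detect_new(KNOWN, SEEN))
    for dev, (decision, reasons) in run_cycle(KNOWN, SEEN, POSTURES).items():
        print(f"{dev:<8} {decision:<10} {', '.join(reasons) or '-'}")
```

The design choice worth noting is the fail-closed branch: a device that cannot report its health is denied rather than quarantined, because there is nothing to remediate until it is brought under management.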
"By and large, policy enforcement is a manual process, but products will emerge to automate the task," McClure said. In the meantime, he said, "If you can take the first step and prioritize, you can go a long way toward true security."
He noted that companies have been wanting good risk metrics. "A metric is absolutely vital," he said. "If security wants to be a viable department, it must prove its worth. You need metrics. You can't protect it if you can't measure it."
He concluded, "[Foundstone] believes security is not a goal but a process. You must build it into your day-to-day life. Metrics are an important step in that direction."