
Don't have a patch attack

IT managers should stop trying to patch everything and focus instead on multi-layered security architecture, experts said at the NGN conference in Boston.

As network managers gear up for Microsoft's monthly patch release Tuesday, vulnerability management experts have a message for them: They can chase all the patches they want. But if their goal is rock-solid security, it's a futile effort.

"People are obsessed with just patching, worrying about viruses and trying to get through the day without an attack," said Dave Piscitello, telecom evangelist for MediaLive International Inc. of San Francisco. "Security is about so much more than that."

At the Next Generation Networks conference in Boston Thursday, Piscitello moderated a panel discussion on future security architectures with Firas Raouf, chief operating officer for Aliso Viejo, Calif.-based eEye Digital Security, and Stuart McClure, president and CTO of Mission Viejo, Calif.-based Foundstone Inc. The trio agreed enterprises need a multi-layered approach that helps prioritize patching needs based on a company's most important assets.


"Organizations need to figure out the acceptable level of risk – what needs protecting and what is most important," Raouf said. "Trying to protect every single asset is like trying to solve world hunger. Every other day there's an announcement for some new vulnerability or worm. This forces us to reach an understanding about what is critical and what is just noise. You can't go after everything."

There are several reasons enterprises can no longer afford to wait for patch releases and then rush to install them, Raouf said. "Patches are becoming more complex to deploy as vendors consolidate fixes into fewer updates, and delays in the release of patches are increasing the possibility of zero-day attacks," he said. "The fact that a firm like [eEye] reports a vulnerability to Microsoft and has to wait up to 220 days for Microsoft to release a patch is concerning. How are you protected in the meantime?"

He outlined three vulnerability management best practices:

  • Vulnerability assessment: discover, audit, prioritize and remediate before an attack;
  • Vulnerability prevention: deploy, monitor, shield and mitigate during an attack; and
  • Vulnerability forensics: capture, analyze, monitor and reconstruct after an attack.

Raouf concluded that multiple layers ensure absolute protection and described a layered approach to host-level protection: host-level firewalls prevent unauthorized connectivity and applications from running; intrusion prevention systems shield assets from unknown attacks without the use of signatures; and vulnerability assessment scanners detect known security issues and policy noncompliance.

McClure pointed out that "vulnerabilities are built into the fabric of human beings. We're not going to make them go away, so we need to manage and mitigate them."


One solution, he said, is to have automated policy enforcement as part of future security architectures. This could help enterprises:

  • Detect new devices on the network;
  • Assess the health of the device in terms of vulnerabilities, misconfigurations and policy compliance; and
  • React by either allowing or denying access to the network.

"By and large, policy enforcement is a manual process, but products will emerge to automate the task," McClure said. In the meantime, he said, "If you can take the first step and prioritize, you can go a long way toward true security."

He noted that companies have been lacking good risk metrics. "A metric is absolutely vital," he said. "If security wants to be a viable department, it must prove its worth. You need a metric. You can't protect it if you can't measure it."

He concluded, "[Foundstone] believes security is not a goal but a process. You must build it into your day-to-day life. Metrics is an important step in that direction."
