<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Grid security still in national spotlight &#8211; Obama declares December Critical Infrastructure Protection Month</title>
	<atom:link href="http://www.coretraceblogs.com/2009-12/grid-security-still-in-national-spotlight-obama-declares-december-critical-infrastructure-protection-month/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com/2009-12/grid-security-still-in-national-spotlight-obama-declares-december-critical-infrastructure-protection-month/</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Thu, 29 Jul 2010 14:53:13 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Toney Jennings</title>
		<link>http://www.coretraceblogs.com/2009-12/grid-security-still-in-national-spotlight-obama-declares-december-critical-infrastructure-protection-month/#comment-558</link>
		<dc:creator>Toney Jennings</dc:creator>
		<pubDate>Fri, 18 Dec 2009 17:01:42 +0000</pubDate>
		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=987#comment-558</guid>
		<description>Thank you for the kind words, Cindy.  I think the market has evolved--largely supported by social media--into one that rewards executives that interact directly with the market.  I love listening to others&#039; opinions and engaging in open discussions/debates like we&#039;ve been having. Everyone--customers, analysts, customers, employees and even competitors--are all far better off from those interactions.</description>
		<content:encoded><![CDATA[<p>Thank you for the kind words, Cindy.  I think the market has evolved&#8211;largely supported by social media&#8211;into one that rewards executives that interact directly with the market.  I love listening to others&#8217; opinions and engaging in open discussions/debates like we&#8217;ve been having. Everyone&#8211;customers, analysts, customers, employees and even competitors&#8211;are all far better off from those interactions.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Cindy Kim</title>
		<link>http://www.coretraceblogs.com/2009-12/grid-security-still-in-national-spotlight-obama-declares-december-critical-infrastructure-protection-month/#comment-552</link>
		<dc:creator>Cindy Kim</dc:creator>
		<pubDate>Thu, 17 Dec 2009 21:04:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=987#comment-552</guid>
		<description>Toney, thanks for the great discussion. I&#039;m glad we agree on two fronts and on the reactive front when it comes to patching, in that manner yes I see your point. On a side note, I frequently write about blogging, especially around executive blogging and I have to say how impressed I am with your blogs and consistency. Keep up the great work.</description>
		<content:encoded><![CDATA[<p>Toney, thanks for the great discussion. I&#8217;m glad we agree on two fronts and on the reactive front when it comes to patching, in that manner yes I see your point. On a side note, I frequently write about blogging, especially around executive blogging and I have to say how impressed I am with your blogs and consistency. Keep up the great work.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Toney Jennings</title>
		<link>http://www.coretraceblogs.com/2009-12/grid-security-still-in-national-spotlight-obama-declares-december-critical-infrastructure-protection-month/#comment-550</link>
		<dc:creator>Toney Jennings</dc:creator>
		<pubDate>Thu, 17 Dec 2009 19:35:57 +0000</pubDate>
		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=987#comment-550</guid>
		<description>Thanks again for the discussion, Cindy. You make great points, and I agree with many of them. At a minimum, we agree on two fronts: the need for application whitelisting and the best practice of patching. 

On the first point, companies need application whitelisting to stop any malware (known or unknown) that enters computers through unknown or unpatched vulnerabilities--or via all the OTHER ways to deposit it (e.g., drive-bys). Patching only stops one of many, many ways for the code to enter the computer.

On the second point, I agree that it is just good common sense to patch known vulnerabilities.  Why leave a door open if you don&#039;t need to do so? Patching is a best practice discipline.  I do believe that anything done in haste is begging for trouble, so I do believe that patches should be thoroughly tested before being deployed and that &quot;emergency&quot; patches should be avoided whenever possible.

Where we differ is on our definitions of &quot;proactive&quot;. When I said that patching is reactive, I meant that you have to wait for a vulnerability, wait for the patch, test the patch and then deploy it. It doesn&#039;t proactively stop anything. You may ultimately stop an attack, but patching isn&#039;t proactive in my book.

Thanks again!  Great discussion.</description>
		<content:encoded><![CDATA[<p>Thanks again for the discussion, Cindy. You make great points, and I agree with many of them. At a minimum, we agree on two fronts: the need for application whitelisting and the best practice of patching. </p>
<p>On the first point, companies need application whitelisting to stop any malware (known or unknown) that enters computers through unknown or unpatched vulnerabilities&#8211;or via all the OTHER ways to deposit it (e.g., drive-bys). Patching only stops one of many, many ways for the code to enter the computer.</p>
<p>On the second point, I agree that it is just good common sense to patch known vulnerabilities.  Why leave a door open if you don&#8217;t need to do so? Patching is a best practice discipline.  I do believe that anything done in haste is begging for trouble, so I do believe that patches should be thoroughly tested before being deployed and that &#8220;emergency&#8221; patches should be avoided whenever possible.</p>
<p>Where we differ is on our definitions of &#8220;proactive&#8221;. When I said that patching is reactive, I meant that you have to wait for a vulnerability, wait for the patch, test the patch and then deploy it. It doesn&#8217;t proactively stop anything. You may ultimately stop an attack, but patching isn&#8217;t proactive in my book.</p>
<p>Thanks again!  Great discussion.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Cindy Kim</title>
		<link>http://www.coretraceblogs.com/2009-12/grid-security-still-in-national-spotlight-obama-declares-december-critical-infrastructure-protection-month/#comment-547</link>
		<dc:creator>Cindy Kim</dc:creator>
		<pubDate>Thu, 17 Dec 2009 05:49:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=987#comment-547</guid>
		<description>Apologies for the delay in my response. I do agree with you that it is a sad state of our endpoint security strategy, especially given the maturity of patch and vulnerability management solutions that have been out there for years. Organizations are still struggling when it comes to prioritizing and implementing the right protection strategy and by that I mean understanding the key technologies necessary to protect against new and existing threats. In our recent Worldwide State of the Endpoint Survey 2010, surprisingly, around 41 percent of the respondents said they did not have PC Management Life Cycle tools in place, including patch management. This goes back to my point. Patch management, while mature, is still the first and last line of defense against new and emerging threats. The bad guys are taking advantage of existing vulnerabilities that companies have not patched to exploit. In your statement, you said patching is a reactive strategy. I disagree. I think if organizations have the right process in place, it can be proactive as most bad guys exploit known vulnerabilities so if companies do their due diligence when it comes to plugging all the known holes, they can remain ahead of the bad guys. However, this is not enough. With zero-day exploits becoming much more common, organizations need more than just one technology to solve all their problems - they need a layered approach - which should include application whitelisting and patch management as their foundational layer.</description>
		<content:encoded><![CDATA[<p>Apologies for the delay in my response. I do agree with you that it is a sad state of our endpoint security strategy, especially given the maturity of patch and vulnerability management solutions that have been out there for years. Organizations are still struggling when it comes to prioritizing and implementing the right protection strategy and by that I mean understanding the key technologies necessary to protect against new and existing threats. In our recent Worldwide State of the Endpoint Survey 2010, surprisingly, around 41 percent of the respondents said they did not have PC Management Life Cycle tools in place, including patch management. This goes back to my point. Patch management, while mature, is still the first and last line of defense against new and emerging threats. The bad guys are taking advantage of existing vulnerabilities that companies have not patched to exploit. In your statement, you said patching is a reactive strategy. I disagree. I think if organizations have the right process in place, it can be proactive as most bad guys exploit known vulnerabilities so if companies do their due diligence when it comes to plugging all the known holes, they can remain ahead of the bad guys. However, this is not enough. With zero-day exploits becoming much more common, organizations need more than just one technology to solve all their problems &#8211; they need a layered approach &#8211; which should include application whitelisting and patch management as their foundational layer.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Toney Jennings</title>
		<link>http://www.coretraceblogs.com/2009-12/grid-security-still-in-national-spotlight-obama-declares-december-critical-infrastructure-protection-month/#comment-505</link>
		<dc:creator>Toney Jennings</dc:creator>
		<pubDate>Wed, 09 Dec 2009 20:39:05 +0000</pubDate>
		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=987#comment-505</guid>
		<description>Thanks for the comment Cindy. 

While I agree with you that patch management and vulnerability won&#039;t go away anytime soon (which is good news for you folks at Lumension), their relative importance in Gartner priorities is an indication of the sad state of our endpoint security strategy. When I talk about the &quot;diminishing effectiveness of patching&quot; I am speaking specifically to the inability of patching to protect against new threats. Patching is a reactive strategy that provides little to no real protection against new and targeted attacks, and the fire drills that companies go through to rush a new patch out are evidence of true lack of protection for our endpoints. It is this problem specifically that whitelisting aims to address.

IT professionals are faced with an interesting dilemma: carefully test and deploy patches and leave yourself open to new attacks for a longer period of time, or rush out patches that can disrupt existing applications and cause other problems. Even in the fastest patch deployment there is still a significant window of exposure to attacks as well as systems that remain un-patched despite IT&#039;s best efforts. The situation is even worse for the systems at the core of the critical infrastructure (e.g., control systems). Most control systems cannot be rebooted or can only be rebooted at specific times in very tight maintenance windows, making unplanned installations of operating system or application patches infeasible.

Will patching go away? No. Would the introduction of an endpoint security technology that actually offered protection against new vulnerabilities change the way that we deploy and maintain patches to our systems? Most certainly. 

I would never imply that AV and patching will go away, but their role as the centerpiece of endpoint security strategy changes as we add true protection against new threats to our endpoints.</description>
		<content:encoded><![CDATA[<p>Thanks for the comment Cindy. </p>
<p>While I agree with you that patch management and vulnerability won&#8217;t go away anytime soon (which is good news for you folks at Lumension), their relative importance in Gartner priorities is an indication of the sad state of our endpoint security strategy. When I talk about the &#8220;diminishing effectiveness of patching&#8221; I am speaking specifically to the inability of patching to protect against new threats. Patching is a reactive strategy that provides little to no real protection against new and targeted attacks, and the fire drills that companies go through to rush a new patch out are evidence of true lack of protection for our endpoints. It is this problem specifically that whitelisting aims to address.</p>
<p>IT professionals are faced with an interesting dilemma: carefully test and deploy patches and leave yourself open to new attacks for a longer period of time, or rush out patches that can disrupt existing applications and cause other problems. Even in the fastest patch deployment there is still a significant window of exposure to attacks as well as systems that remain un-patched despite IT&#8217;s best efforts. The situation is even worse for the systems at the core of the critical infrastructure (e.g., control systems). Most control systems cannot be rebooted or can only be rebooted at specific times in very tight maintenance windows, making unplanned installations of operating system or application patches infeasible.</p>
<p>Will patching go away? No. Would the introduction of an endpoint security technology that actually offered protection against new vulnerabilities change the way that we deploy and maintain patches to our systems? Most certainly. </p>
<p>I would never imply that AV and patching will go away, but their role as the centerpiece of endpoint security strategy changes as we add true protection against new threats to our endpoints.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
