Has the value of patch management disappeared?

Is the value of patch management decreasing?  Some experts say, due to a rise in privately held vulnerabilities, the value of patch management is eroding.  Others feel patching is losing the race and becoming too little and too late with the rapid development of attackers.  I too have chimed in on the topic and stated patching all vulnerabilities is not economical, as most are never widely exploited.  But does this mean we should be looking at alternate paths, away from patch management?  I stand firm in support of the end-node update concept, but take a slightly different view of the scope and value.

I see ‘patch management’ as the strategic capability of managing end nodes.  I consider the delivery of ‘patches’ as a broad term which includes OS, application, and hardware BIOS upgrades which can benefit the security posture of the device.  This includes and is akin to the widely accepted delivery of security product updates for anti-virus, anti-spyware, firewalls, etc.  Some of which are updated daily.

Attacks are constantly changing.  They normally take advantage of poor coding practices, use design functionality in unintended ways, or exploit avenues to misguided end-user judgment.  The ability to update systems is crucial to maintain security equilibrium.  It is a support function for systems to adapt to new threats.  This capability has a multitude of benefits, both strategic and tactical.  Being able to reach out to systems allows for a better understanding of the number, type, and usage of systems in the environment.  An effective system can paint a picture of systems at risk.  It is a sweeping means to close identified vulnerabilities in deployed code, which can reduce the exposure surface.  It can be used to respond to compromises and drive clean-up activities.  Such services can raise the general security level of a community and may drive to a more homogenous security stance, which strongly lends towards efficiency.

Mapping ‘patch management’ against a /javascript:; model shows it allows for Prevention of exposure to known vulnerabilities where patches exist.  It can provide Detection capabilities to improve alerting of attempted as well as successful attacks.  Once systems are compromised, this Response function aids in the restoration of services back to a norm state.  The combination of indicators generated in these areas may assist in efficiency improvements and be used to comprehend future trends, therefore providing a potential Prediction opportunity

Overall, actively managing end-node security via ‘patch management’ is very important.  I doubt any serious security professional is advocating turning off all patch or remote system security updates.  The value may vary over time and across different systems, but we have a lot of control in how this capability evolves and the value it returns.  We are empowered to maximize the return on investment.

The question still remains, from a measures and metrics perspective, how best can we show and quantify the benefits, efficiency, and value.  The industry as a whole has yet been able to adequately or consistently tackle this challenge.  That discussion is fodder for another blog.

Published on Categories Archive
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.