Is the value of patch management decreasing? Some experts say that, due to a rise in privately held vulnerabilities, the value of patch management is eroding. Others feel patching is losing the race and becoming too little, too late against the rapid pace of attacker development. I too have chimed in on the topic and stated that patching all vulnerabilities is not economical, as most are never widely exploited. But does this mean we should be looking at alternate paths, away from patch management? I stand firm in support of the end-node update concept, but take a slightly different view of its scope and value.
I see ‘patch management’ as the strategic capability of managing end nodes. I use ‘patches’ as a broad term that includes OS, application, and hardware BIOS upgrades that can improve the security posture of the device. This includes, and is akin to, the widely accepted delivery of security product updates for anti-virus, anti-spyware, firewalls, etc., some of which are updated daily.
Attacks are constantly changing. They normally take advantage of poor coding practices, use designed functionality in unintended ways, or exploit poor end-user judgment. The ability to update systems is crucial to maintaining security equilibrium; it is the support function that lets systems adapt to new threats. This capability has a multitude of benefits, both strategic and tactical. Being able to reach out to systems allows for a better understanding of the number, type, and usage of systems in the environment. An effective system can paint a picture of which systems are at risk. It is a sweeping means to close identified vulnerabilities in deployed code, which reduces the exposure surface. It can be used to respond to compromises and drive clean-up activities. Such services can raise the general security level of a community and may drive toward a more homogeneous security stance, which strongly favors efficiency.
Overall, actively managing end-node security via ‘patch management’ is very important. I doubt any serious security professional is advocating turning off all patch or remote system security updates. The value may vary over time and across different systems, but we have a lot of control in how this capability evolves and the value it returns. We are empowered to maximize the return on investment.
The question still remains, from a measures and metrics perspective: how best can we show and quantify the benefits, efficiency, and value? The industry as a whole has not yet been able to adequately or consistently tackle this challenge. That discussion is fodder for another blog.