What is Your Minimum Time To Patch or “Patch Sound Barrier” [BACKUP FROM DEAD GARTNER BLOG]

 

My time this quarter is not only occupied by the exciting realm of big data, but also by the less exciting – but waaaaay more common – problem: security patching.

Here is a thought: every organization on this planet has an upper limit to their patching speed. For example, even if you threaten every sysadmin with torture upon failure and/or offer to pay them a $1m each upon success, there is no way (for example) to patch every Windows system at a large global bank in 3 days. The real situation is of course more nuanced and different systems have different time limits. Patching all Oracle databases within a week of patch release date is as unrealistic as patching all Windows desktops within one day, etc.

So, think of this as a “patching sound barrier”- you can try to break it, but your craft may well shatter to pieces. The knowledge of your limit is important since if your patch management is tied to risk reduction (as it should), and you are trying to reduce risk further by reducing your patching window, there is a point at which you really should stop trying… Also, if you can work *really* hard and shrink your patching window from 90 days to 30 days, meanwhile the attacker gets in within 3 days of patch release date, is your work really justified? Maybe other safeguard should be considered instead.

What factors affect this “patching sound barrier”? They include:

• Size of an organization
• Utilized system types (legacy, traditional, virtual, etc)
• Type of technology being patched (stock Windows desktop vs complex distributed application)
• System Admin/system ratio
• Degree of automation acceptance
• Change management process maturity
• Available patch management tools
• Desired risk balance (risk of patch crashing the system vs risk of unpatched system exploitation).

This limit needs to be taken into account when security recommendations and practices are considered and implemented.

Related blog posts on patching:

• Patch Management – NOT A Solved Problem!
• Next Research Project: From Big Data Analytics to … Patching
• On Nebulous Security Policies (featuring “we patch all systems within 30 days” boondoggle)
• All posts related to patching
• All posts related to vulnerability management.

Monthly Blog Round-Up – September 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

1. “Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
2. “Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
3. “Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
4. My classic PCI DSS Log Review series is popular as well. The series cover a comprehensive log review approach, useful for building log review processes and procedures, whether regulatory or not.
5. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases in depth (the paper link is now RESTORED!)

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on using big data approaches for security:

• More On Big Data Security Analytics Readiness
• Broadening Big Data Definition Leads to Security Idiotics!
• Next Research Project: From Big Data Analytics to … Patching
• 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
• “Big Analytics” for Security: A Harbinger or An Outlier?

 

Past research on incident response:

• My Incident Response Paper Publishes
• On Three IR Gaps
• Fusion of Incident Response and Security Monitoring?
• Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
• Security Incidents vs “IT Problems”
• Top-shelf Incident Response vs Barely There Incident Response
• On SANS Forensics Survey
• Incident Plan vs Incident Planning?
• On Importance of Incident Response
• Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
• Time-tested Incident Response Wisdom?
• Incident Response: The Death of a Straight Line
• Alert-driven vs Exploration-driven Security Analysis
• My Next Research Area: Incident Response

Past research on endpoint detection and investigation tools (ETDR):

• My Paper on Endpoint Tools Publishes
• Endpoint Threat Detection & Response Deployment Architecture
• Essential Processes Around Endpoint Threat Detection & Response Tools
• Named: Endpoint Threat Detection & Response
• Endpoint Threat Indication & Response?
• Endpoint Visibility Tool Use Cases
• On Endpoint Sensing
• RSA 2013 and Endpoint Agent Re-Emergence
• A Quiet Assumption

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

• Monthly Blog Round-Up – August 2013
• All posts tagged monthly.