My time this quarter is not only occupied by the exciting realm of big data, but also by the less exciting – but waaaaay more common – problem: security patching.
Here is a thought: every organization on this planet has an upper limit to their patching speed. For example, even if you threaten every sysadmin with torture upon failure and/or offer to pay them a $1m each upon success, there is no way (for example) to patch every Windows system at a large global bank in 3 days. The real situation is of course more nuanced and different systems have different time limits. Patching all Oracle databases within a week of patch release date is as unrealistic as patching all Windows desktops within one day, etc.
So, think of this as a “patching sound barrier”- you can try to break it, but your craft may well shatter to pieces. The knowledge of your limit is important since if your patch management is tied to risk reduction (as it should), and you are trying to reduce risk further by reducing your patching window, there is a point at which you really should stop trying… Also, if you can work *really* hard and shrink your patching window from 90 days to 30 days, meanwhile the attacker gets in within 3 days of patch release date, is your work really justified? Maybe other safeguard should be considered instead.
What factors affect this “patching sound barrier”? They include:
- Size of an organization
- Utilized system types (legacy, traditional, virtual, etc)
- Type of technology being patched (stock Windows desktop vs complex distributed application)
- System Admin/system ratio
- Degree of automation acceptance
- Change management process maturity
- Available patch management tools
- Desired risk balance (risk of patch crashing the system vs risk of unpatched system exploitation).
This limit needs to be taken into account when security recommendations and practices are considered and implemented.
Related blog posts on patching:
- Patch Management – NOT A Solved Problem!
- Next Research Project: From Big Data Analytics to … Patching
- On Nebulous Security Policies (featuring “we patch all systems within 30 days” boondoggle)
- All posts related to patching
- All posts related to vulnerability management.
