Toward the Strategic Security Imperative: Integrating Automated Patch and Vulnerability Management Into an Enterprise-wide Environment
by Lane F. Cooper - Originally published in issue 2 of (IN)SECURE Magazine - Tuesday, 30 August 2005.
The result is a tactical approach to security that is:
  • Fragmented, because it is implemented in a stove-piped fashion in different departments;
  • Manual or minimally automated, because point solutions cannot effectively interact with each other;
  • Disjointed, or at least not well integrated with the applications they are meant to protect; and finally,
  • Blind, in the sense that it is difficult to get a clear, complete and accurate picture of an organization’s security posture.
It is also costly. According to recent research from Yankee Group, it can cost as much as $1 million to manually deploy a single patch in a 1,000-node network environment.

The firm has documented an instance in which an organization spent $2 million to rush a patch in a telecommunications network that had 500,000 nodes.

“What contributes to these costs? It is the manual labor, the fixing of problems, the downtime for businesses while the patches are being deployed,” explains Phebe Waterfield, Senior Analyst, Security Practice, Yankee Group.

Waterfield confirms that many organizations remain highly reactive in their approach to patch management, and therefore have not developed automated and integrated strategies for making sure that the most current measures are in place within the enterprise to deal with known threats to their IT assets. This contributes to a reactive and expensive approach to security that does not make progress toward the goal of reducing an organization’s risk posture.

A Changing Threat Picture

Malicious hackers, authors of viruses and other sources of threats have become a major cost of doing business in the digital economy. Their handiwork is now covered by the mainstream media as well as the business and technology press. Their destructive impact on the economy is measured in the billions – if not trillions – of dollars.

While organizations may be struggling with how to protect their information assets in an integrated and strategic manner, attackers do not suffer from this angst. We are seeing the rise of hybrid threats in which viruses are used as launching points for initiatives that are designed to gather sensitive corporate data and/or execute identity theft.

For instance, spam is being used for phishing (an online con in which a "fake" site is set up to attract victims and solicit sensitive information from end-users), at which point spyware/malware or viruses are planted on consumer computers while the attackers simultaneously gather information that makes it easier to hack into the networks of the organizations they are spoofing.

As a result, we have seen attacks on enterprise networks become much more sophisticated and focused.

“This is why a tactical approach to security simply doesn’t cut it anymore... especially when the threat picture to digital assets in all enterprise environments has become so acute. Where once the hacker community may have been seen as kids playing games, today we see malicious activity that is profit driven in some cases, and guided by fanaticism in others,” notes Moshir.

A Strategic Response

A growing number of large organizations are recognizing the imperative for the IT community in general - and the information security community in particular - to move away from a tactical perspective of their role, and become a more strategic element in their organizations.
