ISC Tip of the day: surviving patching

As part of its August “advice-a-day” series, ISC offered some tips on surviving the monthly patch releases. The advice is somewhat contradictory, but at least for once they present a spectrum of suggestions for dealing with a problem rather than pretending there is only one way.

  • Patch now: whatever pain patching causes will be less than the pain of getting hit by a virus before the patch is applied.
  • Deploy to a representative group, monitor, then deploy to the wider group, but keep the total time-frame short.
  • Prioritize critical services, and laptops, which are more vulnerable.
  • Deploy to a representative group, monitor, then deploy to the wider group, taking 4-6 weeks to complete.
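The four tips are variations on one staged-rollout procedure: pick a representative pilot, patch it, monitor, then widen, with critical services and laptops ahead of the rest, and with the total time-frame anywhere from day zero to six weeks. The Python planner below is an added example written for this page, not code from ISC or from the original post. It assumes a host inventory with a name, a role and a critical-service flag; the inventory, the release date, the per-ring day offsets (the "slow" strategy stretches to about five weeks) and the pilot results are all constructed sample data, and the 10% pilot failure threshold is an arbitrary choice.

```python
"""Staged patch-rollout planner, as an added illustration of the ISC tips above.

Example code written for this page, not ISC's or any vendor's tooling.
Assumed: a host inventory with a name, a role (laptop, server, workstation) and
a flag for critical services. The inventory, dates, ring offsets and pilot
results below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    role: str        # "laptop", "server" or "workstation"
    critical: bool   # runs a service the business cannot afford to lose


# Days after patch release at which each ring is patched. "patch_now" is tip 1,
# "fast_rings" is tips 2 and 3, "slow_rings" is tip 4 (about five weeks end to end).
STRATEGIES: Dict[str, Dict[str, int]] = {
    "patch_now":  {"pilot": 0, "priority": 0, "broad": 0},
    "fast_rings": {"pilot": 0, "priority": 1, "broad": 3},
    "slow_rings": {"pilot": 0, "priority": 7, "broad": 35},
}

# Constructed sample inventory.
INVENTORY: List[Host] = [
    Host("lap-01", "laptop", False),
    Host("lap-02", "laptop", False),
    Host("srv-dc1", "server", True),
    Host("srv-web1", "server", True),
    Host("srv-build", "server", False),
    Host("wks-01", "workstation", False),
    Host("wks-02", "workstation", False),
]


def pick_pilot(hosts: List[Host]) -> List[str]:
    """Representative pilot: the first host (by name) of each role, so every
    hardware/OS profile is exercised while the pilot stays small."""
    chosen: Dict[str, str] = {}
    for h in sorted(hosts, key=lambda x: x.name):
        chosen.setdefault(h.role, h.name)
    return sorted(chosen.values())


def assign_rings(hosts: List[Host]) -> Dict[str, List[str]]:
    """Pilot first; then critical services and laptops (tip 3); then the rest."""
    pilot = set(pick_pilot(hosts))
    rings: Dict[str, List[str]] = {"pilot": [], "priority": [], "broad": []}
    for h in sorted(hosts, key=lambda x: x.name):
        if h.name in pilot:
            rings["pilot"].append(h.name)
        elif h.critical or h.role == "laptop":
            rings["priority"].append(h.name)
        else:
            rings["broad"].append(h.name)
    return rings


def pilot_gate(results: Dict[str, bool], max_failure_rate: float = 0.1) -> bool:
    """The 'monitor' step: True if the pilot's failure rate is acceptable.
    No results means no evidence, so the gate fails closed."""
    if not results:
        return False
    failures = sum(1 for ok in results.values() if not ok)
    return failures / len(results) <= max_failure_rate


def plan(hosts: List[Host], strategy: str, release: date,
         pilot_results: Optional[Dict[str, bool]] = None,
         max_failure_rate: float = 0.1) -> List[Tuple[str, date, List[str], str]]:
    """Return (ring, scheduled date, hosts, status) per ring. Rings scheduled
    after the pilot are 'held' until the pilot results pass the gate; a
    strategy that patches everything on day 0 has nothing to gate."""
    offsets = STRATEGIES[strategy]
    rings = assign_rings(hosts)
    gate_ok = pilot_gate(pilot_results or {}, max_failure_rate)
    schedule = []
    for ring in ("pilot", "priority", "broad"):
        later = offsets[ring] > offsets["pilot"]
        status = "held" if later and not gate_ok else "scheduled"
        schedule.append((ring, release + timedelta(days=offsets[ring]), rings[ring], status))
    return schedule


def demo(strategy: str = "slow_rings") -> List[Tuple[str, date, List[str], str]]:
    """Plan the constructed inventory against a constructed release date and a
    pilot in which one of three hosts failed (a 33% failure rate)."""
    pilot_results = {"lap-01": True, "srv-build": False, "wks-01": True}
    return plan(INVENTORY, strategy, date(2006, 8, 8), pilot_results)


if __name__ == "__main__":
    for ring, when, names, status in demo():
        print(f"{ring:9s} {when}  {status:9s} {', '.join(names)}")
```

Running the file prints the slow-ring schedule with the priority and broad rings held, because one of the three pilot hosts failed. The gate deliberately fails closed on an empty result set: if nobody looked at the pilot, the wider rollout does not proceed, which is the whole point of the "monitor" step in tips 2 and 4.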

Their advice seems to be lacking in preventative steps, though I suppose steps such as "use a personal firewall" or "log in as a limited-rights user" only work against specific types of attack. Seriously, the best way to address the patch cycle isn't to run faster; it's to get off the exercise wheel altogether. Virtual patching may be the answer: a HIPS (host intrusion prevention system) product is used to prevent the client from being vulnerable to the attack in the first place, whether or not the patch has been installed yet. Products like CSA, McAfee HIPS, ISS, and Third Brigade should be closely examined.

I'd be interested in hearing from anyone running one of these products. Do you agree that the need to patch is less once HIPS is deployed, or have you found that not to be the case?