Security Manager's Journal: Without patch management, you are nothing.

You may have an extremely sophisticated security program in place, but it's all for naught without patch management.

Does it all come down to patch management? As a security manager, I pursue many initiatives, striving to protect the company on many fronts. But patch management is a key metric of our risk exposure, since there is a direct correlation between security incidents and patch compliance. So, in a way, it does all come down to something as basic as patch management, because if we fail there, we can't be secure.

Of course we have a patch management policy, but I've been frustrated in trying to get our various IT and engineering departments to comply with it.

I'm not even talking about the impossibility of patching the control PCs that are connected to tools running in our labs and our engineering departments. There, we need to maintain older versions of operating systems to support legacy products. We can't keep those patched, and I accept that.

Instead, I'm talking about things like the deployment of new virtual servers. When we first talked about implementing virtualization, it was agreed that we would keep on top of the security patches for the images used to deploy new virtual servers. At first that process was followed, but it's very easy to bypass the formal change-control process when deploying new servers, and as time went by, I started noticing that some virtual servers didn't have the latest patches.

A year ago, when the patch process was running smoothly (the honeymoon phase), I authorized the disabling of Windows Update so that we could use Microsoft System Center Configuration Manager to handle updates. It seemed like a reasonable response to a big problem: Some PCs didn't operate properly after the automatic downloads. Better to disable the automatic updates in favor of a testing and validation process. That way, we could push out patches only when we were sure that potential problems had been mitigated. That led to a new problem, though: It could take weeks, if not a month, to deploy patches that had to be tested and validated first; so much for timely patching. As you would expect, the delays led to an increase in security incidents.

But we could institute some compensating controls. I told the IT department to identify the IP addresses or machine names of PCs that weren't patched properly and add them to watch lists for our intrusion-detection sensors to monitor. And because we don't have full IDS coverage, I also ordered the installation of a host-based intrusion-detection agent. I'm also talking to our network team about creating a separate quarantine virtual LAN with appropriate firewall rules to protect our main corporate environment from attacks targeting vulnerable servers.

Get the NAC

But even with these new policies in place, along with our Web content filtering, firewalls and network monitoring infrastructure, we still have a big problem: We have no control over the connection of unauthorized devices to our network. Anyone at all can connect any sort of device to our network -- and then introduce malware or steal intellectual property.

My great hope is that we can implement network access control someday soon. NAC would enable us to guarantee the configuration of any device that attempted to connect to our network (preadmission NAC). It would also establish the identity of the user of that device and control which resources that device could access (postadmission NAC). NAC is on my road map, but unfortunately, there's no funding available at this time. For now, it is the Nirvana I aspire to.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Join the CSO newsletter!

Error: Please check your email address.

Tags patchingsecuritynetwork access control (NAC)

More about etworkIntrusionLANMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Mathias Thurman

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place