Patch More or Patch Less: A Hobson's Choice

There are two emerging and opposite patching philosophies: Patch more, or patch less.

Vendors in the Patch More school have, almost overnight, created an entirely new class of software called patch management software. The term means different things to different people (already one vendor has concocted a spin-off, "virtual patch management"), but in general, PM automates the process of finding, downloading and applying patches. Patch More adherents believe patching isn't the problem, but manual patching is. Perfunctory checks for updates and automated deployment, checks for conflicts, roll-back capabilities (in case there is a conflict) will, under the Patch More school of thought, fix patching. PM software can keep machines as up to date as possible without the possibility of human error.

The CISO at a major convenience store chain says it's already working. "Patching was spiralling out of control until recently," he says. "Before, we knew we had a problem because of the sheer volume of patches. We knew we were exposed in a handful of places. The update services coming now from Microsoft, though, have made the situation an order of magnitude better."

Duke University's Rice tested patch management software on 550 machines. When the application told him he needed 10,000 patches, he wasn't sure if that was a good thing. "Obviously, it's powerful, but automation leaves you open to automatically putting in buggy patches." Rice might be thinking of the patch that crashed his storage array on a Compaq server. "I need automation to deploy patches," he says. "I do not want automatic patch distribution."

The Patch Less constituency is best represented by Peter Tippett, vice chairman and CTO of TruSecure. Based on 12 years of actuarial data, he says that only about 2 per cent of vulnerabilities result in attacks. Therefore, most patches aren't worth applying. In risk management terms, they're at best superfluous and, at worst, a significant additional risk.

Instead, Tippett says, improve your security policy - lock down ports such as 1434 that really had no reason to be open - and pay third parties to figure out which patches are necessary and which ones you can ignore. "More than half of Microsoft's 72 major vulnerabilities last year will never affect anyone ever," says Tippett. "With patching, we're picking the worst possible risk-reduction model there is."

Tippett is at once professorial and constantly selling his own company's ability to provide the services that make patching less viable. But many thoughtful security leaders think Tippett's approach is as flawed and dangerous as automated patch management.

"He's using old-school risk analysis," says Burns. "How can you come up with an accurate probability matrix on blended threat viruses using 12 years of data when they've only been around for two years?"

An additional problem with the Patch Less school is the feeling of insecurity it engenders. Not patching is sort of like forgetting to put on your watch and feeling naked all day. Several information executives described an illogical pull to patch, even if the risk equation determined that less patching is equally or even more effective.

There's also an emerging hybrid approach - which combines the patch management software with expertise and policy management. It also combines the costs of paying smart people to know your risks while also investing in new software.

Hernan says: "I can understand the frustration that can lead to the attitude of, 'Forget it, I can't patch everything', but that person's taking a big chance. On the other hand, he's also taking a big chance applying a patch."

"I don't have much faith in automated patching schemes," says Rambus. "But I could be convinced."

Wynn is ambivalent too. "If you think patch management is a cure, you're mistaken. Think of it as an incremental improvement. I have to take a theory of the middle range," he says vaguely.