Is patch management the best protection against vulnerabilities? No

Sana Security's Steven Hofmeyr says patch management has failed and host-based intrusion prevention is the answer.

Currently, the most widespread means of preventing intrusions is patching, and it's failing miserably. The number of security incidents reported to CERT has grown exponentially over the past six years, reaching an all-time high of 137,529 in 2003, which was also the year that the Blaster and MS-SQL Slammer worms caused widespread devastation. Patch management seeks to address these issues through automation that lets patches be installed rapidly and without Herculean human effort. But patch management is of limited benefit. Consider the following:


•  Faulty patches can bring down critical servers and cost more to an organization than a security breach. This is an all-too-common scenario: An analysis by WireX Communications and Zero Knowledge Systems indicates that one-fifth of all new patches are revised. Hence, it is very risky to immediately deploy a patch without thorough regression testing to make sure the patch will not cause damage.

•  Sometimes vendors do not develop a patch because they mistakenly regard a vulnerability as unimportant or they do not have the time and resources to do so. As of June 2003, there were 19 unpatched vulnerabilities in Microsoft's Internet Explorer. Many of these were serious and resulted in costly breaches and inconvenience to users.

•  Some vulnerabilities cannot be fixed by patching. Patch management will not correct vulnerabilities caused by misconfiguration, such as default settings that allow access to systems that should be restricted.

•  Vendors cannot develop a patch if they are unaware of the vulnerability. Most vulnerabilities are discovered by non-vendor third parties. Legitimate researchers follow responsible-disclosure guidelines, giving vendors time to develop patches before announcing vulnerabilities. Unfortunately, some parties release vulnerability information without informing vendors beforehand. In these cases, patch management is useless because it only can protect against vulnerabilities the vendor knows about well before the attackers.

•  New hacker tools are reducing the patching window. These tools let attackers automatically reverse-engineer a patch to determine what was fixed and develop an exploit, sometimes within hours of patch release. Even using patch management, deployment speed is constrained by regression testing.

There is an effective alternative to patch management: host-based intrusion-prevention systems (IPS). IPSs that reside on host computers monitor the behavior of running software and block any deviations from a profile of normal or allowed behavior, requiring no prior knowledge of vulnerabilities. IPSs overcome all the limitations of patch management: They block attacks against unpatched vulnerabilities and provide protection immediately, so there is no window of opportunity for the attacker. Patch management is a useful tool for reducing the cost and time involved in patching, but it is a flawed security solution that offers limited protection. For comprehensive protection, IPSs are a much better answer.
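The behavior-profiling approach the column describes, shown as an added toy example (not Sana Security's product or code): the profile is simply the set of short system-call sequences observed while a program runs normally, and a new trace is judged by how many of its sequences fall outside that set, with no knowledge of any specific vulnerability. The traces, the window length and the threshold are constructed for illustration; the third check shows the trade-off a real deployment has to tune, since a legitimate but previously unseen sequence also registers as a deviation.

```python
"""Toy host-based anomaly profile: learn normal call sequences, flag deviations.

Added illustration only. The traces are constructed sample system-call
sequences for a small network service, not real recordings."""

WINDOW = 3  # length of the consecutive-call sequences stored in the profile

# Constructed "normal" behaviour: accept a connection, read the request,
# write the answer, close.
NORMAL_TRACES = [
    ["accept", "read", "write", "close"],
    ["accept", "read", "read", "write", "close"],
    ["accept", "read", "write", "write", "close"],
]


def windows(trace, n=WINDOW):
    """Yield every length-n sequence of consecutive calls in a trace."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])


def build_profile(traces):
    """The profile of normal behaviour is the set of sequences seen in training."""
    profile = set()
    for trace in traces:
        profile.update(windows(trace))
    return profile


def check_trace(profile, trace, threshold=1):
    """Count sequences absent from the profile.

    Returns (mismatches, blocked): blocked is True when the mismatch count
    reaches the threshold, which is the point where an IPS would intervene.
    A threshold of 1 blocks every deviation, including legitimate behaviour
    that simply was not seen during training (a false positive)."""
    mismatches = sum(1 for w in windows(trace) if w not in profile)
    return mismatches, mismatches >= threshold


PROFILE = build_profile(NORMAL_TRACES)

if __name__ == "__main__":
    # The service suddenly executing a program deviates in three windows.
    print(check_trace(PROFILE, ["accept", "read", "execve", "write", "close"]))
    # A longer but harmless read sequence deviates in one window.
    print(check_trace(PROFILE, ["accept", "read", "read", "read", "write", "close"]))
```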

Hofmeyr is founder and chief scientist with Sana Security, a host-based IPS company. He can be reached at


Copyright © 2004 IDG Communications, Inc.
