by Sandy Kendall

How Do You Cope with the Patching Predicament?

Mar 01, 2004 | 3 mins
CSO and CISO | Data and Information Security

If, after you look at your software patch strategy awhile, you find yourself unconsciously humming that old Clarence Carter tune “Patches,” it’s probably even more fitting than the title suggests. The poor boy Patches inherits a farm full of vulnerabilities from his dying daddy, and has a whole family depending on his keeping it running. Expenses and threats mount up. Hmm.

At last week’s RSA Security conference, the difficulty of patching corporate systems was a hot topic. Vulnerability assessment company Qualys presented two years’ worth of data showing that it takes a month to halve the number of vulnerable computers connected to the Internet. Similarly, John Gordon, a retired U.S. Air Force General who advises President Bush on Homeland Security, warned that if the industry expects people to heed its security advice, it needs to make it much easier to employ solid security.

Back in August 2003, CSO covered the patching dilemma in a story called “Patch and Pray.” The story pointed out many of the problems inherent in the system, particularly the frequency with which patches are released, the need for rapid deployment for maximal security, and the lack of time to test patches that might end up introducing new problems into the computing environment. Raleigh Burns, security administrator at St. Elizabeth’s Medical Center, told CSO, “Executives think this stuff has a Mickey Mouse GUI, but even chintzy patches are complicated.” And Bob Wynn, CISO of the state of Georgia, said, “We’re between a rock and a hard place. I can’t just automatically deploy a patch. And because the time it takes for a virus to spread is so compressed now, I don’t have time to test them before I patch either.”

In October 2003, Microsoft announced it would revamp its patching procedures, issuing a monthly compilation of fixes and patches instead of the steady flow of one-at-a-timers. This solved the frequency problem, but still left users unhappy about the erratic reliability of the patches and the boy-who-cried-wolf nature of so many things being labeled critical. To say nothing of the ongoing grousing about the need for so many patches in the first place.

Then last month a Yankee Group study showed that it costs, on average, $234 per patch per desktop for a medium-sized to large American company. Yankee analyst Phebe Waterfield, the study’s author, pointed out that between Jan. 2003 and Jan. 2004 Microsoft released 40 desktop-related security patches. If an organization kept totally up to date, diligently installing each patch, that’d be $9,360 a year per desktop, or more than $18 million for an organization with 2,000 desktops. And that doesn’t take into account expenses incurred when a patch interferes with another function or fails altogether. The Yankee Group also found that the per-seat cost for security patching rose with the size of the organization as well as with the size of an organization’s security budget.

None of this is encouraging news, as MyDoom variants echo through the Webosphere. How are you coping? And what do you see as the best (realistic) solution to the patching problem? Let us know, even while you’ve got Clarence’s voice in your ear: “Every night I heard my mama pray: Lord, give him the strength to face another day…”