In recent years, the common wisdom has been that keeping up-to-date on software patches is key to safeguarding a company's networks against viruses, worms and other pests. But with dozens of flaws being discovered each week, that approach has turned out to be a Herculean task.
That has network administrators, as well as providers of security products, looking beyond patch management for protection.
The race to plug network holes before attackers use them is becoming a heavy burden on system administrators.
Network managers are returning to an older strategy, which calls for defensive measures on many levels of the network, to meet the challenge.
"Five years ago, patch management was not a (priority) for operations people. But then the worms came out, and it was patch everything you can and as fast as you can," said Gerhard Eschelbeck, chief technology officer at Qualys, a security information provider. "Now we've entered a phase of being more selective about patching."
These days, security professionals are returning to an older strategy, which calls for defensive measures on many levels of the network, from the gateway to the employee's PC.
The technique taps into a wide array of new security technologies to throw up multiple barriers to virus writers and online intruders. And there's a bonus: Widespread defenses like these will likely buy system administrators more time to test and apply software fixes.
In some cases, administrators using patch management have to move so fast to install a fix that they aren't able to test it beforehand.
"People often feel squeezed. Sometimes there are cases where they can't patch quickly enough. There may be an exploit out there before you can get your systems patched," said Jason Chan, a moderator of the mailing list Patch Management.org, who is also a consultant at security company Symantec.
That's despite the fact that patches have frequently caused additional problems within corporate networks by turning off needed functions, or because the fixes themselves have had flaws.
Back in 2004, Todd Towles, a network systems analyst for a medium-size retail chain, was overseeing 40 Windows NT workstations that were a low patching priority, since most security threats focused on Windows XP and 2000. One time, he patched the systems before fully testing the fix and immediately encountered problems.
Security experts tend to take a multilevel approach to protecting the digital equivalent of a company's crown jewels, defending systems even after an intruder has gained access.
Network: Firewalls and intrusion detection systems protect a community of systems against attack.
System: Antivirus systems and personal firewalls limit attacks on individual PCs.
Data: Encryption, backups and integrity scanning all help to make sure data isn't accessed, changed or deleted by unauthorized users.
Identity: Strong passwords and a second ID check, such as smart cards, are increasingly used to keep attackers out.
Source: CNET News.com
"Five of them blue-screened on reboot, which didn't go over well with the professionals who were using them," Towles said.
He had to rebuild the operating systems on the five workstations himself--a task that convinced Towles to adopt the broader defense strategy.
In addition to patching, that strategy typically involves a combination of technologies, such as host-based firewalls, intrusion detection and prevention systems, antivirus software, and encryption, as well as configuring systems to be robust against attacks.
But there are trade-offs. Experts have argued that this "defense in depth" approach can lead to increased technology costs and complexity, seen as a major burden by IT professionals. "There has to be a focus on easing the administrator's experience," said Richard Threlkeld, an information engineer at Qualcomm, a San Diego-based digital-wireless-technology company. "A lot of tools that are out there are such a hassle to use."
Security product providers are doing their part to help the shift. Many are moving away from signature-based techniques, in which software