Latent Critical Vulnerabilities

Does it really take a year to patch a critical vulnerability? Simple answer: "Expect it."

Patching ensures information systems can support critical, accurate, and deliberate decision-making in today's fast-paced environment. Oracle's recent patch release, addressing dozens of vulnerabilities, is a reminder that patching alone is not enough to keep systems secure. It is one part of a larger ecosystem: maintenance, governance, defense in depth, and so on.

Face it: Maintenance? Boring.

No poster hero here. Log reviews, patching cycles, rebooting systems in the right order so He-Man down in the mailroom keeps streaming the news… tl;dr. Yet this maintenance is what corrects configuration drift, missed patches, and poor security practices. Any one of these issues alone might not break a security control, but complacency will.
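The drift and missed-patch checks that routine maintenance is supposed to catch can be scripted. The following is an added example, not code from the original post: it compares an observed host state against an expected baseline and reports packages below the required minimum version, settings that diverge from the baseline, and items the host does not report at all. The baseline entries, package versions and hosts are constructed for illustration and do not come from any vendor advisory.

```python
"""Baseline drift and missed-patch check (added example, constructed data)."""
from dataclasses import dataclass, field
import re


def version_key(v: str) -> tuple:
    """Turn '1.10.2-3' into a sortable key so that '1.10' > '1.9'.

    Numeric fragments compare as integers; anything non-numeric (e.g. '1w')
    sorts after numerics. This is a deliberate simplification, not a full
    implementation of any distribution's version-ordering rules.
    """
    key = []
    for part in re.split(r"[.\-+]", v):
        key.append((0, int(part)) if part.isdigit() else (1, part))
    return tuple(key)


@dataclass
class Baseline:
    min_versions: dict  # package -> minimum patched version
    settings: dict      # config key -> required value


@dataclass
class HostState:
    hostname: str
    installed: dict     # package -> installed version
    settings: dict      # config key -> observed value


@dataclass
class DriftReport:
    hostname: str
    missed_patches: list = field(default_factory=list)      # (pkg, have, need)
    divergent_settings: list = field(default_factory=list)  # (key, have, want)
    missing: list = field(default_factory=list)             # items the host did not report

    @property
    def compliant(self) -> bool:
        return not (self.missed_patches or self.divergent_settings or self.missing)


def check_host(baseline: Baseline, host: HostState) -> DriftReport:
    """Compare one host against the baseline; unreported items are flagged, not ignored."""
    report = DriftReport(host.hostname)
    for pkg, need in baseline.min_versions.items():
        have = host.installed.get(pkg)
        if have is None:
            report.missing.append(f"package:{pkg}")
        elif version_key(have) < version_key(need):
            report.missed_patches.append((pkg, have, need))
    for key, want in baseline.settings.items():
        have = host.settings.get(key)
        if have is None:
            report.missing.append(f"setting:{key}")
        elif have != want:
            report.divergent_settings.append((key, have, want))
    return report


# Constructed baseline: hypothetical minimum versions and required settings.
BASELINE = Baseline(
    min_versions={"openssl": "3.0.13", "sudo": "1.9.15", "kernel": "6.1.90"},
    settings={"ssh.PasswordAuthentication": "no",
              "ssh.PermitRootLogin": "no",
              "audit.enabled": "1"},
)

# Constructed host inventory, as a config-management or asset tool might export it.
HOSTS = [
    HostState("web-01",
              {"openssl": "3.0.13", "sudo": "1.9.15", "kernel": "6.1.90"},
              {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
               "audit.enabled": "1"}),
    HostState("web-02",
              {"openssl": "3.0.9", "sudo": "1.9.15", "kernel": "6.1.90"},
              {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
               "audit.enabled": "1"}),
    HostState("legacy-01",
              {"openssl": "1.1.1w", "sudo": "1.8.31"},
              {"ssh.PasswordAuthentication": "no", "audit.enabled": "0"}),
]


def run_checks(baseline: Baseline = BASELINE, hosts=HOSTS) -> list:
    """Return one DriftReport per host, with the non-compliant hosts first."""
    reports = [check_host(baseline, h) for h in hosts]
    return sorted(reports, key=lambda r: r.compliant)


if __name__ == "__main__":
    for r in run_checks():
        status = "OK" if r.compliant else "DRIFT"
        print(f"{r.hostname}: {status}")
        for pkg, have, need in r.missed_patches:
            print(f"  missed patch  {pkg}: have {have}, need >= {need}")
        for key, have, want in r.divergent_settings:
            print(f"  divergent     {key}: is {have!r}, want {want!r}")
        for item in r.missing:
            print(f"  not reported  {item}")
```

Two design choices matter here. A host that does not report a package or setting is flagged as missing rather than silently passing, because "not reported" is exactly how a forgotten box stays unpatched for a year. And versions are compared as split numeric fields, not strings, because a plain string comparison would call "1.9" newer than "1.10" and hide a missed patch.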

Governance

Governance ensures the accountability that prevents that complacency. Without clear ownership, it is easy to be one of the Spider-Men pointing at the other Spider-Men. Powerful systems don't fail because no one cared; they fail because responsibility was never clearly defined or enforced.

Defense in Depth – Pick up the pieces!

Even with strong patching, maintenance, and governance, security can still fail. This is where defense in depth picks up the slack. Like the rabbit hole in "Alice in Wonderland", defense in depth goes deep: no single control is trusted to hold on its own. A solid defense in depth strategy is not built overnight, and it is not built in IT/OT silos.

Patching alone will not keep the sky from falling. As Oracle's patches for critical vulnerabilities show, many large vendors still take a long time to remediate critical vulnerabilities.

Sound familiar? ZombieLoad, anybody? Even in a simple architecture, we still face budget and infrastructure-upgrade delays (TPM 2.0, anyone?).

Old wise ones, how did you deal with this reality?