Patch management is a little like flossing your teeth. Everyone knows they're supposed to do it, but most of us still don't.
Some pundits say the simple answer for patching lies in proactivity. Get the patch applied before an incident occurs, and keep the problem from occurring rather than fixing it after the fact. That's a simple truth, but in practice, it's a lot harder to pull off than it sounds. It also contradicts the way security is usually addressed.
Unfortunately, despite all the hype around being proactive and prepared, especially after 11 September, 2001, the reality remains that a majority of security fixes are done retroactively, after an incident has occurred.
One problem is that being proactive often gets confused with being fully automated. This is risky, because they're two very different concepts.
While there is much to recommend with regards to automating portions of the patch process, there are also compelling reasons to support manual intervention as a component of the work flow. There's no doubt that administrators are drowning in a flood of daily threat warnings and patch updates and have valid reasons for not applying every patch immediately.
Too many have been burned by server farms going dark with a collective "blue screen of death" after applying a buggy service pack and are, quite reasonably, skittish about automatically slapping the latest patches on their production servers. Complicating matters are the vendors themselves. Many release vulnerability warnings concurrently with the patch fixes, escalating the urgency of the patch cycle. Yet the patches themselves are often not fully tested and can result in more problems -- such as patches that delete critical third-party agents -- rather than fewer.
The result is that the industry is between a rock and a hard place on the patch issue. Case in point: Six months before SQL Slammer hit companies such as Bank of America and Washington Mutual and brought portions of their automatic teller machine networks to their knees, Microsoft had released a vulnerability warning and a patch. Why hadn't those organisations applied the patch? Were their administrators asleep at the wheel? Far from it. What they need is focused intelligence about which patches to apply -- and when.
