Patching no longer works, says Cisco CSO
By
Negar Salek in the Gold Coast
20 May 2008 12:55PM
Tags:
auscert
Patching is dead and costly, according to John Stewart, chief security officer at Cisco Systems, who presented a keynote address at the AusCERT conference on the Gold Coast, today.
24/7 online access requirements; sheer volume of client seats requiring patches (especially at an enterprise level,) and surging malware numbers are fuelling the demise of the age-old practice.
“Patching is a deadline of first defense,” Stewart said. “I can’t use patching environments of anti-virus. It’s already the case that we have consumed or over consumed those two technologies in a way to defend.”
In fact, Stewart claimed that to mathematically keep up with the frequency of new malware is now impossible.
Using Cisco as an example, Stewart said applying patches has become problematic as it requires offline time.
“I rely on my infrastructure, I can’t have it offline,” Stewart said. “[And] I only want to patch it when I can take it offline. Those are very restrictive time frames.”
As well as an expensive one he added.
"When a company like Cisco is a 73,000 person company, it has 73,000 seats of anti-virus, it’s a phenomenal amount of capital expense.”
Stewart also called on security professionals to share information and collaborate further.
“One of the things I want to be sure of is that you learn from my mistakes so if you’re about to embark on something, you can learn what we learned and hopefully not repeat some of the mistakes we made,” he said.
“Think about what the hacking community is doing. They’re doing that already, we’re just not.”