24/7 online access requirements, the sheer volume of client seats requiring patches (especially at an enterprise level), and surging malware numbers are fuelling the demise of the age-old practice.
“Patching is a deadline of first defense,” Stewart said. “I can’t use patching environments of anti-virus. It’s already the case that we have consumed or over consumed those two technologies in a way to defend.”
In fact, Stewart claimed that it is now mathematically impossible to keep up with the frequency of new malware.
Using Cisco as an example, Stewart said applying patches has become problematic as it requires offline time.
“I rely on my infrastructure, I can’t have it offline,” Stewart said. “[And] I only want to patch it when I can take it offline. Those are very restrictive time frames.”
As well as an expensive one, he added.
“When a company like Cisco is a 73,000 person company, it has 73,000 seats of anti-virus, it’s a phenomenal amount of capital expense.”
Stewart also called on security professionals to share information and collaborate further.
“One of the things I want to be sure of is that you learn from my mistakes so if you’re about to embark on something, you can learn what we learned and hopefully not repeat some of the mistakes we made,” he said.
“Think about what the hacking community is doing. They’re doing that already, we’re just not.”
Patching no longer works, says Cisco CSO
By Negar Salek in the Gold Coast on May 20, 2008 12:55PM