The analyst's warning came after the release of NIST's latest bulletin summarizing recommendations for patch and vulnerability management (VM), referencing SP 800-40, version 2. NIST recommended that organizations implement a systematic, accountable and documented process for managing exposure to vulnerabilities through the timely deployment of patches.
Gartner Director Amrit T. Williams pointed out that the analyst firm has advised clients to implement an effective VM program for several years.
"We still believe that VM is essential to improving organizational security. SP 800-40, version 2, maps well to the Gartner VM life cycle. However, organizations must understand the deficiencies in the NIST model before they can address the changing threat and vulnerability landscape in an increasingly heterogeneous and complex IT environment," said Williams. "NIST 800-40 suggests dealing with vulnerabilities through patching. But NIST 800-40 does not account for conditions in which patch management is not effective, such as networking devices, large commercial applications and database systems, embedded appliances, service-oriented architectures and application service providers."
Williams went on to stress that an effective VM program needs to address all environmental elements - not just those under patch-management control. Organizations considering NIST 800-40 will need to augment their VM programs by incorporating shielding controls, he advised.
Williams said: "Security products such as network- and host-based intrusion prevention systems, network and host-based firewalls, and networking devices such as routers can be configured to prevent an attack as a first step prior to deploying the patch, and as an effective response to a critical vulnerability with exploit code in the wild."
According to Gartner, organizations turning to NIST 800-40 for guidance should expand their VM activities to include networking devices, commercial enterprise and database applications, and internally developed web applications (many of which cannot be patched in the same manner as Windows servers and desktops).
Firms also need to understand the technical and logistical limitations of patching, as well as the potential for system disruption from rapid patching, and prepare for conditions in which patch management will not be an effective response to a threat, the firm said.
Additionally, the analyst advised firms to incorporate shielding and mitigation controls as their initial response both to critical vulnerabilities with exploit code in the wild and to elements that cannot be patched at all.
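As an added illustration of the response ordering Gartner describes (shield first where exploit code is public, patch through the normal cycle where patch management works, and fall back to compensating controls for elements that cannot be patched), the following Python script triages a small vulnerability inventory. It is example code written for this page, not a tool from Gartner, NIST or the article; the asset classes, the severity thresholds, the shielding-control catalogue and the inventory records are all assumptions constructed for the example.

```python
# Added example, not from the article: apply the shield-vs-patch ordering
# to a vulnerability inventory. Asset classes, thresholds, the control
# catalogue and the sample records are assumptions made for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Action(Enum):
    SHIELD_THEN_PATCH = "shield now, then patch"
    PATCH = "patch in the normal cycle"
    SHIELD_ONLY = "shield now; no patch path yet, track a compensating control"
    MONITOR = "track; no immediate action"


@dataclass(frozen=True)
class Vuln:
    asset: str
    asset_class: str       # e.g. "windows_server", "network_device", "database", "web_app_internal"
    severity: str          # "critical" | "high" | "medium" | "low"
    exploit_public: bool   # exploit code observed in the wild
    patchable: bool        # fixable through the routine patch-management process
    patch_available: bool  # a vendor or in-house fix exists today


# Hypothetical catalogue mapping an asset class to the shielding control that
# would block the attack before a patch lands (network/host IPS, firewalls, router ACLs).
SHIELD_FOR_CLASS: Dict[str, str] = {
    "windows_server": "host IPS or host firewall rule",
    "windows_desktop": "host IPS or host firewall rule",
    "network_device": "router ACL or upstream firewall rule",
    "database": "host firewall limiting the listener to the application tier",
    "web_app_internal": "network IPS signature in front of the application",
    "appliance": "network IPS or firewall rule",
}

URGENT = {"critical", "high"}


def triage(v: Vuln) -> Action:
    """Decide the first response for one vulnerability record."""
    urgent = v.severity in URGENT
    patch_path = v.patchable and v.patch_available
    if urgent and v.exploit_public:
        # Exploit in the wild: block at the network/host layer first, patch afterwards.
        return Action.SHIELD_THEN_PATCH if patch_path else Action.SHIELD_ONLY
    if patch_path:
        # No public exploit: the normal, tested patch cycle is acceptable.
        return Action.PATCH if v.severity != "low" else Action.MONITOR
    if urgent:
        # Urgent but either unpatchable or no fix has shipped yet: shield and compensate.
        return Action.SHIELD_ONLY
    return Action.MONITOR


def plan(vulns: List[Vuln]) -> List[Dict[str, str]]:
    """Build an ordered work list: shielding tasks come before patch tasks."""
    order = {Action.SHIELD_THEN_PATCH: 0, Action.SHIELD_ONLY: 1, Action.PATCH: 2, Action.MONITOR: 3}
    rows = []
    for v in vulns:
        action = triage(v)
        needs_shield = action in (Action.SHIELD_THEN_PATCH, Action.SHIELD_ONLY)
        control = SHIELD_FOR_CLASS.get(v.asset_class, "network firewall rule") if needs_shield else "-"
        rows.append({"asset": v.asset, "action": action.value, "shield": control})
    rows.sort(key=lambda r: order[Action(r["action"])])  # stable sort keeps input order within a tier
    return rows


# Constructed sample inventory (not real assets): one record per asset class the article names.
SAMPLE_INVENTORY = [
    Vuln("fs01", "windows_server", "critical", exploit_public=True, patchable=True, patch_available=True),
    Vuln("core-rtr1", "network_device", "high", exploit_public=True, patchable=False, patch_available=False),
    Vuln("erp-db", "database", "high", exploit_public=False, patchable=False, patch_available=False),
    Vuln("intranet-portal", "web_app_internal", "medium", exploit_public=False, patchable=True, patch_available=True),
    Vuln("ws-042", "windows_desktop", "low", exploit_public=False, patchable=True, patch_available=True),
]


if __name__ == "__main__":
    for row in plan(SAMPLE_INVENTORY):
        print(f"{row['asset']:16} {row['action']:60} {row['shield']}")
```

The point of the ordering is that the two shielding tiers are deliberately placed ahead of routine patching: the router and the database engine in the sample never get a patch through the normal cycle, so the firewall rule or ACL is the response, not a stopgap, whereas the file server gets both the host rule and a follow-up patch.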