As noted by SANS, end-point patch management lags: "New attack data shows organizations are missing the mark in their security priorities as client-side application flaws, Web flaws dominate as attack vectors"
It's safe to assume that most organizations that want to run AV on their end-points do, but why not patch management? Both are needed, so why not just deploy a solution and solve the problem? Both patching and AV products have been around for years, right?
So why does the SANS study show end-points are not well patched?
A few thoughts -- WSUS is too hard to manage, and if you get it right you only find out that it supports just some Microsoft products and no other products. Strike one, it simply does not work. And WSUS is also the engine for SCCM, so that does not work either. Strike two.
How about Altiris? Great product, right? Just not for patch management. Foul ball, but it's still 0-2.
How about a security product like FoundScan or Qualys? No patch management, another foul ball, and end-points are still not patched.
How about rolling out an integrated patching and AV end-point product like ours at the same time as you roll out AV, all done in one shot? It solves both problems at one time. It's a base hit, or better, maybe it's a home run. Why are other major vendors not doing this? Patching is hard work to get right and keep right, and most vendors are not invested enough in it, so they are not providing the solutions their customers need, and machines are not kept patched.
The answer is there, but Microsoft does not want you to know it; they have a big bet on you not knowing. The same holds true for Symantec and other security vendors, including McAfee.