Can We Get Off the Patch Cycle Merry-Go-Round?
Yesterday was Patch Tuesday for Microsoft--a busy Patch Tuesday with 12 new security bulletins addressing 22 separate vulnerabilities. It was also a big day for patching Adobe software. As comforting as it might be to know that all of these vulnerabilities have been patched, the unfortunate truth is that we're going to do it all over again next month. Shouldn't there be a better way than applying new Band-Aids every month?
The current software and security model creates economic opportunities for security software and services vendors, and information security professionals, but it is constantly a day late and a step behind the attackers. The model relies on reacting to threats after they are detected in the wild, and a perpetual cycle of rinse-and-repeat patching with no end in sight.
Anup Ghosh, chief scientist and founder of Invincea, explains in a blog post, "To err is human. However, the reality is, any model of security that counts on the correctness of millions of lines of code that form the attack surface area of Internet-connected software is a fundamentally flawed model and untenable for security."
Ghosh adds, "We should not be fine with being told on Tuesday that we were screwed on Monday and everyone accepting that as a norm. We should not accept the contention that there is no such thing as secure--that prevention is a failed strategy--that the best we can hope for is to detect our adversaries once they are in our networks."
Ghosh points out that fire protection engineers don't just install smoke detectors and fire extinguishers; they also proactively engineer better construction techniques and building designs to prevent fires in the first place. Similarly, the security industry needs to get out of the reactive, defensive posture of patching and signature-based threat detection, and take the proactive step of designing more secure systems and software in the first place.
So, what's the answer? Well, Ghosh doesn't claim to have the answers. His post is more a venting of frustration over the current security model, and a call to action for all parties to focus on solutions that are engineered well enough in the first place to prevent attacks.
Ghosh proclaims, "It is time to innovate in security again to change the game to return the advantages to the defender rather than the attacker."
Do you think it can be done? Or, do you think we are just doomed to playing catch up to our attackers?