Cyber Talk
Discussion with Andre Yee, the President and Chief Executive for NFR Security
ITSS: What are the biggest challenges to vulnerability management today?
Yee:
Two things come to mind immediately. First, the biggest challenge is tying vulnerability management intelligently to intrusion prevention. Vulnerability management is informative but it’s insufficient if you cannot take real-time action in light of that information. What’s required is for intrusion prevention systems to intelligently process vulnerability information and ensure that protection parameters are dynamically adjusted in response to those vulnerabilities. It’s a concept known as dynamic shielding. Second, managing vulnerabilities resulting from the volatility of enterprise change needs to be accounted for. It’s one thing to protect against vulnerabilities of known entities, but how about servers and systems that are deployed without the prior knowledge of the security manager? Currently, that’s handled procedurally but that’s wholly inadequate.
ITSS: Has Microsoft’s scheduled Patch Tuesday helped or hindered that task?
Yee:
It’s not the panacea we may wish for but I think Patch Tuesday is a step forward from where we were previously because it’s at least a consistent process that can be managed.
ITSS: How can organizations better prepare for Patch Tuesday?
Yee:
Load up on Starbucks because you’re not getting much sleep if you’re a security manager. On a serious note, part of the answer is about being aware of your enterprise environment ahead of Patch Tuesday. The better you know your environment, what’s running where and what systems are affected, the better equipped you’ll be to handle Patch Tuesday.
ITSS: What does the recent Windows Meta-File zero-day vulnerability say about the current threat climate and the effectiveness of Patch Tuesday?
Yee:
The Windows Meta-File vulnerability showed us that Patch Tuesday isn’t the answer. There are times when certain vulnerabilities are so pervasive and potentially critical that Microsoft is unwilling to wait for Patch Tuesday. It comes back to the problem of assuming that patching is the answer to security…it’s absolutely necessary but insufficient. The conventional view that doing our best to keep patches current will adequately protect enterprises is erroneous for two reasons. One, patch currency in an organization is much more challenging and takes more time than we think - the larger the organization, the tougher the challenge. Second, critical zero-day threats do occur and it’s important to be protected or shielded immediately. That’s why intrusion prevention systems are so important.
ITSS: In 2005 the industry average was a full 30 days for IT administrators to fully deploy a new critical security patch. How can organizations shrink that 30-day window to patch deployment?
Yee:
I’m not sure that it’s an issue anymore of getting that window to shrink…the patch tools are pretty good but you’ll always have a patch window to deal with because patches need to be evaluated and tested before being applied corporate-wide. It’s more important to ensure that you’re protected in that 30-day window by leveraging other security products.