12:15 CET on the 29th June 2011. Entry written by Stefan Frei.
I am pleased to share with you our new white paper focusing on the interrelation between IT security, risk management, and compliance: ‘How to secure a moving target with limited resources - Effectively mitigating business risks while the evolution of threats blindfolds traditional defences.’
How can an organisation balance the need to patch systems with the risks it faces and the need for stability? Our research concludes the following:
Firstly, compliance does not imply security. Secondly, traditional defences have many limitations and can be bypassed.
Patching is a primary security measure as it eliminates the root cause of compromise.
It's all about quality, not quantity. A comparison of two patching strategies shows that knowing what to patch pays off.
However, identifying critical programs to achieve risk reduction is like chasing a moving target.
The risk of a failed patch must then be weighed against the cost of extensive testing.
Research reveals that an 80% reduction in risk can be achieved by identifying and patching either the 12 most risky programs or the 37 most prevalent programs.
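The comparison of the two strategies above (patch the riskiest programs first versus patch the most prevalent programs first) can be made concrete with a small simulation. The following is an added example, not code or data from the white paper: the inventory is constructed, and the risk proxy (prevalence multiplied by the number of open vulnerabilities) is an assumption chosen for illustration. It ranks the inventory under each strategy and reports how many programs must be patched to remove 80% of the total risk.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Program:
    name: str
    prevalence: int   # percentage of hosts on which the program is installed
    open_vulns: int   # unpatched vulnerabilities currently affecting it


# Constructed inventory for illustration only; these are not figures from the white paper.
INVENTORY: List[Program] = [
    Program("OS core", 100, 4),
    Program("Browser", 95, 30),
    Program("PDF reader", 90, 20),
    Program("Office suite", 85, 8),
    Program("Media player", 80, 1),
    Program("Archiver", 75, 0),
    Program("Java runtime", 40, 25),
    Program("Flash plugin", 35, 28),
    Program("Chat client", 30, 2),
    Program("Developer tool", 5, 12),
]

Scorer = Callable[[Program], int]


def risk_score(p: Program) -> int:
    """Assumed risk proxy: exposure (prevalence) times open vulnerabilities."""
    return p.prevalence * p.open_vulns


def prevalence_score(p: Program) -> int:
    """Ranking key for the 'patch the most widespread programs first' strategy."""
    return p.prevalence


def total_risk(inventory: List[Program]) -> int:
    return sum(risk_score(p) for p in inventory)


def coverage_curve(inventory: List[Program], key: Scorer) -> List[float]:
    """Fraction of total risk removed after patching the first n programs in 'key' order."""
    total = total_risk(inventory)
    curve, covered = [], 0
    for p in sorted(inventory, key=key, reverse=True):
        covered += risk_score(p)
        curve.append(covered / total)
    return curve


def programs_needed(inventory: List[Program], key: Scorer, target: float = 0.8) -> int:
    """Number of programs, patched in descending 'key' order, needed to remove 'target' of the risk."""
    for n, fraction in enumerate(coverage_curve(inventory, key), start=1):
        if fraction >= target:
            return n
    return len(inventory)


if __name__ == "__main__":
    for label, key in (("risk-ranked", risk_score), ("prevalence-ranked", prevalence_score)):
        n = programs_needed(INVENTORY, key)
        print(f"{label}: patch {n} of {len(INVENTORY)} programs to remove 80% of risk")
```

On the constructed inventory the risk-ranked strategy reaches the 80% target after four programs, while the prevalence-ranked strategy needs seven, which is the "quality, not quantity" point in miniature. The hard part in practice is the scoring function: a static proxy like the one assumed here ages quickly, and the ranking has to be recomputed as new vulnerabilities are disclosed and the installed base changes.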
Organisations cannot be complacent though, because what works today may not work tomorrow. Therefore a dynamic and tactical approach is needed.
0-days are potentially paralysing external forces that are difficult to control. However, it's not all doom and gloom. Organisations firmly hold in their own hands the power to patch 65% of vulnerabilities on the day of disclosure.
Can they afford to ignore the opportunity to significantly alter their threat landscape?
Overall, this white paper shows that organisations can do more with less. An intelligent patching strategy is an effective approach for reducing vulnerability risks, as well as for maximising operational efficiency with minimal costs.