21 Replies Latest reply on Jan 31, 2013 9:41 AM by mdriskell

    Patching and Antivirus : Technology Doppelgangers?

    Carlo Costanzo
      As I am sitting here thinking about Windows Patching (I don't take my meds till 11am), it strikes me that there are some real parallel threads between patching and Antivirus.

       

       

      They both seem to be a necessary evil.  AntiVirus software is notorious for wrecking applications.  Support always has a sneaky suspicion that your Antivirus program is actively working against your business applications but you are obligated to run it.  On the flip side, patching applications might just break them. It's a gamble.  Fix one thing, break two more.  You just can't be sure without properly testing.

       

       

      Antivirus programs are mini patch managers.  There probably is no better example of a program that needs almost constant updating and patching than an Antivirus program.  Those definition files come out at a furious pace sometimes.  Centralized patching and Antivirus definitions are critical to not bringing your network to a crawl during peak times.

       

       

      Both Antivirus and Patching strategies have a security angle.  They actually work hand in hand: one knocks down threats that probe and attack, and the other closes holes and reduces the attack surface for threats that are already there.

       


      With all these similar and synergistic qualities, do you see Antivirus components and patch management as part of an overarching security strategy, or as separate and distinct solutions?  With separate and distinct ownership and roles in the environment?

      *Reply to this post to earn 50 points and 1 entry to win an iPod Nano

        • Re: Patching and Antivirus : Technology Doppelgangers?
          Sohail Bhamani

          With the many customer environments I see, I have seen examples of both.  The larger companies tend to be more siloed in terms of teams in an IT organization, and smaller companies tend not to have these silos.  I can also say that it seems to be more industry specific as well in terms of these silos.  In the telco and pol/gas space, these silos are very evident.

           

          In these siloed environments, patching, AV, and network security are handled by 3 teams with an overarching, yet usually powerless, information security department over the top.  These types of teams tend to move more slowly and are just less agile than what I have seen in smaller companies.

           

          The best bet in my opinion would be to treat them as individual parts of a larger mechanism.  The onion of security, if you will.  It takes patch management, AV management, network security, physical security, and whatever else to be less prone to any issues.

           

          Sohail Bhamani

          Loop1 Systems

          http://www.loop1systems.com

          • Re: Patching and Antivirus : Technology Doppelgangers?
            rulob

            Where I work now there is only 1 team responsible for both patch and AV, and us for network security, so basically we have 2 teams regarding IT Security.

             

            We both have 1 Systems Department above us, but thank God they are willing to hear us when we need to act. I know the patch and AV team has it worst, because they have to be up-to-date with those things. They sometimes ask for our support.

             

            Since we have good collaboration, when we have to make some changes in the network HW or SW, we always talk to them first and see if there is going to be some impact on the production application, or if they'll need an upgrade on patch and AV because of what we want to do.

             

            Truth is we are a medium/large-size company, and it is amazing how well we can work together without getting in each other's way.

             

            Now, regarding your question. I see them as separate products/solutions. Patch is there to fix broken things (yeah, right) and AV is there for preventing them.

            For me patching is passive and AV is proactive. If you have to patch, it is because something bad happened, while with AV you are keeping bad things from happening (Utopia much?)

             

            --Raul

              • Re: Patching and Antivirus : Technology Doppelgangers?
                Carlo Costanzo
                Now, regarding your question. I see them as separate products/solutions. Patch is there to fix broken things (yeah, right) and AV is there for preventing them.

                For me patching is passive and AV is proactive. If you have to patch, it is because something bad happened, while with AV you are keeping bad things from happening (Utopia much?)

                 

                Raul, I think you are probably with the majority in your views and approach (maybe a minority in your various teams' abilities to not step on each other's toes), though.  I do find it interesting that patching is passive (or reactive) and AV is proactive.  AV really HAS to be proactive since once you get a virus, they can be pretty intrusive to remove, but it's interesting that patching is passive.  Similar to an infection, once a security breach occurs, it's probably a bit too late to be reactive.  I think this is a result of viewing the products separately, since that can lead to treating and prioritizing them differently.

              • Re: Patching and Antivirus : Technology Doppelgangers?
                th3cap3

                Like some of the others who have posted here, I have seen both situations. At my last job, I was responsible for patching our systems and my buddy at the other desk was responsible for updating AV, but we often did the other job if one of us was out of the office on assignment. My current workplace has separate teams that handle the various aspects of security, which is a lot to get used to from my point of view, but it seems to run well, granted a little slow.

                 

                I also agree with patching being more of a passive defense and AV being proactive/reactive: patches help plug holes, while the AV works to prevent infection and then attacks if an infection is detected.

                • Re: Patching and Antivirus : Technology Doppelgangers?
                  byrona

                  We absolutely see patching and anti-virus as part of the same inclusive security solution, even to the point that we run our centralized anti-virus server on the same system as our patch manager.  In our environment our Windows team is responsible for both the anti-virus and the patch management system.  I often hear a lot of horror stories about anti-virus in business environments, but I can honestly say that we have had a very good experience with both the software that we use and the support for it.

                   

                  I started laughing when I read "Support always has a sneaky suspicion that your Antivirus program is actively working against your business applications" because as an MSP the first thing our customers always ask us to do when they are having problems with their application is to turn off the anti-virus.

                    • Re: Patching and Antivirus : Technology Doppelgangers?
                      Carlo Costanzo
                      I started laughing when I read "Support always has a sneaky suspicion that your Antivirus program is actively working against your business applications" because as an MSP the first thing our customers always ask us to do when they are having problems with their application is to turn off the anti-virus.

                       

                      I think most people would vouch for that statement. And for the record, based on my experience, it's RARELY the AntiVirus program these days.  They are pretty smart these days and can filter out non-threats.

                    • Re: Patching and Antivirus : Technology Doppelgangers?
                      antwesor

                      Security has always been and always will be a layered process. To be secure, Windows has to have the latest patches. To protect Windows even further you must have an anti-virus in place for malware that will attack even if Windows is fully patched. Other layers of security are network firewalls and other appliances that protect the local network from intruders of all kinds.

                       

                      Antivirus and Patch management should be part of an overall security strategy. Just remember there are other components to an overall security plan for both networks and computers. I can see both roles being combined into one; however, they should probably be separated so that more than one person is responsible. Just as you would not have one person responsible for ALL security processes, it is good to have multiple layers of security managed by separate people or groups. Placing trust in one person or one group for ALL security is just a bad idea.

                      • Re: Patching and Antivirus : Technology Doppelgangers?
                        joseph isahack

                        I see them as two separate solutions and strategies.  With regards to OS patches, many Windows server admins will not patch certain servers until a need arises.  AV updates to client devices should fit into the environment's overall security strategy along with firewalls, intrusion detection, etc.

                         

                        On a side note, the patch concept itself is starting to look like part of a dated security model.  You only patch after a flaw is found through a security breach or infection. Breaches and infections develop and spread faster and farther than ever before.  Moving forward, newer security models less dependent on patches will be developed.

                          • Re: Patching and Antivirus : Technology Doppelgangers?
                            Carlo Costanzo
                            On a side note, the patch concept itself is starting to look like part of a dated security model.  You only patch after a flaw is found through a security breach or infection. Breaches and infections develop and spread faster and farther than ever before.  Moving forward, newer security models less dependent on patches will be developed.

                            Pulling patching away from security is definitely a worthy goal.  Originally patching was used to correct application bugs or add new features.  Somehow it morphed into a practice of securing application holes.

                          • Re: Patching and Antivirus : Technology Doppelgangers?
                            bsciencefiction.tv

                            We have separate teams for this, but one lab (team) that tests both AV and Patches.  So we get the best of both worlds.  We get subject matter experts who are focusing on what patches we should and should not implement, another that makes sure our AV is up to date and our AV vendor is on his toes.  But we also get one team who makes sure that nothing that either team does compromises an individual box or server, or the network integrity as a whole.

                            • Re: Patching and Antivirus : Technology Doppelgangers?
                              xbod

                              I view patching and AV updating as part of the same security strategy, but they get different levels of attention.  I view AV as a valuable part of system security (especially when we're dealing with public access computers) that should be kept very up to date in hopes of preventing very real threats against computers and networks.  Windows and application patches are important, but once-a-month patching is good enough.

                              • Re: Patching and Antivirus : Technology Doppelgangers?
                                jsimon16

                                Patching and anti-virus/malware should all be the same role.  FEP/SCCM does a great job of this.

                                • Re: Patching and Antivirus : Technology Doppelgangers?
                                  RandyBrown

                                  I agree with the others that are saying that patching and AV should be considered the same role.  They both seem to have the same kind of impact on productivity:

                                   

                                  - When they work, they keep systems running well

                                  - When they don't work properly, they bring systems to their knees

                                   

                                  Case in point ... we just had a horrific last few days where our VMware View desktops would freeze every day at 10am for about 5-7 minutes.  Literally hundreds of desktops rendered unusable.  We have narrowed the problem down to our Trend Micro Deep Security appliances, which were updating components (something they've done every day for the last several months without a problem) and spiking the CPU utilization on our hosts.  What a nightmare!!!  Once we realized what was causing it, we shut it off and haven't had the problem since.  Now we are in the process of reconfiguring in such a way that this kind of problem cannot have this kind of negative effect in the future.

                                   

                                  That said, it's inevitable that AV or patching will come back to bite us again.  It always does.

                                    • Re: Patching and Antivirus : Technology Doppelgangers?
                                      Carlo Costanzo
                                      Case in point ... we just had a horrific last few days where our VMware View desktops would freeze every day at 10am for about 5-7 minutes.  Literally hundreds of desktops rendered unusable.

                                      So that explains your delay in joining our discussions here. Where are your priorities, Randy!?! Ha! Glad you were able to sort it out though.  Any particular tool help you narrow down the cause, or just good old-fashioned investigative troubleshooting?

                                        • Re: Patching and Antivirus : Technology Doppelgangers?
                                          RandyBrown

                                          Good old-fashioned investigative troubleshooting.   We had a hunch it was AV, which happened to be scheduled to do its 'updates' at 9:50am.  Turning it all off for a day proved that our hunch was right.

                                           

                                          I wish there would've been a tool that I could've typed the symptoms into and it would make suggestions based on the search criteria.  I suspect SolarWinds will have something like that someday.

                                           

                                      • Re: Patching and Antivirus : Technology Doppelgangers?
                                        jeremymayfield

                                        I use Symantec Endpoint Protection, and mail gateway.   I find letting it do its thing is best.  Keeping it simple with Symantec is the best because every time I try to get fancy with it, SEP breaks.  I think in part it should be a separate process for the means of protection; I don't like the concept of having a tool be able to update my security tool.   What if the updater tool is what is corrupt?

                                        • Re: Patching and Antivirus : Technology Doppelgangers?
                                          dave@entwistle.cc

                                          Microsoft Forefront sort of tried to merge the patching and AV/malware features into WSUS and later with endpoint protection in SCCM.  I think they could be handled together because they sort of go hand in hand, but the issue is that most of the AV programs I have seen out there need closed systems for updating and reporting.  If they had to release updates through a third-party product, there would need to be better standards for software and AV packaging.

                                          • Re: Patching and Antivirus : Technology Doppelgangers?
                                            mdriskell

                                            In my environment they are handled by the same team and by separate teams.  What I mean by that is that patches that address security vulnerabilities are identified by our security team, along with handling the AV applications.  Patches that are more for break/fix/upgrade are handled by our OS teams.  The OS teams deploy all patches, but the security team is the one on the lookout for vulnerabilities.