Patching and Antivirus : Technology Doppelgangers?

With the many customer environments I see, I have seen examples of both.  The larger companies tend to be more silo'd in terms of teams on an IT organization and smaller companies tend to not have these silo's.  I can also say that it seems it is more industry specific as well in terms of these silo's.  In the telco and pol/gas space, these silo's are very evident.

In these silo'd environments, patching, av, and network security are handled by 3 teams with an over arching, yet usually powerless, information security department over the top.  These types of teams tend to move more slowly and are just less agile than what I have seen in smaller companies.

The best bet in my opinion would be to treat them as individual parts of a larger mechanism.  The onion of security if you will.  It takes patch management, AV management, network security, physical security, and what ever else to be less prone to any issues.

Sohail Bhamani

Loop1 Systems

http://www.loop1systems.com

Silo'd environments are definitely a luxury of big companies.  A blessing and a curse realistically.  Like you mentioned, separate slow moving teams typically with their own agendas and priorities.

Even though operationally, there seems to be an overlap (big or small), when a company looks to upgrade 1 of the parts, do you think they consider the other parts of the larger AV/Patching solution?  My experience suggests that they don't.  They upgrade and evaluate products individually.  And this might not be a bad approach.  Not sure.

My experience also suggests that they do not.  Having an over arching information security team does mitigate this somewhat, but working as one large team is definitely the best situation for those massive teams.  The problem is excarbated even further when the teams are geographically separated.

Sohail Bhamani

Loop1 Systems

http://www.loop1systems.com

Where I work now there is only 1 team responsible for both patch and av. And us for network security, so basically we have 2 teams regarding IT Security.

We both have 1 Systems Department above us, but thank God they are willing to hear us when we need to act. I know the team of patch and av has it worst, because they have to be up-to-date with those things. They sometimes ask for out support.

Since we have good collaboration, when we have to make some changes in the network HW or SW, we always talk to them first and see if there is going to be some impact in the production application, or if they'll need an upgrade on patch and AV cuz of what we want to do.

Truth is we have medium/large size company, and is amazing how well we can work together without getting in each other's way.

Now, regarding your question. I see them as separate products/solutions. Patch is there to fix broken things(yeah rigth) and AV is there for preventing them.

For me patching is passive and AV is proactive. If you have to patch is because something bad happened, while with AV you are keeping bad things for happening(Utopia much?)

--Raul

Now, regarding your question. I see them as separate products/solutions. Patch is there to fix broken things(yeah rigth) and AV is there for preventing them. For me patching is passive and AV is proactive. If you have to patch is because something bad happened, while with AV you are keeping bad things for happening(Utopia much?)

Raul, I think you are probably with the majority in your views and approach.. (maybe a minority in your various team's abilities to not step on each others toes ) though..  I do find it interesting that patching is passive (or reactive) and AV is proactive.  AV really HAS to be proactive since once you get a virus, they can be pretty intrusive to remove but it's interesting that patching is passive.  Similar to an infection, once a security breach occurs, it's probably a bit too late to be reactive.  I think this is a result of viewing the products separately since that can lead to treating and prioritizing them differently.

Like some of the others who have posted here, I have seen both situtations. My last job, I was responsible for patching our systems and my buddy at the other desk was resposible for updating AV, but we often did the other job if one of us was out of the office on assignment. My current work place has seperate teams that handle the various aspects of security, which is a lot to get used to from my point of view, but it seems to run well, granted a little slow.

I also agree with patching being more of a passive defense and AV being proactive/reactive, patches help plug holes while the AV works to prevent infection and then attack if an infection is detected.

We absolutely see patching and anti-virus as part of the same inclusive security solution even to the point that we run our centralized anti-virus server on the same system as our patch manager.  In our environment our Windows team is responsible for bot the anti-virus as well as the patch management system.  I often hear a lot of horror stories about anti-virus in business environments but I can honestly say that we have had a very good experience with both the software that we use as well as the support for it.

I started laughing when I read "Support always has a sneaky suspicion that your Antivirus program is actively working against your business applications" because as an MSP the first thing our customers always ask us to do when they are having problems with their application is to turn off the anti-virus.

Security has always been and always will be a layered process. To be secure Windows has to have to the latest patches. To protect windows even further you must have an anti-virus in place for malware that will attack even if Windows is fully patched. Other layers of security are network firewalls and other appliances that protect the local network from intruders of all kinds.

Antivirus and Patch management should be part of an overall security strategy. Just remember there are other components to an overall security plan for both networks and computers. I can see both roles being combined into one, however, they should probably be separated so that more and one person is responsible. Just as you would not have one person responsible for ALL security processes, it is good to have multiple layers of security managed by separate people or groups. Placing trust in in person or one group for ALL security is just a bad idea.

I started laughing when I read "Support always has a sneaky suspicion that your Antivirus program is actively working against your business applications" because as an MSP the first thing our customers always ask us to do when they are having problems with their application is to turn off the anti-virus.

I think most people would vouch for that statement. And for the record, based on my experience, it's RARELY the AntiVirus program these days.  They are pretty smart these days and can filter out non threats.

I see them as two separate solutions and strategies.  With regards to OS patches, many windows server admins will not patch certain servers until a need arises.  AV updates to client devices should fit into the environment’s overall security strategy along with firewalls, intrusion detection, etc.

On a side note, the patch concept itself is starting to look like part of a dated security model.  You only patch after a flaw if found through a security breach or infection. Breaches and infections develop and spread faster and farther than ever before.  Moving forward, newer security models less dependent on patches will be developed.