Hundreds of millions of records have been stolen in recent corporate data loss incidents
All of these compromised networks had patching programs in place. Yet every one of them fell victim to a KNOWN vulnerability, meaning that the weaknesses that hackers used were well described and discussed in the public domain and that, in theory, patches or work arounds existed.
The obvious lesson is that automated patching solutions are not keeping up. Apparently neither were the enterprise grade firewalls, antivirus programs and IPS/IDS programs these major corporations had in place.
Patching is vital. However, it has its costs and as the frequency of patch publication increases, a point may be reached where existing resources are not enough to keep up.
For example, Microsoft alone releases over 300 patches a year. A typical organization needs less than 30. Installing patches just because they were published means increasing downtime and taking the risk that a patch might break existing functionality - all of that unnecessarily. Additionally, many serious network vulnerabilities are not poor coding issues but rather configuration issues.
You may have every Microsoft patch in place, but if you are also running Linux, Mac, Cisco and Oracle devices in your network then patching as recommended by just the major vendors is not enough. Installing every patch from every vendor is an administrative headache to say the least.
Also keep in mind that most networks have accumulated applications and code that are no longer in constant use but are kept around, just in case. If these are not actively patched, then these offer an easy avenue for entry to your system.
The term 'back door' is appropriate. The most elaborate home security system will not keep a thief from attempting to walk into a wide open back door. The known network vulnerabilities on your system today are that wide open door. Instead of adding more layers of alarms, how about just finding and closing the door?
Vulnerability scanning is the vital fourth pillar of your security strategy. Firewalls, antivirus and IPS/IDS react to attack while Vulnerability Assessment and Management will remove the incentive to attack at all.
Since nearly four nines (99.99%) of all data breaches are accomplished using known vulnerabilities, here's the best security strategy: Find your actual, current and real vulnerabilities and put your security resources to work eliminating them. Then, when your network has no known vulnerabilities, you can confidently put your attention on the issues that will actually move your company forward!