Patching Monthly May Be IMPOSSIBLE, Maintaining Compliance Is Still POSSIBLE (presented at SAINTCON 2016)

by Adam Steed

Summary: Most compliance requirements, PCI among them, allow an alternative to monthly patching: a risk-based patch management program. What does this actually mean in practice? Servers often sit behind multiple security layers, including Host IPS, Application Whitelisting, and File Integrity Monitoring, and those layers can change the effective severity of a missing patch or eliminate the exposure to the vulnerability altogether. If you take this layered approach, you will need to demonstrate the program's effectiveness to an auditor. We will discuss the 7 components of a risk-based program that I look for as an auditor in organizations that use this approach.