I *heart* my IPS
Last year I vowed to do whatever I could to get myself weaned off as much dependence on Microsoft patches as I could. To wit: I started purchasing IPS and UTM devices for our offices. The main offices got the IPS units behind the beefcake firewalls and the satellite offices got UTM devices in lieu of a firewall. I also aggressively ramped up our HIPS deployment to try to get as close to 100% of our laptops covered as possible.
All that hard work and capital is paying off now. Today I sent an internal advisory about Tuesday’s patch release and on all the patches that are critical to our environment I was able to say that we already have strong (though not complete) protection for most attacks.
IPS is neither dead nor useless. When leveraged correctly it can help take some of the pressure off of patch Tuesday and reboot Wednesday. Granted, nothing replaces patches in your security regimen, but IPS technology can give you more time to test thoroughly before deploying to production.

What do you guys use to distribute patches if you don’t mind sharing?
By Jon Robinson on 04.12.07 3:45 pm
Unfortunately I can’t share the details. I can say we use a server-based solution and also some hosts go directly to Windows Update (namely our laptops).
Through the server we automatically deploy patches to a small, select group of test users so that we begin testing patches almost immediately.
We then follow up with MBSA sweeps to ensure we have an acceptable level of compliance across all networks.
In a rush we can get all hosts patched within a week. But we average 2.5 – 3 weeks to an acceptable compliance level.
By Michael on 04.12.07 4:05 pm