My Black Tuesday Routine

I’ve spent the last two or three years focusing the lion’s share of my security energy on implementing proactive measures to reduce our dependence on Microsoft patches. To wit, here is what my Black Tuesday routine looks like:

Tuesday - I usually wait for the ISC (SANS Internet Storm Center) to publish their overview, which is easily digested. I then check out Microsoft's bulletins and see how they impact our environment. I also check out information received from our IPS vendor as well as other news groups I'm a member of.

Wednesday - I release a bulletin to our security group that summarizes information from all the sources I’ve read. We have a policy that all workstations be patched within one week of that bulletin and all servers be patched within thirty days. Each office is responsible for their networks and I prod them along with random checks for compliance.

I also go through and verify what level of protection our IPS and HIPS provide so that I can inform the team. Usually we get about 70% or better coverage from the IPS units, meaning they can detect and/or protect against 70% of the exploits directly through virtual patching and/or malicious behavior detection. Firewall best practices usually protect against another 10 - 20% of attacks. That includes the firewalls deployed through the HIPS to road warriors as well as network firewall appliances in all offices.

I also investigate email filters for possible email-borne attacks. We filter email attachments based on MS KB262631 (the Outlook E-mail Security Update blocked-attachment list), but attackers are increasingly using HTML email to bypass email gateway filters, so it's getting trickier to protect your email clients.
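As an added illustration of the two halves of that check (not the author's gateway configuration, and not code from the original post), here is a small Python scanner that flags attachments whose extension is on a KB262631-style Level 1 list and, separately, flags HTML bodies carrying active content that an extension filter never sees. The extension set is a partial transcription of the KB article for illustration only, and the three sample messages are constructed inline.

```python
import email
import os
import re
from email import policy

# Assumption: a partial transcription of the "Level 1" extensions that the
# Outlook E-mail Security Update (MS KB262631) blocks, for illustration only.
KB262631_LEVEL1 = {
    ".ade", ".adp", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl", ".crt",
    ".exe", ".hlp", ".hta", ".inf", ".ins", ".isp", ".js", ".jse", ".lnk",
    ".mdb", ".mde", ".msc", ".msi", ".msp", ".mst", ".pcd", ".pif", ".reg",
    ".scr", ".sct", ".shs", ".url", ".vb", ".vbe", ".vbs", ".wsc", ".wsf", ".wsh",
}

# Active content inside an HTML body; an attachment filter never looks here.
HTML_ACTIVE = re.compile(r"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)


def blocked_extension(filename):
    """True if the final extension is on the block list.

    Normalises case and strips trailing dots/spaces so that "Setup.EXE."
    is treated as setup.exe; "invoice.pdf.exe" is caught because only the
    last extension decides how Windows opens the file.
    """
    name = filename.strip().rstrip(". ").lower()
    return os.path.splitext(name)[1] in KB262631_LEVEL1


def scan_message(raw):
    """Return a list of (finding, detail) tuples for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition first, then Content-Type.
        name = part.get_filename()
        if name and blocked_extension(name):
            findings.append(("blocked_attachment", name))
        if part.get_content_type() == "text/html":
            hit = HTML_ACTIVE.search(part.get_content())
            if hit:
                findings.append(("active_html", hit.group(1).lower()))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_EXE = """\
From: sender@example.com
To: user@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

SAMPLE_HTML = """\
From: sender@example.com
To: user@example.com
Subject: Your account
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please verify.</p><script>window.location="http://example.net/x";</script></body></html>
"""

SAMPLE_CLEAN = """\
From: sender@example.com
To: user@example.com
Subject: Photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/html; charset="us-ascii"

<html><body><p>Photo attached.</p><img src="cid:photo"></body></html>
--b2
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQAAAQABAAD/2wBD
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("exe", SAMPLE_EXE), ("html", SAMPLE_HTML), ("clean", SAMPLE_CLEAN)):
        print(label, scan_message(raw))
```

Note that the clean sample passes even though it is HTML and carries an image: the regex only reacts to script-bearing tags, so image-borne attacks of the kind discussed below remain an accepted exposure that this filter does not close, which is exactly why the author pairs the gateway filter with IPS/HIPS detection rather than relying on it alone.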

That leaves about 10 - 20% exposure, which is usually in the form of vulnerabilities we have to accept due to business impact. For example, images are a big part of our business model, therefore we can't filter them from emails proactively and we can't have over-zealous IPS units sniping them from web pages, web-based email, FTP transfers, etc. So in all cases where we can't protect, we at least detect. That way, in the event of a compromise, we know what hit us, where it hit us, and what damage it caused. Case in point: we had a laptop pwned while it was on a client's network. We had the HIPS downgraded to HIDS (detect-only) mode for troubleshooting a problem, so we were able to determine the extent of compromise easily and quickly.

We also harden hosts directly exposed to the Internet, such as public FTP servers, web servers, DNS servers, etc. This serves several purposes: first, it makes them harder to hack. Second, it serves as damage control to minimize our exposure when one does get hacked. Third, it makes forensics easier due to hyper-logging.

The main point you should take home from this is that defense-in-depth is the best course of action in reducing one’s dependency on Microsoft patches for network security. If your IT department looks like the Keystone Cops every four weeks trying to ensure your hosts are patched then you’re doing something wrong. Black Tuesday should be the start of a relaxed but controlled and methodical monthly routine of assessing your exposure to attack.