As a penetration tester, Mauricio Velazco frequently looked for information on the latest attacks because corporate information systems were rarely patched against the exploitation of just-reported vulnerabilities.
When he moved over to the other side of the firewall, Velazco — now the head of threat intelligence and vulnerability management at The Blackstone Group, an investment firm — duly implemented a patching process for his company that attempted to keep up with its regulated responsibilities. It quickly became clear, however, that fixing vulnerabilities using the criticality of the bugs to prioritize patching kept the IT staff busy, but it did not make the company much safer.
Thinking back to his time as a penetration tester, Velazco realized that patching the vulnerabilities he chased as an attacker would be a much better use of his time. The strategy paid off: Compromises within the company fell, he says.
via Securing More Vulnerabilities By Patching Less — Dark Reading.
Hmm. This is, to me, a new take on patch management. It oddly falls in with a discussion I had almost two years ago, oddly in that my peers and I came up with the same concept for different but related reasons.
What do you think?