"Our sales went up eight times between July and September — that's a pretty big spike," he said. "None of those people were doing patch management before. MS03-026 [the advisory highlighting the MSBlast flaw] comes out, that changed the market for us." - Mr. Shavlik
from article: Microsoft moves beyond patches
Conceding that its strategy of patching Windows holes as they emerge has not worked, Microsoft plans next week to outline a new security effort focused on what the company calls "securing the perimeter," a company executive said in an interview.
Although Microsoft will continue to devise ways to improve the means by which Windows users apply upgrades, or patches, to their software, the company had realized that too many customers don't upgrade quickly enough to thwart hackers.
"From our side, (it) has been a little naive to think that all of those customers are going to do patches," said Orlando Ayala, Microsoft's former sales chief, who now heads its sales push to small and midsize businesses. "It's just hard."
Until now, Microsoft's efforts have largely centred on improving the way it writes its code and then fixing holes as they emerge.
"The strategy on security has been very [much] based on patch management," Mr. Ayala said in a telephone interview on Wednesday.
However, recent worm and virus attacks have repeatedly shown that many customers remain vulnerable long after patches have been released, he said.
Mr. Ayala declined to detail Microsoft's new approach, or say whether the plans include getting further into the market of providing antivirus software. He did say that part of the effort will be a deeper relationship with firewall providers.
"We are going to start putting more emphasis on what we call securing the perimeter," he said. "That speaks of a deep partnership with the firewall world."
Mr. Ayala said that although the company has made some gains with its Trustworthy Computing effort, it is now trying to take a new approach.
"The first question is how can you secure stuff so you don't [let attacks] get in," he said. "It's kind of a shift in the strategy. It's very important; that's all I can say."
The Slammer worm that hit companies in January and the recent MSBlast worm highlighted the failure of companies to patch their systems quickly. It's extremely hard for any company to keep up, said Bruce Schneier, chief technology officer for network monitoring service Counterpane Internet Security.
"The patch treadmill is endless — you have to keep going faster and faster to keep up," he said.
Microsoft executives have recently hinted that a change of course might be needed.
Speaking to a crowd of Silicon Valley executives last month, Microsoft CEO Steve Ballmer said that the recent security issues represented a threat to innovation. At the time, he said that Microsoft was developing what he called "shield technology."
"The most important technology area we are focused on is shield technology," Mr. Ballmer said in the Sept. 15 speech. "We know bad guys keep writing viruses. The goal is to block them before they get on PCs."
At that time, Microsoft declined to comment further on what Mr. Ballmer meant.
Finding a way to deal with the avalanche of patches that come in, not just from Microsoft but from other software makers, has become a key focus of information-technology managers, said Ryan McGee, director of product marketing for McAfee System Protection Solutions at security and antivirus company Network Associates.
"This is a topic of conversation in every customer conversation that we have," he said. "We talk about how to mitigate the vulnerabilities that are in the environments because they haven't been able to patch."
The recent MSBlast worm that hit companies in August and September likely infected more than one million computers. From the time information about the vulnerability was released to the start of the attack, companies had 26 days to patch their systems. And the times are decreasing, according to a recent study. For companies with tens of thousands of systems, keeping up with the race is hard, Mr. McGee said.
"We hear customers telling us there is a problem," he said, adding that several companies offer patch management automation as a solution. "I wish I were announcing a [patch management] product or acquisition because it's a market where we could make money."
Many companies are already in the market of detecting and cataloguing vulnerable computer and network devices and then automating patching. A recent study by one such company, Qualys, found that a significant portion of security vulnerabilities remain on computers connected to the Internet. read on