Information security expert Derek Brink of Aberdeen Strategy & Research sits down with Rimini Street’s Anne Plese to discuss the business case for virtual patching vs. vendor patching.

In this video, Brink likens applying software vendor security patches to being on a hamster wheel:

• vulnerabilities are discovered and publicly disclosed
• patches are (usually) made available by the vendor
• IT teams must decide if and when to implement the patches
• new vulnerabilities are discovered and publicly disclosed

Brink characterizes this as a complex, challenging, expensive, and ongoing process that includes security risks, high operational costs, business disruption, potential loss of revenue and productivity due to system downtime, and higher staffing needs.

Conversely, per Brink, a virtual patching approach substantially reduces — and in some cases substantially eliminates — these challenges.

Brink’s metrics alone, on the staggering number of vulnerabilities and the high percentage with no available vendor patches, are eye-opening.

Transcript excerpts

Anne Plese

Welcome, I’m Anne Plese with Rimini Street. We’re going to talk about why adopting virtual patching is a better option than traditional vendor patching.

Derek, the one thing that really intrigued me as a part of your research was how you contrast theory vs. practice, so why traditional patch-oriented approaches fall short from the enterprise software vendors. And what I mean by that is Oracle and SAP. So let’s start here.

Derek Brink

Thanks Anne. Hi everybody. The theory vs. practice is such an interesting conversation to have.

The theory of patching is just that it’s basic blocking and tackling. We’ve got to be good at hygiene, and patching is a fundamental thing that everybody talks about.

If you look at a list of the top 5 things to do, that would be on the list. But there’s a reality, then there’s practice. There are a couple of dimensions we can mention. People can read the report too.

Vulnerabilities come, vulnerabilities are discovered, and then they’re publicly disclosed. That’s known as zero-day. And then the patches are sometimes, often but not always, made available by the vendor. And then once it’s available it has to be implemented. So there’s that timeline aspect.

The other reality, the practice part, is that although it’s a very reasonable strategy, there are often a lot of practical challenges. You’ve got a more complex environment these days. You’ve got a lot of databases and apps and systems and networks, and you don’t even necessarily manage them all anymore like in the old days.

Then vulnerabilities are coming fast and furious, so the volume and the frequency of those is very high. Then you’ve got this pressure of timing; you want to have better security, then you want to have things in place before the exploits can happen.

So it’s the hamster wheel. And the theory vs. practice. It sounds good to just do all these things and take care of it, but in reality, there are a lot of challenges to that.

I’m not going to go on record and say just never patch ever. But you can say, hey let’s be smart about it. Let’s consider the total cost to make a well-informed business decision about when and where it makes sense to use a virtual approach as opposed to this theory vs. practice we’re talking about.

The gap between the exploits being available and the patches existing, I would label that vendor risk. It’s pretty substantial. About 1 in 10 basically just don’t have a patch at all.

There is also patching risk. There are patches available, but they just haven’t been implemented yet. So that’s really where the virtual patching story comes in hard.

:::::::::::::::

Derek E. Brink, CISSP is a vice president and research fellow at Aberdeen, focused primarily on topics in Information Security and IT GRC.

Anne Plese is senior director, product management, at Rimini Street.