Federal Computer Week has a story about the Air Force’s efforts to patch faster:
Officials’ ultimate goal is to have software patches implemented across the Air Force in minutes. During the next few months, they hope to cut the time from tens of days to just days, said Col. Ronnie Hawkins, director of communications operations in the Office of the Deputy Chief of Staff for Installation and Logistics.
Also in recent news, Microsoft will be providing Air Force-specific Windows builds. Also recently, EDS took down between 40,000 and 80,000 computers in the UK’s Department for Work and Pensions in an attempt to roll out a patch. That’s the downside to a monoculture.
The upside is that you have far fewer configurations to test on when your builds and configurations are tightly locked down, and that saves a lot of money. If your MTTR (mean time to recovery) is low because you can roll out images to an affected system, then you may be willing to take that risk. At the DWP, clearly, the MTTR was not low.
Low MTTR and fast patching shouldn’t be your only goal. Systems hardening, either by your local experts or from companies like PiVX, Sana, or Immunix, can reduce the need to patch against various attacks. I hope these companies start publishing a running list of which patches you still need to install if you have their systems (and warranting that the list is correct).
So a low time to patch isn’t what the Air Force should be chasing: it’s a low exposure time. But then, they need to balance that against the expected downtime for patching. And from here, I’d just be repeating myself with what we’ve already said in the time to patch paper (PDF).
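To make the distinction concrete, here is a small added model (my own illustration, not from the post or the paper) that scores a fleet on time to patch, exposure time and rollout downtime separately. The vulnerability records, the `blocked_by_hardening` flag and the cost figures are all constructed assumptions; the point is that a host whose hardening already stops the attack class has zero exposure even while its time to patch is long.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Vuln:
    name: str
    disclosed: date             # day the issue became publicly known
    patched: date               # day the patch was fully rolled out on our fleet
    blocked_by_hardening: bool  # assumed: our hardening already stops this attack class
    rollout_downtime_h: float   # downtime the rollout cost us


def time_to_patch(v: Vuln) -> int:
    """Calendar days from disclosure to completed rollout (the metric the Air Force is chasing)."""
    return (v.patched - v.disclosed).days


def exposure_days(v: Vuln) -> int:
    """Days the attack actually worked against us: zero if hardening blocks it, else the patch window."""
    return 0 if v.blocked_by_hardening else time_to_patch(v)


def summarize(vulns: list[Vuln]) -> dict:
    """Aggregate the three quantities the post says must be balanced."""
    return {
        "mean_time_to_patch": sum(time_to_patch(v) for v in vulns) / len(vulns),
        "total_exposure_days": sum(exposure_days(v) for v in vulns),
        "total_downtime_h": sum(v.rollout_downtime_h for v in vulns),
    }


def emergency_rollout_pays(v: Vuln, days_saved: int, cost_per_exposure_day: float,
                           extra_downtime_h: float, cost_per_downtime_h: float) -> bool:
    """Would rushing this patch out (saving days_saved of exposure) beat the downtime it adds?"""
    if v.blocked_by_hardening:
        return False  # no exposure to buy back; patch it in the normal cycle
    saved = min(days_saved, exposure_days(v)) * cost_per_exposure_day
    return saved > extra_downtime_h * cost_per_downtime_h


# Constructed sample fleet history (not real advisories)
SAMPLE = [
    Vuln("A", date(2004, 6, 1), date(2004, 6, 21), False, 4.0),
    Vuln("B", date(2004, 6, 3), date(2004, 7, 3), True, 2.0),   # slow to patch, but never exposed
    Vuln("C", date(2004, 6, 10), date(2004, 6, 12), False, 12.0),  # fast patch, costly outage
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```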