Regarding the Qualys Patch Management event that took place yesterday.
I liked:
✅ Cool report by Eran Livne about Patch Management capabilities in Qualys. 👍 Especially about creating linked patching tasks (first for a test scope, and a week later for a full scope) and about the ability to isolate hosts as a mitigation option (access remains only from the Qualys cloud). The part about new TruRisk Eliminate was also interesting.
✅ Adam Gray beautifully justified the need for mandatory patching (since prevention doesn’t really work 🤷♂️).
I didn’t like:
❌ Most speakers focused on other information security topics rather than patch management. I think it would have been possible to select more thematic reports for this event.
❌ I simply can’t accept theses like “you don’t need to patch all vulnerabilities”. 🤷♂️ My position: you need to patch everything. And workarounds are good for a while UNTIL a patch is installed.