Buying risk down when a patch doesn’t exist

How SecOps and IT can work together when a reboot is a four‑letter word. Another confession off my plate.

When the world gives you a zero‑day at midnight

Some nights I dream of a world where vendors ship perfect code and the Ops team cheerfully green‑lights a 2 a.m. reboot. Then my pager reminds me we live elsewhere. If you’ve ever stared at a fresh CVE with “no patch available” in the advisory, you know the feeling: heartburn served in JSON.

The math of un‑patchable exposure

  • 53% of widespread threat vulnerabilities in early 2024 were exploited before a vendor fix existed, according to Rapid7’s Attack Intelligence Report.
  • CSO Online puts the cross‑industry average closer to 24%.
  • Meanwhile, ITIC’s 2024 survey says 90% of large firms lose > $300K for every hour of unplanned downtime—and many chase a 99.999 % uptime target (≈ 5.26 minutes a year).

Translation: every unscheduled reboot is a six‑figure conversation and attackers often get a double‑digit‑day head start.

Enter patchless protection

[Image: Patchless tactic cheat sheet]

How Security and IT shake hands on this

  1. Agree on risk triggers. Exploit in the wild, or a critical asset in scope? Fire the shield immediately; no ticket debate first.
  2. Separate compensating from permanent. Label everything “temporary” in the CMDB so nobody forgets to yank it later.
  3. Automate evidence. Dashboards and logs show auditors you managed risk even without the vendor patch.
  4. Schedule the real patch. Use the next approved window to replace the band‑aid with the vendor’s code.
  5. Celebrate with coffee, not champagne. You’ll need the caffeine for the next zero‑day.

Business case in a single slide

  • Downtime avoided: If one critical database outage would cost $500 K an hour, a patchless control that buys 48 hours saves real money.
  • Risk reduced: Shrink the exposure window from weeks to hours even when you can’t reboot.
  • Team harmony: Ops keeps uptime SLAs, SecOps keeps the Board off the front page.

Five‑step blueprint you can steal

  1. Map “can’t reboot” assets. Think point‑of‑sale clusters, trading platforms, healthcare devices.
  2. Pre‑stage patchless agents. They do nothing until you flip the switch, but they are already installed, signed and trusted. Verify that signature and pin the version at staging time; a dormant agent with admin or kernel rights is part of your supply chain too.
  3. Define auto‑deploy rules. Example: Exploit POC seen on GitHub ⇒ apply virtual patch within one hour.
  4. Attach expiry dates. Every compensating control gets a sunset date equal to the next maintenance window.
  5. Drill, don’t hope. Run tabletop exercises: “Patch not available, restart forbidden—go!”
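The two procedures above (agree on risk triggers, label controls temporary, automate evidence, sunset at the next window) as an added, runnable example; this is illustration code written for this page, not Vicarius code or product logic. Advisories and an asset inventory go in; out come the virtual patches to apply now, each stamped with an expiry equal to that asset's next maintenance window, plus an evidence record an auditor can read. Product names, host names, the CVE placeholder IDs and the maintenance schedule are constructed sample data, and the thresholds (one hour for exploit-in-the-wild or a public PoC, 24 hours for a merely critical asset) are assumptions chosen to match the article's rules.

```python
"""Risk-trigger evaluator for compensating ("patchless") controls.

Added example, not Vicarius code. All inputs below are constructed sample data.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import Optional
import json


@dataclass(frozen=True)
class Advisory:
    cve: str                         # placeholder IDs below, not real CVEs
    product: str
    patch_available: bool
    exploited_in_wild: bool = False  # e.g. listed in CISA's KEV catalog
    public_poc: bool = False         # e.g. a PoC published on GitHub


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    critical: bool
    reboot_allowed: bool
    maintenance_weekday: int         # 0 = Monday ... 6 = Sunday
    maintenance_hour: int            # local hour the window opens


@dataclass
class Control:
    cve: str
    asset: str
    kind: str
    sla_hours: int                   # how fast the shield must be live
    expires_at: datetime             # sunset = next maintenance window
    status: str = "temporary"        # the CMDB label from step 2


def next_maintenance_window(now: datetime, asset: Asset) -> datetime:
    """First window strictly after `now` on this asset's weekly schedule."""
    days_ahead = (asset.maintenance_weekday - now.weekday()) % 7
    candidate = (now + timedelta(days=days_ahead)).replace(
        hour=asset.maintenance_hour, minute=0, second=0, microsecond=0)
    if candidate <= now:             # today's window already passed
        candidate += timedelta(days=7)
    return candidate


def decide(adv: Advisory, asset: Asset, now: datetime) -> Optional[Control]:
    """Trigger rules (thresholds are assumptions matching the article):
    exploit in the wild or public PoC -> shield within one hour;
    critical asset with no exploit evidence -> within a day; else wait."""
    if adv.product != asset.product:
        return None
    if adv.patch_available and asset.reboot_allowed:
        return None                  # normal patch flow, no band-aid needed
    if adv.exploited_in_wild or adv.public_poc:
        sla_hours = 1
    elif asset.critical:
        sla_hours = 24
    else:
        return None                  # wait for the vendor fix at the next window
    return Control(cve=adv.cve, asset=asset.name, kind="virtual_patch",
                   sla_hours=sla_hours,
                   expires_at=next_maintenance_window(now, asset))


def plan(advisories, assets, now):
    """Every (advisory, asset) pair that needs a compensating control."""
    return [c for adv in advisories for asset in assets
            if (c := decide(adv, asset, now)) is not None]


def expired_controls(controls, now):
    """Temporary controls past their sunset: replace with the vendor patch
    or consciously re-approve them; never let them linger unnoticed."""
    return [c for c in controls
            if c.status == "temporary" and c.expires_at <= now]


def evidence_records(controls, decided_at):
    """Audit trail: what was shielded, why, and when it must be removed."""
    out = []
    for c in controls:
        rec = asdict(c)
        rec["expires_at"] = c.expires_at.isoformat()
        rec["decided_at"] = decided_at.isoformat()
        out.append(rec)
    return out


# Constructed sample data (placeholder products, hosts and IDs).
SAMPLE_NOW = datetime(2024, 5, 6, 0, 30)        # a Monday, just after midnight
SAMPLE_ASSETS = [
    Asset("pos-db-01", "AcmeDB", critical=True, reboot_allowed=False,
          maintenance_weekday=6, maintenance_hour=2),    # Sunday 02:00
    Asset("web-edge-02", "WebFront", critical=False, reboot_allowed=True,
          maintenance_weekday=5, maintenance_hour=3),    # Saturday 03:00
]
SAMPLE_ADVISORIES = [
    Advisory("CVE-XXXX-0001", "AcmeDB", patch_available=False, exploited_in_wild=True),
    Advisory("CVE-XXXX-0002", "AcmeDB", patch_available=True, public_poc=True),
    Advisory("CVE-XXXX-0003", "WebFront", patch_available=False),
]

if __name__ == "__main__":
    controls = plan(SAMPLE_ADVISORIES, SAMPLE_ASSETS, SAMPLE_NOW)
    for rec in evidence_records(controls, SAMPLE_NOW):
        print(json.dumps(rec))        # one JSON line per control, for the dashboard
```

Run it and the non-reboot database gets two one-hour virtual patches, both expiring at Sunday 02:00; the web edge host gets nothing because its advisory has no exploit evidence and it can take a normal patch. Running `expired_controls` on the same list from a scheduled job is what turns the "temporary" label into an actual removal task instead of a good intention.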

Final thoughts (served with tahini)

I treat patchless protection like good tahini: it binds the dish until the rest of the ingredients are ready. Automate the shield, respect the reboot veto, and keep the board focused on risk math instead of vendor lead times. See you in the maintenance window—bring coffee and maybe some pita.

More articles by Vicarius

Others also viewed

Explore content categories