When I speak to application owners, they often tell me that database servers are the most difficult servers to get a change window to apply application and OS level patches. While you can apply a number of load balanced servers more upstream in the application stack like the web tier, as you go further down towards the database tiers things aren't so easy. In fact I have had one security security architect tell me that the only time they can patch their database servers is Christmas Day.
Imagine if you could have a map of your applications showing what ports and services are in use. If that map could tell you that vulnerabilities did exist but those services are not being utilized, wouldn't it be a convenience to turn off access to that vulnerability by applying segmentation? Or if it is being used it would also be convenient to restrict connectivity to that vulnerable port to the servers that absolutely need it as opposed to everything inside the data center?
When you unwind the 20-30 years of muscle memory of enforcing policy in the network, move it to the server, add a map and your vulnerability scan results, you have a lot of power.
Microsoft and Oracle issued security updates with Redmond, Wash., company patching a single issue in Windows Defender Application Control while Oracle’s update covered over 100 products and dozens of vulnerabilities.