Yesterday I attended a course (VM, PC and WAS). I found a somewhat philosophical question, so I decided not to take up course time and to ask the community instead.
Imagine we are in a big enterprise (let it be 20k+ PCs under control). Why do we need VM? To my mind PC should be enough.
All IT activities in such a company should comply with policy: patches cannot be installed only because they're missing. Moreover, installing patches right after they've appeared is economically unprofitable - too many man-hours just to install patches. Security is a tradeoff, so it's always compared with the economics of this or that security control. So in that big enterprise there is a line, "acceptable risk level", that actually has an "acceptable vulnerability level" - not all vulnerabilities have to be fixed. This is a level for compliance.
Once this compliance level is configured (and properly approved with business owners and management, because vulnerability fixing may cause downtime), my further task is just to find systems that do not comply and fix what's wrong. This is how the compliance module works.
Why do I need the VM module? I don't need all patches to be installed and all vulnerabilities to be fixed (this is too expensive and unneeded inside the LAN, because we have other security controls like perimeter security, intrusion detection, etc.); I need my infrastructure to _comply_ with my Acceptable security level (my security baseline).
What is your opinion about this?
Thanks a lot