Guest blog by Chris Van Den Abbeele – Global Solution Architect Datacenter en Cloud Security, Trend Micro
Automated virtual patching raises your security level and lowers your operational expenses.
Updating can be a painful process. It takes a lot of time, isn’t without risk and inherently leads to downtime. Virtual updates are just as safe, immediately available and best of all, free of complications. Physical updates remain a necessity, but in order to address the most urgent issues, you’re better off going virtual.
Every IT administrator kindles a love-hate relationship with software upgrades. On the one hand, security patches provide necessary protection against hackers looking to misuse private company data. On the other hand, updates can be the harbinger of a great many problems. You might lose compatibility with mission-critical software, downtime is inevitable, and it is nearly impossible to roll back once disaster strikes.
The moment security researches reveal a newly discovered zero day vulnerability, all bets are off. We all start to run around in a panic as if our hair was on fire. Who can patch the leak? When can we test the patch? Do we even have a maintenance window available? What systems and applications are vulnerable?
If you do manage to apply a patch to a critical zero-day leak in your infrastructure, you can count yourself among the fastest patchers out there. Despite your best efforts, you’ll nonetheless have been too slow. Hackers try to exploit a zero-day vulnerability as soon as they get wind of it. For every hour your system is vulnerable, the question is not if you’ll be targeted, but rather how many times hackers wil gain entrance. One company I monitored during five days after the reveal of the ShellShock-vulnerability got targeted no less than 766 times by attacks using the zero-day backdoor.
Luckily, the company had additional protection in place, even without ShellShock-updates installed. The solution that managed to stop the slew of attacks is called ‘virtual patching’, although I personally think ‘vulnerability shielding’ is a better name. A virtual patch is in essence a virtual cocoon wrapped around a potentially vulnerable application or server. All network traffic passing trough the cocoon gets analyzed thoroughly. It might not be possible to patch a newly found vulnerability immediately, but you can try to find out how hackers are exploiting it. Every attack leaves a digital signature inside of the network traffic. A virtual patch looks for these telltale signatures. Any suspicious activity gets stopped at the edge of the cocoon, before an attack can reach the vulnerable application or server.
Imagine a house with a broken front door lock. The locksmith would love to come by, but he only has time to do so a couple of weeks from now. In the meantime, when a thief reaches the front door, he can sneak inside unimpeded. If the owner of the house were to place a giant fence around his property, and if he were to hire a guard to look after the fence, the broken lock all of a sudden becomes a non-issue. Any thief attempting to gain entrance to the house using the vulnerable door, will be stopped by the guard and the fence before he ever reaches his target. Virtual patching is a digital implementation of such a fence and guard.
As such, a virtual patch doesn’t address zero-day vulnerabilities directly. It does provide an additional layer of protection. That in turn brings new possibilities to the table. You can for instance automate the entire virtual patching process. Imagine a routine scan of your IT-infrastructure, looking for new vulnerabilities, happening every day. From the moment the scan identifies an issue, you can add additional detection rules looking for attacks trying to exploit that issue. Since neither the application nor the server need to go offline for the new rules to be implemented, there is no downtime.
Zero day vulnerability? Not an issue
The best scenario is a virtual patching system connected directly to a database of vulnerabilities that is entirely up to date. Researchers from the Zero Day initiative for instance look for new zero-day leaks all day, every day. Whenever they find one, standard protocol is to allow the provider of the vulnerable system enough time to develop a patch. They only go public with their findings after this initial grace period. If the provider of your virtual patch solution is part of this initiative, the database powering the detection rules gets updated even before the existence of the zero-day issue is made public. That way, your IT environment is protected before the threat really escalates.
Just like real patches, virtual patches aren’t immune to false positives. In some very rare cases, it’s possible for the traffic detection algorithms to block valid network traffic. This can cause an application to malfunction. When an issue like this occurs after a regular software patch, you’re in trouble. Rolling back to a previous version of an application is a cumbersome process requiring new downtime. Virtual patches provide IT administrators with an alert detailing which rule is responsible for blocking traffic. The admin can easily change the behavior of the rule and set it to detect-only mode. That way, critical business processes remain unaffected while there is still some layer of protection in place.
A typical patch cycle consists of a monthly window in which security updates are applied. Microsoft’s Patch Tuesday is a great example of this approach. Every six months, a bigger window exists for applying larger functionality upgrades. Automated virtual patching makes a hacker think your IT infrastructure gets the newest updates on a daily basis.
This dramatically limits the ‘window of opportunity’ for a hacker. Instead of months, he only has days or even just hours in which he can try to exploit new vulnerabilities. Furthermore, the easy automation of the entire process gives you the opportunity to cut back operational expenses. All in all, you’ll get a greatly increased security posture while IT has to invest less time in keeping the infrastructure safe. That’s what I call a win-win scenario.