Patching vs. Intrusion Prevention.
I'd better start this entry off by stating that for a living (what puts bread on my table) I write computer security tools and technology, with my latest research into mandatory access control driven by providing “process rights management” through host-based intrusion prevention. Ya, it's a mouthful, but basically I have written code that grafts onto the Windows kernel to strengthen the Windows platform by providing application confinement and isolation from the rest of the system. The result is that I can apply the rule of least privilege to resources on a machine and provide safe containment… isolating suspect or even hostile activities from destroying a system.
The reason I am telling you this is that today I noticed a debate on Network World called “Is patch mgmt. the best protection against vulnerabilities?” in which Shavlik Technologies (for) and Sana Security (against) face off. It's hard to say this without you snickering at me, but I HATE it when you square off two vendors to make an assessment for the information security profession when both have a stake in their position. (In case you didn't know, Shavlik sells patch management software and Sana sells intrusion prevention software.) It is typically biased and slanted towards their product.
Let's get real. The reality is BOTH are right, and BOTH are wrong, for different reasons. Let's look at this from an infosec point of view while understanding the mindset of an administrator responsible for the critical infrastructure of an organization.
Patch management is only effective when actually completed in a timely manner to reduce the threat of exposure from attack. If you look at the most recent trends, most attack vectors are built AFTER a patch is released, as it is much easier for an attacker to disassemble a patch to find the vulnerability (or vulnerabilities) in question and create new hostile code to exploit it. The “for” camp in this argument states that application and OS vendors don't always tell you what the patch fixes, which means you need to patch against the unknown. Here is the problem with that argument. How can an administrator of a Fortune 100 company blindly patch a system with code he knows nothing about… especially if you KNOW the vendor isn't telling you everything? They can't. Which is why they typically do a staged roll out in a 'clean room' to do regression testing against their existing architecture. And in many cases… the patches do more harm to their system than good. Countless avenues of attack are meanwhile generated, exposing the business to more risk. The time between patch release and exploit release is shortening, as attackers get smarter in their disassembly techniques.
On the other side, the “against” camp states that because customers are not aware of new vulnerabilities they cannot defend against the new exploits… but host-based intrusion prevention software will solve it. There is a catch they don't want to tell you. Most intrusion prevention systems use a combination of signature-based techniques and whitelist databases to determine access control. The problem with this is that new 0-day attacks don't play by these rules, and they can typically get around such techniques. Moreover, if you use a stringent set of “don't” rules… you end up with an administrative nightmare trying to tune the IPS to work in your environment.
The proof is in how signature-based solutions have failed in other security verticals. Look at antivirus and personal firewalls as an example. The latest CSI/FBI Computer Crime and Security Survey shows that of those organizations that reported breaches in the last 12 months, 98% had firewalls in place, and 99% had antivirus. Yet they were still breached. Does that mean we throw the technology out? No. It just means that they don't work alone, in isolated environments. And how much WORSE would the breach have been WITHOUT the technology in place?
To properly defend against the digital divide, we need to use a layered defensive posture which includes it all. We should have firewalls, antivirus, network IDS, host-based IPS and patch management. Our decisions have to be part of a BIGGER process in the security management lifecycle. (This is why Schneier says security is a process, not a product.) Remember when I was talking about the 8 rules of Information Security last year? Using a defensive posture like this touches on almost every rule:
- You need to control change management. (Rule of Change Management) You cannot blindly apply patches, but you need to be vigilant and ensure all systems are up to date. Staged roll out is one way to test the change management process and fully understand the implications of the changes.
- It's not just about applying technology and leaving it alone. (Rule of the Three-Fold Process) You must include monitoring and administration to ensure you keep up to date. Patch management systems are great for this.
- You must consider everything hostile, and then slowly allow things to happen on your systems. (A combination of the Rule of Least Privilege and the Rule of Trust) Host-based intrusion prevention is perfect for that, when properly tuned and in force.
- Keeping up with patches ensures that you are strengthening your weakest points at all times. (Rule of Preventative Action)
- Host-based intrusion prevention not only DETECTS attacks, it can PREVENT them. That's the whole point of them. As such, you can immediately respond to threats as they occur in a sane manner, using the logs/reports to provide forensic audits of the attack. (Rule of Immediate and Proper Response) Hell, my IPS system will even go so far as to terminate the attack in mid-execution if it matches certain criteria (defined by the administrator, of course).
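To make the difference between the two approaches concrete, here is a small evaluator I've added for this entry (it is not code from my product, nor from Shavlik or Sana). It puts a signature blacklist beside a default-deny, least-privilege allowlist of the kind described above and runs the same constructed access requests through both. The process names, paths and rules are hypothetical; the point is that a process the blacklist has never seen sails through, while the allowlist denies it and leaves an audit line behind for the forensic review mentioned in the last rule.

```python
"""Toy comparison of signature-based versus default-deny access control.

Added illustration only; not the author's kernel code or any vendor product.
All process names, paths and signatures below are constructed for the example.
"""
from dataclasses import dataclass, field
import fnmatch


@dataclass(frozen=True)
class Request:
    process: str   # image name of the process making the request
    op: str        # "read", "write", "exec" or "connect"
    resource: str  # file path or host:port being touched


# A signature blacklist only knows what has already been catalogued.
# (Constructed signature names, not real malware identifiers.)
KNOWN_BAD_SIGNATURES = {"evil.exe", "worm_a.dll"}


def signature_decision(req: Request) -> str:
    """Blacklist model: anything not on the list is allowed by default."""
    return "deny" if req.process in KNOWN_BAD_SIGNATURES else "allow"


@dataclass
class LeastPrivilegePolicy:
    """Allowlist model: a process may only do what an admin granted it."""
    rules: dict = field(default_factory=dict)   # process -> [(op, glob)]
    audit: list = field(default_factory=list)   # denial log for forensics

    def allow(self, process: str, op: str, pattern: str) -> None:
        self.rules.setdefault(process, []).append((op, pattern))

    def decide(self, req: Request) -> str:
        for op, pattern in self.rules.get(req.process, []):
            # fnmatchcase keeps matching identical across platforms
            if op == req.op and fnmatch.fnmatchcase(req.resource, pattern):
                return "allow"
        # Default deny: unknown process or unexpected operation is blocked
        self.audit.append(f"DENY process={req.process} op={req.op} "
                          f"resource={req.resource}")
        return "deny"


def build_example_policy() -> LeastPrivilegePolicy:
    """Hypothetical confinement rules for a web server and a backup agent."""
    policy = LeastPrivilegePolicy()
    policy.allow("w3wp.exe", "read", r"C:\inetpub\wwwroot\*")
    policy.allow("w3wp.exe", "connect", "sqlsrv01:1433")
    policy.allow("backup.exe", "read", r"D:\data\*")
    policy.allow("backup.exe", "write", r"E:\backups\*")
    return policy


def evaluate(policy: LeastPrivilegePolicy, req: Request) -> tuple:
    """Return (signature verdict, least-privilege verdict) for one request."""
    return signature_decision(req), policy.decide(req)


def run_demo() -> list:
    """Run constructed requests through both models; return the audit log."""
    policy = build_example_policy()
    requests = [
        # Normal web server activity: both models allow it
        Request("w3wp.exe", "read", r"C:\inetpub\wwwroot\index.html"),
        # Previously catalogued malware: both models deny it
        Request("evil.exe", "exec", r"C:\Temp\evil.exe"),
        # Never-seen binary writing into the system directory: only the
        # allowlist stops it, because no signature exists for it yet
        Request("unseen.exe", "write", r"C:\Windows\System32\drivers\x.sys"),
        # A trusted process stepping outside its granted rights is still denied
        Request("w3wp.exe", "write", r"C:\Windows\System32\cmd.exe"),
    ]
    for req in requests:
        sig, lp = evaluate(policy, req)
        print(f"{req.process:12} {req.op:8} {req.resource:45} "
              f"signature={sig:5} least-privilege={lp}")
    return policy.audit


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Note the last request: even a legitimately confined process gets denied when it tries something its rules never granted, which is exactly the "consider everything hostile, then slowly allow" posture. The cost is the tuning burden mentioned earlier; every legitimate operation has to be enumerated before the policy is enforced.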
My point here, folks, is that as vendors we sometimes seem to use FUD or “tainted” messaging to sell our products. Don't buy into it. (And if you ever see my company do it, please email me with a stern warning and point me to this entry.) Always consider the bigger picture in your security management lifecycle when evaluating technology. After all… technology is simply an enabler. It's not the solution!
Oh… and if you ARE going to roll out host-based intrusion prevention on Microsoft Windows servers, contact me. I might be able to help you out. [Dana Epp's ramblings at the Sanctuary]