Mitigating the Exposure Window of Sasser with Host IPS

Mitigating the Exposure Window of Sasser with Host IPS.

One
of the things that drives me on a daily basis to build and refine our
Host-based Intrusion Prevention System (IPS) for the Windows platform
is that the Exposure Window of a vulnerability continues
to grow. New unknown threats to critical business resources continue to
expose businesses to larger risk across a greater timeline which is
just unacceptable. Recently I had the pleasure of sitting down to
dinner with Rob Clyde (CTO of Symantec) and listen to him talk about
the fact that the time between a patch release and a new attack pattern
utilizing the vulnerability is now 5.8 days from announcement. With
most patch management release cycles for businesses EASILY 30 days or
more (his stat, not mine), and antivirus signatures taking days after
the attack is understood, antivirus and patch management alone is NOT
an effective barrier to reduce the risk to acceptable levels for most
businesses.

PC World published an article last month on the case of Sasser. (Found through F-Secure's blog). What I found interesting was the timeline they produced.

Here are some interesting stats:

  • In 2003/2004, it took Microsoft 188 days from the point the vulnerability was reported to the point a patch was rolled out.
  • It took 18 days from the point the patch came out that the first attack occured that the public knew about.
  • It took 6 days after the attack occured that someone rolled
    over on his buddy and the original author was arrested by German
    police.
  • There was a 206 day “Exposure Window” where critical business
    resources were exposed to a threat that their antivirus could not
    protect against, which some people in the industry knew about. EEye
    (the original analysts that found the vulnerability) had posted on
    their Upcoming Advisory site anonymous info about this critical bug (without releasing real details). Heck as of today EEye has other advisories like EEYEB-20040802-C which are over 120 days.
  • It took approximately 220 days from the finding of the vulnerability to having most systems patched against this threat vector.

And you wonder why I am working on Host IPS? Resiliency in
systems needs to defend against the UNKNOWN, not just the known. We
have to throw out traditional thinking about how we patch and pray
while we are at risk. We have to have a higher level of thinking about
infosec and mitigate the risks by understanding how our systems work
and consider anything anomolous to be hostile until otherwise proven
not to be… and ALWAYS block such behaviour… reducing the impact of
threats in the Exposure Window. We need to apply least privilege
containment to processes to limit the damage that can occur on a
system, and ensure system and data integrity by protecting HOW the host
acts.

The result? A safer computing environment for our critical business
resources… the very Windows servers that run the IT infrastructure of
our organizations. Host IPS gives administrators a chance against the
Exposure Window to properly roll out their patches and get their
antivirus signatures in place.

And thats a good thing. And that is what drives me each and every day. 
[Dana Epp's ramblings at the Sanctuary]

Leave a comment