Can IPS Counter the Patch-Lag Window?

By Jeff Vance


Automated patch management and intrusion prevention have been getting a lot of attention lately. With patching, this is due in large part to Microsoft paying closer attention to potential exploits and publishing fixes more regularly and coherently.

Intrusion prevention system (IPS) vendors have been following patching trends and making the case that gaps in patch management create the need for something akin to IPS.

In June 2003, Gartner predicted that the intrusion-detection system (IDS) sector would be dead by 2005 and advised companies to instead spend their security dollars on better network and application firewalls. Since that time, IDSs have morphed into IPSs, but has anything really changed?

"If you expect to solve all of your problems with patching or signature updates, you don't understand the problem," said Andre Yee, president and CEO of NFR Security, an IPS provider.

IPS vendors believe that firewalls, anti-virus systems, patch-management systems, and the like are all deterministic and reactive. So, even with better automated patching solutions catching on and even with more comprehensive firewalls in place, there is still a strong case to be made for something that takes a more preventative approach to security.

Closing the Vulnerability Window

Yee explained that patching is a critical component of any enterprise security strategy, but the problem is that patching leaves open a "patch-lag window," which is defined as the time between when a vulnerability is discovered and a patch is effectively deployed.

Many patches are released at the same time that a vulnerability is published, but even then an enterprise IT staff is not off the hook.

"The average time between when an exploit is identified and when a virus takes advantage of it has shrunk to about 5.8 days," said Rob Shively, CEO of PivX Solutions, an IPS provider. "What we hear from system administrators is that even with automated patching, they don't have enough time to do sufficient regression testing and deployment."

Because of this, the automated patch management space has heated up. Start-up companies are pushing the technology, offering the most comprehensive, feature-laden products, but the major players also have an eye towards making patching easier for their customers.

Start-ups like Configuresoft, Opsware, PatchLink, and Shavlik all offer automated patching suites, while Microsoft's Windows Update Service (WUS) is intended to smooth out the patching process for Microsoft's own products.

First Things First

For IT managers evaluating potential patching solutions, the problem is that there is a good deal of work to be done before they even start worrying about patching or upgrading their perimeter security devices: security policies need to be defined, and processes must be put into place so this chaotic process is manageable.

"For an IT administrator, the first step in the patch-management process isn't patching," said Peter Firstbrook, an analyst with the Meta Group. "The first step is asset management. You need to figure out what devices and applications your enterprise actually has."

In a global enterprise, this is no small task. Once you've figured out what exact assets you have, then you must match that up with a security strategy, said Firstbrook. "The second step is to correlate your assets with risk."

Firstbrook cautioned that a single network scan is not enough. New devices and applications -- authorized or not -- pop up all the time, so it's important to continue scanning on a regular basis. A single rogue wireless LAN access point could compromise an otherwise solid security profile.

Spinning IPS

Following this logic, the story that IPS vendors spin is that the limits of patching prove the need for their products. IPSs look for traffic anomalies and block potentially malicious activities before the network is infected. However, there is some debate as to how effective these products are.

"Intrusion detection systems aren't foolproof," said Joseph Cupano, technical director at Solsoft, a provider of network security policy management software. "Issues like management overhead, false positives, and interoperability all give IT managers headaches."

The problem with relying too heavily on firewalls, anti-virus, patching, and other point solutions is that all of these solutions overlook fundamental security questions.

"IT managers must ask questions like how do you identify the right security for your organization; how do you implement and manage security products so they meet the business goals of the organization; and how do you integrate each security product within an overall security posture?" Cupano said.

In short, IT administrators have been thinking about security the wrong way: reactively.

Cupano argues that only a proactive approach that seeks to prevent incidents before they arise meets the needs of global enterprises.

This insight has not been lost on IDS providers, so many have replaced the "D" in IDS (for detection) with a "P" for prevention.

IDS v. IPS

Historically, IDSs could be unmanageable. They tracked and logged network activity, but they generated too many false alarms and too much information to be useful.

Next-generation IPSs are said to remedy these problems, but before you run out to buy one for your company, you should realize that IPSs themselves are already evolving into very different products.

"What we do is analyze root-cause vulnerability," said Shively of PivX. "Our IPS looks at critical functions and literally blocks or shuts down an infection vector."

In developing their product, Shively says that PivX looked at security from a hacker's perspective. For instance, how would a hacker gain control of a PC? As opposed to a signature approach, they came up with as many answers to that question as possible and built the responses into their IPS.

"An example is RPC-DCOM," Shively said. "It is enabled by default in 100% of Microsoft operating systems, but only about one-tenth-of-one-percent of users need the feature enabled. And an RPC-DCOM vulnerability is what led to Blaster. What our system does is go in and disable this by default. The small percentage of users who need RPC-DCOM enabled can go in later and enable it."

Shively refers to this approach as "active system hardening," and he believes that it plugs many of the holes that firewalls, anti-virus systems, patching, and older IDSs leave open.

Martin Roesch, one of the heavy hitters in the IDS world, has a similar take. One of the most widely used IDSs is the open-source Snort software, which Roesch created. Now, he's the CTO of Sourcefire, a provider of IPS and "real-time network awareness" (RNA) products.

Roesch argues that IDSs have not really evolved at all, and he predicts that many IPS products will soon fall victim to the same old problems that IDSs faced.

"Most IPSs don't do anything differently than IDSs did," he said. "They're only sitting on a different place in the network."

He argues that they've solved the problem of information overload and false alarms by ignoring much of the data they previously collected. In other words, they've simply become a different kind of firewall.

"Enterprises need firewalls, certainly, but firewalls don't 'prevent' unknown attacks," Roesch added.

Roesch believes that before IPSs can be successful, organizations must understand the nature of their networks and the behavior of acceptable traffic. But perhaps Roesch's most interesting point about how the IPS segment is evolving is one about interoperability.

"If security products don't work together, you're bound to have problems," Roesch said. "However, if you can use your various security products holistically to better see and understand your network, you are better off.

"Attacks will always evolve, but change in a network is hard to mask, and if you can identify and act on change, your organization will be much better protected."

It's a pitch for more open products and an old developer's argument that, unfortunately, usually falls on deaf ears.
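As an added illustration (not from the article or from any vendor it quotes), the Python below ties together the asset-inventory step Firstbrook describes, the "patch-lag window" Yee defines, and Roesch's point about identifying and acting on network change: it diffs two consecutive scans to surface new or altered hosts, then measures each vulnerable host's patch lag in days against the 5.8-day exploit turnaround quoted above. Host names, service names and dates are constructed sample data.

```python
from datetime import date

EXPLOIT_TURNAROUND_DAYS = 5.8   # exploit-to-malware interval quoted in the article
TODAY = date(2003, 8, 1)        # constructed "now" for the worked run

# Constructed inventory: two consecutive scans, host -> set of exposed services.
SCAN_PREV = {
    "ws-01": {"windows", "rpc-dcom"},
    "ws-02": {"windows", "rpc-dcom", "iis"},
    "ws-03": {"windows", "rpc-dcom"},
}
SCAN_CURR = {
    "ws-01": {"windows"},                    # rpc-dcom disabled: active hardening
    "ws-02": {"windows", "rpc-dcom", "iis"},
    "ws-03": {"windows", "rpc-dcom"},
    "ap-rogue": {"wifi-ap"},                 # unauthorized access point appeared
}
VULNS = {"rpc-dcom": date(2003, 7, 16)}     # constructed: service -> disclosure date
PATCHED = {("ws-02", "rpc-dcom"): date(2003, 7, 18)}  # constructed patch deployment log

def inventory_changes(prev, curr):
    """Diff two scans: hosts that appeared or vanished, and per-host service changes."""
    changed = {}
    for host in set(prev) & set(curr):
        added, removed = curr[host] - prev[host], prev[host] - curr[host]
        if added or removed:
            changed[host] = {"added": sorted(added), "removed": sorted(removed)}
    return {"new_hosts": sorted(set(curr) - set(prev)),
            "gone_hosts": sorted(set(prev) - set(curr)),
            "changed": changed}

def patch_lag_days(disclosed, patched, today):
    """Patch-lag window in days: disclosure until deployment, or until today if still open."""
    return ((patched or today) - disclosed).days

def exposure_report(scan, vulns, patched, today):
    """One row per host/service with a known vulnerability, flagging windows that
    already exceed the exploit turnaround the article cites."""
    rows = []
    for host, services in sorted(scan.items()):
        for svc in sorted(services & set(vulns)):
            lag = patch_lag_days(vulns[svc], patched.get((host, svc)), today)
            rows.append({"host": host, "service": svc, "lag_days": lag,
                         "patched": (host, svc) in patched,
                         "over_threshold": lag > EXPLOIT_TURNAROUND_DAYS})
    return rows
```

Running `inventory_changes(SCAN_PREV, SCAN_CURR)` flags the rogue access point and the hardened ws-01, while `exposure_report(SCAN_CURR, VULNS, PATCHED, TODAY)` shows ws-03 still inside a 16-day window that a 5.8-day exploit turnaround would already have closed.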