Virtual patching uses policies, rules and security tools to block access to a vulnerability until it can be patched.
Zero-day threats and legacy systems are two ways that vulnerabilities can be created for which no patch may exist for some time, if ever. In those cases, security teams can block a potential attack path until a permanent fix can be found.
Cyber criminals rush to exploit vulnerabilities, bugs, errors, misconfigurations, and unchecked code before patches become available and security teams are able to test and deploy them, so security teams must respond with equal speed to close off potential attack paths to those vulnerabilities until they can be patched. Those defensive steps are referred to as virtual patching. We’ll focus here on how security teams deploy those defenses.
How Virtual Patching Works
Also known as external patching or just-in-time patching, the term virtual patching was coined by intrusion prevention system (IPS) vendors several years ago. Virtual patching bypasses the complex and time-consuming process of developing and deploying patches by using rules, mitigations and protective steps, often at the IPS or firewall level, to shore up networks to prevent attackers or malware from accessing these vulnerabilities.
Virtual patches are similar to vendor patches in the sense that they protect against specific exploits. The main difference is that a virtual patch is deployed at the network level, typically using an IPS or firewall rule, instead of the device or asset that contains the vulnerability.
IPS solutions are built to monitor and inspect traffic while blocking malicious activities. Using virtual patches, IPS can identify and stop attempts targeting a specific vulnerability. This creates a layer of protection around the vulnerable asset instead of patching the asset itself. IPS signatures or virtual patches can be deployed at the network level using the intrusion prevention (IPS) functionality built into a next-generation firewall (NGFW), a web application firewall (WAF) or a traditional standalone IPS appliance.
Virtual patches must work to prioritize business-critical network traffic, be effective in their ability to shield a vulnerable asset, and be coded for rapid and correct deployment on different environments: mobile, cloud, hybrid, or web. Virtual patching must also be able to run deep packet inspection to shut down malicious packets and attempted attacks hiding in web and network traffic.
Virtual Patching Best Practices and Phases
Virtual patching requires several phases to be done correctly: preparation, identification, analysis, virtual patch creation, implementation and testing, and recovery and follow-up.
Virtual patching should be part of a continuous offensive security approach. This means it should not react to vulnerability exploits but prevent them before they happen. The security groundwork is done in the preparation stage.
A critical step is ensuring you get all updates, patches, and vulnerability alerts set up. Additionally, to avoid authorization delays, virtual patches can be pre-authorized. Virtual patches do not affect the asset’s code itself, so exhaustive tests on the affected app are not needed. It can also help protect an asset as the real patch is being developed and tested.
“Categorizing virtual patches in the same group as Anti-Virus updates or Network IDS signatures helps to speed up the authorization process and minimize extended testing phases,” recommends the Open Web Application Security Project (OWASP).
Virtual patching tools must be deployed and operational. For tools like ModSecurity WAF for Apache servers (which works on non-Apache services as well) or OWASP’s ESAPI WAF, it’s best to have them installed and enabled. That way, when you need them they’re ready to go.
There are two methods for identifying vulnerabilities: proactive and reactive. Proactive identification approaches are recommended. In this method, organizations conduct penetration tests and vulnerability scanning and use other tools to identify weaknesses before attackers can exploit them. Reactive identification comes in late when the vulnerability is already disclosed by vendors, commercial application software developers, or a security incident.
Once a vulnerability has been identified, it needs to be analyzed before the patch is deployed. Organizations need to ask themselves what the exposure is, where it is found, what systems it affects, and how it can be exploited. Analyzing whether the flaw affects business-critical assets is also crucial.
Secondly, security teams must determine if the virtual patching tool can detect the flaw. Using the vulnerability information, the bug tracking system can also monitor and inform on the incident. The vulnerability identifier (CVE name/number) must also be double-checked.
Additionally, an inventory of the software and systems impacted must be done, and configurations that trigger the problem must be listed. Vulnerability announcements also usually reveal the exploit code; this data can be used to develop and test virtual patches.
Virtual patch creation
The identification phase will help you determine the priority, risk, and time-to-fix parameters. Sometimes complete fixes cannot be applied due to high risks in real-time settings. Partial fixes can buy you enough time to develop more comprehensive patches. A virtual patch is about risk reduction, so be prepared to compromise if necessary.
There are two rules for virtual patch development: positive (allow) and negative (block) approaches. A virtual patch should never block legitimate traffic or miss an attack, even when malware is coded to evade detection.
In positive manual virtual patches, models are coded with valid inputs such as character set, length and others, while the rest is denied access. In contrast, in negative security blocks, list patch rules detect specific attacks and only block those. Negative patches are easier and faster to code but can be more easily evaded. Positive patches, on the other hand, may not be feasibly deployed in time in large environments since they are manually coded.
Companies can also benefit from automated virtual patch creation tools that use the XML report created by automated vulnerability detection tools. These automated patches are created by auto-converting vulnerability data into virtual patches. Examples of automated virtual patch creation tools are OWASP ModSecurity Core Rule Set (CRS) Scripts, ThreadFix Virtual Patching, and Direct Importing to WAF Devices provided by many vendors.
Implementation and testing
There are different tools to implement virtual patches. These include web browsers, command-line web clients such as Curl and Wget, local proxy servers, and ModSecurity AuditViewer.
Regarding testing, if you used a vulnerability scanning tool or detected a flaw with a penetration test, you should rerun the scans and tests to check that the virtual patch is working. To ensure you are not blocking any normal traffic, you should initially set a log-only configuration when implementing virtual patches.
Recovery and follow up
Virtual patching does not end with implementation and testing. Cyber criminals update attacks with evolving malware exploit versions. The virtual patch must be followed up and monitored. Organizations should also document the entire process in case they need to restart the cycle.
Virtual patch performance must also be controlled, making sure traffic is not being affected improperly. Additionally, virtual patches are often temporary fixes, so they must be checked to see if the original asset patch has been released and installed.
What Can Happen to Unpatched Vulnerabilities?
Cyber criminals are constantly searching for vulnerabilities to execute attacks. Zero-day attacks are becoming increasingly common and dangerous. Furthermore, ethical hackers working in bug bounty programs, such as HackerOne, also reveal vulnerabilities every day. All of these issues are exploited by attackers.
The consequences of not patching business-critical security flaws are severe. They range from massive sensitive data leaks, data theft, ransomware, fines, reputation and financial losses, to shutdown of operations due to compromised systems. Many top vendors offer virtual patching services. These can be effective for businesses that do not have the in-house resources to develop their virtual patches.
Developers and technology companies will often release temporary patches or mitigation steps to plug vulnerabilities until official patches can be released, so security teams have some help in their virtual patching programs.
- Vulnerability Management as a Service: Top VMaaS Providers
- Best Patch Management Service Providers
- Best Patch Management Software & Tools
Pros and Cons of Virtual Patching
Undeniably, virtual patching is critical due to the rapid evolution of the threat landscape. However, virtual patching is designed to be a temporary fix. It does not patch the vulnerability itself but prevents traffic from accessing and exploiting it.
One of the most significant benefits of virtual patching is that it buys security teams and developers the necessary time it takes to create real patches. Virtual patches also accelerate testing and deployment by gathering information on the threat. Fixing and coding software or applications can be time-consuming endeavors, but creating a shield that prevents traffic flow by allow-or-block rules is much easier and can be done rapidly.
On the other hand, while virtual patching gives organizations time to prevent the risk of cyberattacks, they can be tricked through evasion and deception techniques. Virtual patching also creates a long-term risk for organizations when they delay or choose not to move forward with more permanent security patches and solutions.
Regarding privacy and data compliance laws, virtual patching can help organizations better meet requirements, such as GDPR and PCI DSS.
Older legacy systems that have reached their end for support and security updates can also benefit from virtual patching. Vulnerability best practices and a complete understanding of their benefits and limitations can help companies keep up to date with security in the new era of digital transformation, acceleration, and modernization.
Bottom Line: Virtual Patching
Hackers can exploit new vulnerabilities within days, while it can take weeks or months for vendors to develop and release an official patch. Virtual patching, then, is a creative way to fill that gap until an official fix is available — or in the case of a legacy system, in case one never becomes available. In a time of increasingly dangerous cyberattacks, that’s a skill every cybersecurity team needs.
Read next: Patch Management Best Practices & Steps
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.