The Perennial Problem with Patches

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
"Internet Stalls After Worm Breaches Security of Servers" - The Boston Globe, 1/26/2003

According to The Boston Globe, the attack by a worm targeting a well-known vulnerability in Microsoft SQL Servers had widespread ramifications, affecting information and transactions across the world and shutting down Bank of America's 13,000 ATMs for hours.

Although the exploit was well known, being over six months old at the time of the attack, a significant population of SQL Servers (in this example) were unpatched and unprotected. Yet despite the bad press Microsoft has garnered in the past year about its software security, this outbreak wasn't Redmond's fault. The vulnerability was well known, and the patches were available. This outbreak shouldn't have happened.

The humbling truth is that this outbreak was caused by human error in letting unprotected systems stay that way, and enterprises being unaware of the problem until it was too late. Although this time it was a Microsoft application that was exploited, who's to say that next time it won't be Oracle or Siebel or DNS? Will it be your IT infrastructure that goes down while you struggle to fix the problem? How can you be sure?

False Security

Patches cannot be relied upon to deliver effective front-line security, because they simply aren't applied in a consistent, effective and timely fashion. Indeed, many industry best practices preclude applying patches in an ad hoc manner: changes to production environments need to be tested and proved safe before deployment. This frequently leaves a large window of opportunity when a vulnerability can be maliciously exploited.

Moreover, it's all too easy for more important deadlines, issues or simply the crisis du jour to interfere, potentially pushing the fix forever to the bottom of the list and leaving your systems perpetually vulnerable.

Intrusion detection systems would have picked up the attack (assuming that the signature updates were less than six months old), but few operations centers are listening to the threats their IDS detect because they are notorious for creating false positives. So even with effective sensors, this incident shows that having basic perimeter security sensors deployed is not enough to prevent significant economic damage from occurring.

Network Security Event Management

Here's the dilemma: Odds are your systems are not as well protected as they ought to be, and your IDS are up to date but being ignored. The volume of false alarms the IDS produces frequently is so great that rules are set to allow only the most important alerts through. This yields false negatives, where lower-risk but valid threats are not flagged. Life gets a whole lot easier for the operator -- until a low-risk attack takes advantage of an unprotected server, and all the systems you must protect are suddenly vulnerable.

Security event management allows you to keep your current practices and procedures while simultaneously improving your ability to detect valid threats. Data from IDS is analyzed automatically and false positives removed at the source, so that your operators can handle a much greater volume of sensor data more effectively.

Secondly, it's correlated: data from multiple sensors (IDS, firewalls, anti-virus) are linked together looking for patterns. This helps escalate false negatives, by identifying "wide footprint" attacks that individually are relatively meaningless, but together amount to a persistent and potentially devastating effect.

The best systems perform these tasks in real-time, link security data to network events like router CPU overload or platform reboots, which then allows them to identify potential compromises in process from unknown (or "day zero") threats -- and they link to vendor knowledge bases so that third-shift operators can still understand the context and risk any given threat poses. And by delivering timely, accurate and actionable alerts, security event management solutions significantly reduce the risk that an unpatched system will be compromised before you contain the attack.

The result: greater security by detecting threats in real time without swamping your emergency teams. And that means greater confidence that the systems you deploy will remain safe, by linking your perimeter and host-based security sensors to identify, correlate and contain attacks.

Phil Hollows is vice president of product marketing for OpenService, a real-time network and security event management vendor.