Can IPS Counter the Patch-Lag Window?

Automated patch management and intrusion prevention have been getting a lot of attention lately. With patching, this is due in large part to Microsoft paying closer attention to potential exploits and publishing fixes more regularly and coherently.

Intrusion prevention system (IPS) vendors have been following patching trends and making the case that gaps in patch management create the need for something akin to IPS.

In June 2003, Gartner predicted that the intrusion-detection (IDS) sector would be dead by 2005 and advised companies to instead spend their security dollars on better network and application firewalls. Since that time, IDSs have morphed into IPSs, but has anything really changed?

“If you expect to solve all of your problems with patching or signature updates, you don’t understand the problem,” said Andre Yee, president and CEO of NFR Security, an IPS provider.

IPS vendors believe that firewalls, anti-virus systems, patch-management systems, and the like, are all deterministic and reactive. So, even with better automated patching solutions catching on and even with more comprehensive firewalls in place, there is still a strong case to be made for something that takes a more preventative approach to security.

Closing the Vulnerability Window

Yee explained that patching is a critical component of any enterprise security strategy, but the problem is that patching leaves open a “patch-lag window,” which is defined as the time between when a vulnerability is discovered and a patch is effectively deployed.

Many patches are released at the same time that a vulnerability is published, but even then an enterprise IT staff is not off the hook.

“The average time between when an exploit is identified and when a virus takes advantage of it has shrunk to about 5.8 days,” said Rob Shively, CEO of PivX Solutions, an IPS provider. “What we hear from system administrators is that even with automated patching, they don’t have enough time to do sufficient regression testing and deployment.”

Because of this, the automated patch management space has heated up. Start-up companies are pushing the technology, offering the most comprehensive, feature-laden products, but the major players also have an eye towards making patching easier for their customers.

Start-ups like Configuresoft, Opsware, PatchLink, and Shavlik all offer automated patching suites, while Microsoft’s Windows Update Service (WUS) is intended to smooth out the patching process for Microsoft’s own products.

First Things First

For IT managers evaluating potential patching solutions, the problem is that there is a good deal of work to be done before they even start worrying about patching or upgrading their perimeter security devices: security policies need to be defined, and processes must be put into place so this chaotic process is manageable.

“For an IT administrator, the first step in the patch-management process isn’t patching,” said Peter Firstbrook, an analyst with the Meta Group. “The first step is asset management. You need to figure out what devices and applications your enterprise actually has.”

In a global enterprise, this is no small task. Once you’ve figured out what exact assets you have, then you must match that up with a security strategy, said Firstbrook. “The second step is to correlate your assets with risk.”

Firstbrook cautioned that a single network scan is not enough. New devices and applications — authorized or not — pop up all the time, so it’s important to continue scanning on a regular basis. A single rogue wireless LAN access point could compromise an otherwise solid security profile.
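The two ideas above, the “patch-lag window” measured per asset against the 5.8-day exploit horizon quoted earlier and the need to diff successive scans rather than trust one inventory, as an added Python example that is not part of the article; hostnames, dates, software names and the advisory are all constructed.

```python
from datetime import date

# Constructed sample data: the baseline inventory from a first scan and a later re-scan.
BASELINE_SCAN = {
    "fileserver-01": {"software": "smb-service",   "patched_on": date(2004, 7, 20)},
    "web-01":        {"software": "web-server",    "patched_on": None},
    "printer-02":    {"software": "print-spooler", "patched_on": None},
}
RESCAN = {
    "fileserver-01": {"software": "smb-service",   "patched_on": date(2004, 7, 20)},
    "web-01":        {"software": "web-server",    "patched_on": date(2004, 7, 28)},
    "printer-02":    {"software": "print-spooler", "patched_on": None},
    "wlan-ap-07":    {"software": "wlan-ap",       "patched_on": None},  # rogue access point
}
# Constructed advisory: vulnerability published and patch released on the same day.
ADVISORY = {"affects": {"smb-service", "web-server", "wlan-ap"}, "published": date(2004, 7, 13)}

EXPLOIT_HORIZON_DAYS = 5.8  # average vulnerability-to-exploit gap quoted in the article


def patch_lag_days(host, advisory, as_of):
    """Patch-lag window for one host: days from publication until the patch was
    deployed, or until `as_of` if the host is still unpatched. Unaffected hosts: 0."""
    if host["software"] not in advisory["affects"]:
        return 0
    end = host["patched_on"] or as_of
    return (end - advisory["published"]).days


def exposure_report(inventory, advisory, as_of, horizon=EXPLOIT_HORIZON_DAYS):
    """Map hostname -> lag in days for every host whose window exceeded the horizon,
    i.e. hosts that were (or still are) exposed longer than an exploit typically takes."""
    report = {}
    for name, host in inventory.items():
        lag = patch_lag_days(host, advisory, as_of)
        if lag > horizon:
            report[name] = lag
    return report


def new_since_baseline(baseline, rescan):
    """Hosts present in the re-scan but absent from the baseline: the assets a single
    scan would never have shown, such as a rogue access point."""
    return sorted(set(rescan) - set(baseline))


if __name__ == "__main__":
    today = date(2004, 8, 1)
    print("over horizon:", exposure_report(RESCAN, ADVISORY, today))
    print("new assets:", new_since_baseline(BASELINE_SCAN, RESCAN))
```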

Spinning IPS

Following this logic, the story that IPS vendors spin is that the shortcomings of patching prove the case for their products. IPS systems look for traffic anomalies and block potentially malicious activities before the network is infected. However, there is some debate as to how effective these products are.

“Intrusion detection systems aren’t foolproof,” said Joseph Cupano, technical director at Solsoft, a provider of network security policy management software. “Issues like management overhead, false positives, and interoperability all give IT managers headaches.”

The problem with relying too heavily on firewalls, anti-virus, patching, and other point solutions is that all of these solutions overlook fundamental security questions.

“IT managers must ask questions like how do you identify the right security for your organization; how do you implement and manage security products so they meet the business goals of the organization; and how do you integrate each security product within an overall security posture?” Cupano said.

In short, IT administrators have been thinking about security the wrong way: reactively.

Cupano argues that only a proactive approach that seeks to prevent incidents before they arise meets the needs of global enterprises.

This insight has not been lost on IDS providers, so many have replaced the “D” in IDS (for detection) with a “P” for prevention.