IDS mailing list archives

RE: ISS - virtual patching


From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Sat, 22 Jul 2006 10:36:48 -0400

I work for ISS.

First, I will summarize ISS' QA lifecycle. After ISS develops a new
protection algorithm, it first tests it against a wide variety of
example traffic in its regression suite. If the algorithm appears
robust, it is then deployed on an array of special IDS sensors hosted by
select customers we have partnered with for this purpose. If it is still
robust it is packaged in the next content update. This update is
deployed on a select set (again specially selected customer-partners) of
IDS sensors within our Managed Services organization before the update
is made available to the general public. Finally, time permitting, the
algorithm will be initially released without blocking enabled. The
blocking is enabled in a subsequent content update. Once the algorithm
is deployed on IDS sensors it is being continually exposed to real
traffic on a wide variety of customer networks. So, the algorithm is "in
the wild" long before most customers receive it in a content update.

The 8-week measure is a generalization as the time to test each new
protection algorithm varies as it is determined by balancing the false
positive risk against the exposure our customers would face without the
algorithm. For example, ISS will take much longer testing a new protocol
anomaly algorithm before it enables blocking than it would a new exploit
signature. That is, a new protocol anomaly algorithm will likely have a
much higher false positive rate and much lower true positive rate
initially than an exploit-pattern signature. A new protocol anomaly
signature can easily go through 12 weeks of testing before ISS is
confident in enabling blocking. Virtual-patch/vulnerability-based
algorithms fall in between. Also, there is less urgency with protocol
anomaly algorithms as they are not typically developed in response to a
known threat. Even with virtual patch algorithms, ISS typically develops
the algorithm weeks in advance of the public disclosure of the
vulnerability and the release of the vendor's patch.

So, the 8-week testing time estimate does not preclude ISS from enabling
blocking "Ahead of the Threat".

Paul

-----Original Message-----
From: phb () gmail com [mailto:phb () gmail com]
Sent: Tuesday, July 11, 2006 10:35 AM
To: focus-ids () securityfocus com
Subject: ISS - virtual patching

I was at an ISS event (but I guess it applies to all IPS vendors) where
they said after a signature is written they QA it to prevent false
positives, for about 8 weeks in the wild.
It sounded a little counterproductive to the "virtual patching" claims,
since that often means the protection comes in after I've already
patched the system.
I agree I wouldn't deploy prevention prior to being sure it'll not cause
a DoS to the network (or at all until this technology matures a little
more), but with this attitude what is the IPS virtual patch hype all
about?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------