IDS mailing list archives
RE: ISS - virtual patching
From: "Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>
Date: Sat, 22 Jul 2006 10:36:48 -0400
I work for ISS. First, I will summarize ISS' QA lifecycle. After ISS develops a new protection algorithm, it first tests it against a wide variety of example traffic in its regression suite. If the algorithm appears robust, it is then deployed on an array of special IDS sensors hosted by select customers we have partnered with for this purpose. If it is still robust, it is packaged in the next content update. This update is deployed on a select set (again, specially selected customer-partners) of IDS sensors within our Managed Services organization before the update is made available to the general public. Finally, time permitting, the algorithm will be initially released without blocking enabled. The blocking is enabled in a subsequent content update.

Once the algorithm is deployed on IDS sensors, it is being continually exposed to real traffic on a wide variety of customer networks. So, the algorithm is "in the wild" long before most customers receive it in a content update.

The 8-week measure is a generalization, as the time to test each new protection algorithm varies: it is determined by balancing the false positive risk against the exposure our customers would face without the algorithm. For example, ISS will take much longer testing a new protocol anomaly algorithm before it enables blocking than it would a new exploit signature. That is, a new protocol anomaly algorithm will likely have a much higher false positive rate and much lower true positive rate initially than an exploit-pattern signature. A new protocol anomaly signature can easily go through 12 weeks of testing before ISS is confident in enabling blocking. Virtual-patch/vulnerability-based algorithms fall in between. Also, there is less urgency with protocol anomaly algorithms, as they are not typically developed in response to a known threat.
Even with virtual patch algorithms, ISS typically develops the algorithm weeks in advance of the public disclosure of the vulnerability and the release of the vendor's patch. So, the 8-week testing time estimate does not preclude ISS from enabling blocking "Ahead of the Threat".

Paul

-----Original Message-----
From: phb () gmail com [mailto:phb () gmail com]
Sent: Tuesday, July 11, 2006 10:35 AM
To: focus-ids () securityfocus com
Subject: ISS - virtual patching

I was at an ISS event (but I guess it applies to all IPS vendors) where they said after a signature is written they QA it to prevent false positives, for about 8 weeks in the wild. It sounded a little counterproductive to the "virtual patching" claims, since that often means the protection comes in after I've already patched the system. I agree I wouldn't deploy prevention prior to being sure it'll not cause a DoS to the network (or at all until this technology matures a little more), but with this attitude what is the IPS virtual patch hype all about?
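The staged rollout Paul describes (regression corpus first, detect-only release, blocking enabled only once the false-positive rate is acceptable, with a stricter bar for protocol anomaly rules than for exploit-pattern signatures) can be illustrated as a small gating script. The example below is added here and is not ISS code or part of the thread; the two rules, the labelled traffic corpus and the per-class false-positive thresholds are all constructed for illustration.

```python
"""Added example: a detect-only vs block gate for a candidate IPS rule.

A candidate rule is run against a labelled regression corpus in detect-only
mode, its false-positive and true-positive rates are measured, and blocking
is recommended only when the false-positive rate is under a threshold that
depends on the rule's class. All rules, samples and thresholds are
hypothetical and constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Sample:
    payload: bytes
    malicious: bool  # ground-truth label attached to the regression corpus


# Hypothetical exploit-pattern signature: matches one specific byte sequence.
def exploit_signature(payload: bytes) -> bool:
    return b"\x90\x90\x90\x90/bin/sh" in payload


# Hypothetical protocol anomaly rule: flags an HTTP request line over 64 bytes.
# Broad rules like this catch unknown attacks but also hit unusual benign traffic.
def protocol_anomaly(payload: bytes) -> bool:
    first_line = payload.split(b"\r\n", 1)[0]
    return len(first_line) > 64


# Constructed regression corpus: four benign and three malicious requests.
CORPUS: List[Sample] = [
    Sample(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n", False),
    Sample(b"GET /search?q=" + b"a" * 70 + b" HTTP/1.1\r\n", False),  # long but benign
    Sample(b"POST /upload HTTP/1.1\r\n\r\n\x90\x90\x90\x90binary", False),
    Sample(b"GET /a HTTP/1.0\r\n", False),
    Sample(b"GET /cgi-bin/x HTTP/1.1\r\n\r\n" + b"\x90" * 4 + b"/bin/sh", True),
    Sample(b"GET /" + b"A" * 200 + b" HTTP/1.1\r\n", True),  # overlong request line
    Sample(b"GET /" + b"\x90" * 100 + b"/bin/sh HTTP/1.1\r\n", True),
]

# Stricter false-positive bar for anomaly rules than for exploit signatures
# (constructed values, mirroring the longer bake time described in the post).
FP_THRESHOLD: Dict[str, float] = {"exploit": 0.05, "anomaly": 0.01}
MIN_TPR = 0.5  # below this the rule goes back to the author rather than shipping


def evaluate(rule: Callable[[bytes], bool], corpus: List[Sample]) -> Dict[str, float]:
    """Run the rule in detect-only mode and tally the confusion matrix."""
    tp = fp = fn = tn = 0
    for s in corpus:
        hit = rule(s.payload)
        if hit and s.malicious:
            tp += 1
        elif hit and not s.malicious:
            fp += 1
        elif not hit and s.malicious:
            fn += 1
        else:
            tn += 1
    fpr = fp / (fp + tn) if (fp + tn) else 0.0
    tpr = tp / (tp + fn) if (tp + fn) else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "fpr": fpr, "tpr": tpr}


def recommend_mode(rule_class: str, metrics: Dict[str, float]) -> str:
    """Decide how the rule ships: 'rework', 'detect' (alert only) or 'block'."""
    if metrics["tpr"] < MIN_TPR:
        return "rework"
    if metrics["fpr"] > FP_THRESHOLD[rule_class]:
        return "detect"  # ship, gather field data, revisit blocking later
    return "block"


if __name__ == "__main__":
    for name, rule, cls in (("exploit signature", exploit_signature, "exploit"),
                            ("protocol anomaly", protocol_anomaly, "anomaly")):
        m = evaluate(rule, CORPUS)
        print(f"{name}: fpr={m['fpr']:.2f} tpr={m['tpr']:.2f} -> {recommend_mode(cls, m)}")
```

Against this corpus the exploit signature has no false positives and is cleared for blocking, while the anomaly rule trips on the long benign search URL and ships detect-only, which is the asymmetry the post describes between the two rule classes.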