IDS mailing list archives

Re: Definition of Zero Day Protection


From: Joel Snyder <Joel.Snyder () Opus1 COM>
Date: Mon, 09 Aug 2004 10:29:33 -0700

> What is Zero Day Protection? I think I understand the definition of Zero
> Day Exploits.  But what is Zero Day Protection?  Another marketing blurb,
> or can vendors actually offer zero day protection?

Zero-day protection simply means that you are protected from a new exploit at the moment it exists. Not 15 minutes after (since 15 > 0), but at that instant. For example, if you had a device which could intelligently detect buffer overflows, then you could claim that this device offers "zero day protection" against buffer overflow attacks, even those which have not been created yet. Contrast this, for example, to a device which relies on signatures matching specific characters to protect against known buffer overflow attacks.

In the world of virus scanners, the idea of zero day protection is promoted by folks who sell heuristic scanners (i.e., those which do not depend on specific matching of a signature). The idea is that using a heuristic, you can determine whether a file has a virus or not, even if you've never seen the virus. Thus, for certain classes of un-written viruses, this technology would offer "zero day protection."

A lot of people are MIS-using this term already. They seem to think that if they empower you to do something very very very early in the cycle of problems, that this offers zero day protection. It's not. If you wanted to use a term for that, you could call it "Day One protection."

For example, IronPort has created a nifty thing called "Virus Outbreak Filters" which use anomaly detection to say "you know, there's something going around." I would classify that as "Day One Protection;" it doesn't protect you BEFORE the problem, but it tracks the problem very early and lets you get a jump on the AV people before they have a signature to catch the exact new virus. (I'm not saying that IronPort calls that Zero Day protection; I'm just using it as an example of Day One protection.)

In the IPS world, things which are anomaly based are often called Zero Day protection. For example, if an internal system which has never made an outbound connection to TFTP suddenly starts doing 30 TFTPs a second, the IPS could shut it down. The IPS people would love to call that 'Zero Day' protection, but it's not really that---after all, the system DID get compromised, ergo it wasn't protected. I expect as the marketroids get ahold of the term, they'll push it as far to the limit as possible, since the concept of "zero day protection" is so clearly desirable.

jms


--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms () Opus1 COM    http://www.opus1.com/jms    Opus One
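The anomaly-based IPS behaviour described in the message above (a host that has never spoken TFTP suddenly doing 30 TFTPs a second, and the IPS shutting it down) can be shown with a small baseline-plus-rate detector. This is an added example, not code from the original post or from any product the post mentions; the flow-record format, the hostnames and addresses, the learning-window rule, and the `rate_limit`/`window_seconds` parameters are all constructed for illustration.

```python
"""Baseline-plus-rate anomaly detector over constructed outbound flow records.

Added example illustrating the IPS behaviour described in the post. The record
format ("<ISO timestamp> <src> -> <dst>:<port> <proto>"), all addresses, and the
thresholds are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int]  # (src_ip, protocol, dst_port)
Alert = Tuple[str, FlowKey]     # (kind, offending flow key)

# Constructed "quiet week" traffic used to learn what each host normally does.
BASELINE_LOG = [
    "2004-08-02T09:00:01 10.1.2.3 -> 10.1.0.5:53 udp",
    "2004-08-02T09:00:02 10.1.2.3 -> 192.0.2.10:80 tcp",
    "2004-08-02T09:00:03 10.1.2.3 -> 192.0.2.11:443 tcp",
    "2004-08-02T09:00:04 10.1.2.7 -> 10.1.0.9:69 udp",   # this host legitimately uses TFTP
    "2004-08-02T09:00:05 10.1.2.3 -> 10.1.0.5:53 udp",
]

# Constructed live traffic: 10.1.2.3, which never used TFTP, suddenly fires 30 in one second.
LIVE_LOG = [
    "2004-08-09T10:29:00 10.1.2.3 -> 192.0.2.10:80 tcp",
    "2004-08-09T10:29:01 10.1.2.7 -> 10.1.0.9:69 udp",   # baseline host, normal rate
] + ["2004-08-09T10:29:02 10.1.2.3 -> 10.1.0.9:69 udp"] * 30


def parse_flow(line: str) -> Tuple[datetime, FlowKey]:
    """Parse one flow record into (timestamp, (src, proto, dport))."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record: {line!r}")
    _dst_ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), (src, proto.lower(), int(port))


def build_baseline(lines: List[str]) -> Set[FlowKey]:
    """Learning phase: every (src, proto, dport) seen in the quiet period counts as normal."""
    return {parse_flow(line)[1] for line in lines}


class AnomalyIPS:
    """Flags flows outside the learned baseline and per-key rate spikes; blocks spiking hosts."""

    def __init__(self, baseline: Set[FlowKey], rate_limit: int = 10, window_seconds: float = 1.0):
        self.baseline = baseline
        self.rate_limit = rate_limit          # flows per window that trigger a block
        self.window = window_seconds          # sliding window length
        self.recent: Dict[FlowKey, Deque[datetime]] = defaultdict(deque)
        self.reported: Set[Alert] = set()     # each (kind, key) is reported once
        self.blocked: Set[str] = set()        # source hosts that have been shut down

    def process(self, line: str) -> List[Alert]:
        ts, key = parse_flow(line)
        src = key[0]
        if src in self.blocked:
            return []                          # host already shut down; drop the flow
        alerts: List[Alert] = []
        if key not in self.baseline:
            alerts.append(("new-service", key))
        window = self.recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.window:
            window.popleft()                   # keep only flows inside the window
        if len(window) >= self.rate_limit:
            alerts.append(("rate-spike", key))
            self.blocked.add(src)              # the "shut it down" action from the post
        fresh = [a for a in alerts if a not in self.reported]
        self.reported.update(fresh)
        return fresh


def run_detector(baseline_lines: List[str], live_lines: List[str],
                 rate_limit: int = 10, window_seconds: float = 1.0) -> Tuple[List[Alert], List[str]]:
    """Replay live records through the IPS; return (alerts in order, blocked hosts)."""
    ips = AnomalyIPS(build_baseline(baseline_lines), rate_limit, window_seconds)
    alerts: List[Alert] = []
    for line in live_lines:
        alerts.extend(ips.process(line))
    return alerts, sorted(ips.blocked)


if __name__ == "__main__":
    found, shut_down = run_detector(BASELINE_LOG, LIVE_LOG)
    for kind, (src, proto, port) in found:
        print(f"{kind}: {src} -> {proto}/{port}")
    print("blocked hosts:", shut_down)
```

Note what the detector can and cannot do: the first TFTP flow from 10.1.2.3 is already outside the baseline and is flagged immediately, but the block only lands after the tenth flow in the window, and by then the host has already been sending. That is the distinction the post draws: the IPS reacts early, but the compromise has already happened.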

