Zero day protection and IPS
Klaus Majewski writes about a security solution that secures without the need for updates
There is a lot of talk about the supposed Zero Day Protection from several security vendors at the moment. But what does it mean? Basically it is a name that some industry analysts have coined to position various security solutions. It means that a security device or product doesn't necessarily need an update to be secure from an attack, an attack which has not been seen before and is effectively brand-new. So rather than relying on something like anti-virus, which must be updated frequently, a security product doesn't need so many updates to be secure.
Not The Whole Truth
Does it work? Nah, not really. For example, the Microsoft Windows Metafile (WMF) exploit became public on December 27, 2005. After that all security vendors rushed to make detection updates for it. If there were truly working zero day protection, those updates would be unnecessary, right?
Anti-virus products are often used as an example of why updates don't work. But in reality they do. All of the leading AV vendors have developed their solutions to support identification of potential threats as well as ones which have yet to be seen outside of a lab environment. Other than a few notable exceptions, 95 percent of all new viruses will be detected without the need for an update from the vendor. The reason why virus attacks are so successful is that many organisations just don't update their AV products at all, or are running outdated versions. Many vendors use the Zero Day marketing line in their positioning and as a result try to place themselves as a different security solution from others. Typically, we are talking about IDS/IPS solutions, but it can be in many different areas.
Relying On Standards
A security solution is there to enforce a policy as well as allow a business or system to operate without disruption. By implementing a Zero Day system, the product you are relying on requires everything to be 100 percent correct. What I mean by this is that all of your web applications adhere to the HTML standards and your applications use all of their protocols and systems in 100 percent compliance with standards. Unfortunately, almost nothing to do with IT works like this. Everyone does things ever so slightly differently and as a result sticking to standards isn't quite as simple as people might think. Consider the fact that many web pages don't display correctly in Mozilla Firefox vs Microsoft's Internet Explorer. OK, a web page is one thing. But what happens if it's your corporate accounts system, or your sales processing system, or even your online ordering system? It becomes much more critical, and sticking to standards much more important.
Imagine a scenario where an emergency patch must be applied to your sales order processing system. This patch is to fix a major problem with it and must be carried out ASAP. Unfortunately, it introduces some small changes to the way it operates and now isn't 100 percent standards compliant. Normally this would not be an issue and most organisations would virtually never know. But with a Zero Day Protection system it may just get triggered, blocking network traffic and raising high priority alerts. What would you do? Roll back the critical patch, or disable your security system until it can be corrected? It is a tough call and one that no one really wants to make. Zero Day Protection really isn't what it is cracked up to be; it is a bit of marketing.
Going Beyond An Impulsive Reaction
So how does an organisation react to such instances? By making use of a class-leading solution which is flexible and effective. In many cases you may choose to do nothing in response to such emergencies. However, the choice should be the organisation's and not the supplier's or the security solution's. The ability to monitor, log, alert and react is critical here; simply reacting may not be the best course of action! For example, a passing vandal throws a stone at your office. Do you shoot him, close your office and lock all of the doors? Or do you observe, track and inform the relevant authorities? I know which I would choose.
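To make the trade-off concrete, here is an added example (not Stonesoft code and not from the article) of a strict HTTP conformance check of the kind a "zero day" protocol-anomaly rule applies, run against a constructed compliant request and a constructed request from an emergency-patched order system. The `block` versus `alert` policy mode is the organisation's choice the article argues for; all names and sample traffic are assumptions.

```python
from __future__ import annotations
import re

# Strict request-head checks modelled on RFC 2616 syntax (constructed
# rule set, not any vendor's): anything not 100 percent compliant is an anomaly.
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")
# header = token ":" OWS value ; token excludes whitespace and separators
HEADER_LINE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*\S.*$")


def anomalies(raw: bytes) -> list[str]:
    """Return every standards violation found in one HTTP request head."""
    found: list[str] = []
    if b"\r\n" not in raw:
        found.append("bare LF line endings")
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.decode("latin-1").split("\n")
    if not REQUEST_LINE.match(lines[0]):
        found.append(f"malformed request line: {lines[0]!r}")
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            found.append(f"malformed header: {line!r}")
    return found


def decide(raw: bytes, mode: str) -> tuple[str, list[str]]:
    """Apply site policy: 'block' drops anomalous traffic, 'alert' logs it and
    lets it through, so the organisation (not the box) makes the call."""
    found = anomalies(raw)
    if not found:
        return "allow", found
    return ("block", found) if mode == "block" else ("alert", found)


# Constructed sample traffic: a compliant order request, and the same request
# from the emergency-patched system, which now emits bare LF line endings and
# a space before the colon in the Host header (legitimate, but non-compliant).
GOOD = b"POST /orders HTTP/1.1\r\nHost: erp.example\r\nContent-Length: 0\r\n\r\n"
PATCHED = b"POST /orders HTTP/1.1\nHost : erp.example\nContent-Length: 0\n\n"

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("patched", PATCHED)):
        for mode in ("block", "alert"):
            verdict, issues = decide(req, mode)
            print(f"{name:8} mode={mode:5} -> {verdict:5} {issues}")
```

In `block` mode the patched but legitimate order system is cut off; in `alert` mode the same anomalies are logged for a human to review while the business keeps running.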
The author is IPS Product Manager, CISSP, at Stonesoft Corp.