Business & Technology
One of the most critical tasks that most enterprise security teams struggle with on a continual basis is how to protect their organizations against new and existing vulnerabilities. The easiest solution is to patch enterprise assets against vulnerabilities with a vendor-issued patch designed to prevent any possible exploitation. When the FortiGuard Labs team produces threat research on a new exploit, their reports include the following information for that mitigation plan, along with mitigation recommendations that often refer to specific patches provided by vendors:
Affected platforms: (Operating systems or devices impacted)
Impacted parties: (Users of specific software versions, devices, etc.)
Impact: (Malware details)
Severity level: (High/Medium/Low)
But what happens when it’s not possible to patch the asset? For example, patching can sometimes break an application due to strict dependency control, meaning it can only support a specified release level of the operating system. Of course, there is always the possibility that the application developer can issue an update to support the new patch level. However, the effects can be more profound if an application running on an impacted operating system is custom or home grown and can’t be fixed.
An even more difficult challenge is when devices are integrated into critical infrastructure or sensitive OT systems, such as a massive boiler or open hearth furnace that cannot be taken offline for patching. In these and similar cases, the next best option is something called virtual patching.
Let’s look into why virtual patching can be a critical tool for security teams that need to respond quickly to new, and even existing threats.
As you read the FortiGuard Labs 2019 Threat Landscape Report for Q4, it is clear that growth in the exploitation of vulnerabilities is a direct result of the expanding attack surface resulting from digital innovation. Here is a brief look at the Top Platforms and Technologies targeted by exploit activity in the fourth quarter of 2019. They are plotted in Figure 1 according to prevalence (horizontal axis) and volume (vertical axis).
Prominent in the upper left-hand corner are attempts to exploit a vulnerability (CVE-2019-12678) in the Session Initiation Protocol (SIP) inspection module of Adaptive Security Appliances. These cyber incidents ranked highest on the volume scale, probably because successful exploitation results in a denial-of-service condition. In addition, four of the five most prevalent exploits targeted vulnerabilities in popular CMS applications.
One of the underlying themes that can be derived from the data above is that majority of exploits and malware target underlying vulnerabilities in enterprise grade software and applications.
Patching is an update provided by a developer for an application, operating system, or firmware code designed to fix a discovered vulnerability and prevent it from being exploited. For a patch to work, it has to be deployed on individual assets. A virtual patching is similar to a patch released by a vendor because it provides protection against a specific exploit. But in this case, the difference is that this patch is deployed at the network level using a IPS rule rather than on the device itself. It is sometimes also referred to as a proximity control as it stops a threat before it reaches its intended target.
An IPS system is designed to inspect traffic and look for and block malicious activities. And with the right signature, it can also be used to identify and stop attempts to exploit specific vulnerabilities. Because any exploit has to take a defined network path for execution, being able to identify a specific threat makes it is possible to interrupt or block the exploit by modifying the network rules. These specific IPS signatures, or virtual patches, can be deployed at the network level using the intrusion prevention (IPS) functionality built into an NGFW or a traditional standalone IPS appliance.
In today’s dynamically changing environments, the traditional patch cycle simply cannot scale to keep pace with the sophistication and frequency of attacks, and the rate at which new vulnerabilities are being discovered and exploited as a result of the expansion of the digital attack surface.
Virtual patching should be considered an integral component of every organization’s patch management strategy. They not only protect against new threats, but also provide an effective coverage for other scenarios, as discussed above. With virtual patching, business critical applications and data can better be secured as a virtual patch can quickly eliminate the window of opportunity and thereby minimize the risk for the business by shutting down the avenue to exploitation. This enables organizations to reduce their exposure to vulnerabilities across the board, and scale their responses and coverage accordingly with appropriate defenses that can be put in place within minutes or hours.
For more details on how the FortiGate IPS offers a replacement strategy for existing dedicated IPS download a copy of our whitepaper.
Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.