Closing the Vulnerability Gap
by Carol Baroudi, Partner
BlueLane Patches The Patch Problem
A vulnerability is announced. The clock begins to tick. The race is on. It's the bad guys versus the good guys, and the bad guys have a head start. The scenario is all too familiar and it happens every few weeks.
Major software vendors, let's take Microsoft and Oracle as examples, release a security patch to address a security hole that has been discovered. In so doing, they notify the bad guys that a new vulnerability exists. And in today's world, there is no shortage of bad guys ready to seize the opportunity and exploit it, much to the dismay of legitimate users everywhere.
The vendors have done what they can. They have released a patch to fix the known vulnerability. But for the IT users, the problem is not over. Patches sometimes fail; sometimes they simply don't work in the real-life production environment. They can cause costly downtime. The more complex the environment, the less likely a patch can be installed safely.
In the real world, conscientious system administrators have to test patches in non-production environments, vetting a patch to make sure it won't break anything. To make matters worse, security vulnerabilities are currently reported at the rate of over 300 a month. Even if you only need to patch for a small fraction of these, it isn't practical to test every patch.
So operations staff wait until they can test a batch of patches together. A patch may be delayed for months before systems get the protection they need. And all the while the clock is ticking and the bad guys are preparing their worms and their hacks. And herein is created the vulnerability gap.
The vulnerability gap is the time between when a vulnerability is announced and the time when administrators safely install a patch. Within this window, systems are extremely vulnerable. For any given problem, the vulnerability gap can be months, and the bad guys don't take months to introduce their exploits.
But administrators have had little choice. Simultaneously compelled to patch and not patch, they take a calculated risk and trust in luck. The potential loss is harrowing.
The BlueLane Solution
Cupertino, CA-based BlueLane Company's PatchPoint System is dramatically shortening, and in some cases, all but eliminating, the vulnerability gap. Here's how:
BlueLane uses a proxy server to mimic the effects of any patch. The PatchPoint proxy server doesn't implement the patch; it implements software that traps and neutralizes any attempt to exploit a known vulnerability. If, for example, the problem is a specific buffer overflow, the proxy examines all network traffic, detects any attempt to overflow that buffer, and stops that piece of traffic.
In this way, vulnerabilities are closed before an attack can reach a vulnerable system. In effect, a slightly different patch is installed "outside" the targeted system, and for this reason, it cannot adversely affect a system environment.
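The proxy-patch idea described above, sketched as an added example; it is not BlueLane's code, and the page does not describe PatchPoint's internals. The line protocol, the `USER` verb, the 64-byte buffer and the `ProxyPatch` class are assumptions constructed for illustration. The filter reassembles lines per connection so that an oversized argument split across several TCP segments is still caught.

```python
# Constructed example: hypothetical line protocol "VERB argument\r\n".
# Assumption: the unpatched server copies the USER argument into a 64-byte buffer.
VULN_VERB = b"USER"
MAX_ARG = 63     # 64-byte buffer minus the terminating NUL (assumed)
MAX_LINE = 512   # assumed protocol limit; also bounds what the proxy will buffer


class ProxyPatch:
    """Per-connection filter: forwards safe lines, blocks the connection otherwise."""

    def __init__(self):
        self.pending = b""    # bytes received but not yet forming a complete line
        self.blocked = False  # once an exploit attempt is seen, nothing more passes

    def feed(self, segment: bytes) -> bytes:
        """Take bytes from the client; return the bytes safe to forward to the server."""
        if self.blocked:
            return b""
        self.pending += segment
        out = b""
        while True:
            line, sep, rest = self.pending.partition(b"\n")
            if not sep:
                # Incomplete line: hold it back, but never buffer without bound.
                if len(self.pending) > MAX_LINE:
                    self._block()
                return out
            if not self._line_is_safe(line):
                self._block()
                return out
            out += line + sep
            self.pending = rest

    def _line_is_safe(self, line: bytes) -> bool:
        if len(line) > MAX_LINE:
            return False
        verb, _, arg = line.rstrip(b"\r").partition(b" ")
        # The vulnerability-specific check: argument must fit the server's buffer.
        return not (verb.upper() == VULN_VERB and len(arg) > MAX_ARG)

    def _block(self):
        self.blocked = True
        self.pending = b""
```

Because incomplete lines are held until their terminator arrives, the server never sees a partial command that the filter has not judged as a whole.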
The engineers of BlueLane are in a race too. Whenever a vulnerability is announced, they have to analyze it and find a way to trap any exploit. But they do not operate under a handicap. Typically they have a "proxy patch" written within a few days of a vulnerability being announced and distributed to their customers the same day. These good guys are a lot faster than the bad guys.
In essence, BlueLane is creating the best of all worlds in our oh-so-imperfect world of contemporary IT. Users get the value of the patch very, very quickly without jeopardizing their stable environments. How cool is that?
The Hurwitz Take
Wow. Hurwitz & Associates is all too familiar with the risks associated with the vulnerability gap, the reality of malfeasance in our networked world, and the conundrum facing administrators everywhere. We are downright enthusiastic about the BlueLane approach.
We recognize it only solves the problem for server environments, but in the end that's where most of the mission-critical systems run. Its security patch solution has come not a moment too soon.