Patching is currently the most widespread means of preventing intrusions, and it's failing miserably. The number of security incidents reported to CERT has grown exponentially over the past six years, reaching an all-time high of 137,529 in 2003, which was also the year that the Blaster and MS-SQL Slammer worms caused widespread devastation. Patch management seeks to address these issues through automation that lets patches be installed rapidly and without Herculean human effort. But patch management is of limited benefit. Consider the following:
- Faulty patches can bring down critical servers and cost more to an organization than a security breach.
- Sometimes vendors do not develop a patch because they mistakenly regard a vulnerability as unimportant or they do not have the time and resources to do so. As of June 2003, there were 19 unpatched vulnerabilities in Microsoft's Internet Explorer. Many of these were serious and resulted in costly breaches and inconvenience to users.
- Some vulnerabilities cannot be fixed by patching. Patch management will not correct vulnerabilities caused by misconfiguration, such as default settings that allow access to systems that should be restricted.
- Vendors cannot develop a patch if they are unaware of the vulnerability.
- New hacker tools are reducing the patching window.
There is an effective alternative to patch management: host-based intrusion-prevention systems (IPS). IPSs that reside on host computers monitor the behaviour of running software and block any deviations from a profile of normal or allowed behaviour, requiring no prior knowledge of vulnerabilities. IPSs overcome all the limitations of patch management: They block attacks against unpatched vulnerabilities and provide protection immediately, so there is no window of opportunity for the attacker. Patch management is a useful tool for reducing the cost and time involved in patching, but it is a flawed security solution, that offers limited protection. For comprehensive protection, IPSs are a much better answer.
Steven Hofmeyr is founder and chief scientist with host-based IPS company Sana Security