Mitigating zero-day vulnerabilities in customers' environments


Eric Ogren, Contributor
10.06.2009


Zero-day exploits -- attacks in the wild that are too new for signature checkers to recognize -- present a serious challenge to security solution providers who are expected to protect client endpoints, hosted websites, application services and Web communications. However, there may be opportunities for service providers to differentiate, or to offer revenue-generating services, by helping clients recover from a zero-day infection.

Modern zero-day attacks spread at the speed of the Internet, infecting computers worldwide long before antivirus and IDS products (most organizations' first lines of defense) can close the window of vulnerability with a custom attack filter antidote. For example, in January 2009, the Conficker zero-day conflagration infected more than 1 million PCs in less than 24 hours. Such rapid propagation effectively relegates security scanners to merely performing cleanup after a zero-day strike has done its damage.

There is no foolproof defense against zero-day attacks: there are no signatures for security filters, behavioral techniques suffer from false positives, endpoints are too varied for whitelists, and reputation methods are too slow. While rapid, efficient patching does eventually close the vulnerabilities that are the lifeblood of exploits, solution providers must take proactive approaches to mitigate the effect of zero-day exploits on their customers. Here are a few strategies:

Focus on vulnerabilities more than exploits. Most zero-day exploits take advantage of known vulnerabilities, thus patching a single vulnerability can effectively block an entire class of exploits, even when AV signatures do not exist. For instance, the variants of Conficker can be defeated by applying the Microsoft Windows patch MS08-067. Organizations have become conservative with their patching regimens, only applying necessary patches after rigorous testing. Solution providers may need to be more aggressive in helping customers plug vulnerabilities on Internet-facing machines -- they often represent the most likely entry point for the next killer zero-day attack. Customers may grant solution providers permission to conduct periodic vulnerability scans, emergency scans when a vulnerability linked to a serious attack is identified, and to email links for recommended patches.

Audit everything. A zero-day attack -- including a worm, Trojan, infected iFrame, or denial-of-service effort -- that evades detection by traditional security mechanisms will cause damage and alter configurations in ways that cannot be predicted. Extensive audit logging of endpoint activity and network traffic is essential in reconstructing the destructive path of a zero-day attack. Inspection of logs gives IT a chance to recognize the presence of an attack in the network, estimate the scope of damage, and identify corrective action to prevent a recurrence.
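The audit-logging point is easier to act on with a concrete detector. The following is an added example (mine, not code from the tip or from any vendor it mentions) that scans connection-log lines for a single source contacting many distinct hosts on TCP/445 within a short window, the fan-out pattern of a worm spreading through the Server service flaw that MS08-067 patches; the log format, IP addresses, window and threshold are all assumptions.

```python
# Added example: flag worm-like fan-out in connection logs so that a
# zero-day worm shows up in audit data before any signature exists.
# Log format and every value below are constructed for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
# DENY lines count too: a worm's failed probes are part of the signal.
SAMPLE_LOG = """\
2009-01-20T09:00:01 10.0.0.5 -> 10.0.0.20:445 ALLOW
2009-01-20T09:00:02 10.0.0.5 -> 10.0.0.21:445 ALLOW
2009-01-20T09:00:02 10.0.0.5 -> 10.0.0.22:445 DENY
2009-01-20T09:00:03 10.0.0.5 -> 10.0.0.23:445 DENY
2009-01-20T09:00:03 10.0.0.5 -> 10.0.0.24:445 ALLOW
2009-01-20T09:00:04 10.0.0.5 -> 10.0.0.25:445 DENY
2009-01-20T09:00:05 10.0.0.7 -> 10.0.0.20:445 ALLOW
2009-01-20T09:00:06 10.0.0.7 -> 10.0.0.30:80 ALLOW
2009-01-20T09:30:00 10.0.0.5 -> 10.0.0.26:445 ALLOW
"""

def parse_line(line):
    ts, src, _, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action

def fan_out_alerts(log_text, port=445, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak distinct-destination count} for every source that
    reaches at least `threshold` distinct hosts on `port` inside one `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, dst_port, _ = parse_line(line)
        if dst_port == port:
            events[src].append((ts, dst_ip))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        peak = 0
        for i, (start, _) in enumerate(hits):  # sliding window from each hit
            seen = {d for t, d in hits[i:] if t - start <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    for src, n in fan_out_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct hosts on tcp/{445} within 60s")
```

The threshold is the false-positive knob the tip warns about: a file server, backup host or the provider's own vulnerability scanner will legitimately fan out on port 445, so such sources need an explicit allow list before alerts go to the customer.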

Establish the capability to route traffic through an internal security service. Eventually, information about a new attack is reported to security researchers, who create a preventive filter to block it. Solution providers that can direct traffic through centralized security scanners in their own data center need only update signatures in a few filters, and thereby clean communications for all clients simultaneously. The zero-day attack then moves quickly onto the list of known, blocked threats, with less risk of a recurrence.

Build in recovery services. Client endpoints and hosted services must be refreshed if security software cannot completely recover from an attack. Customers may need snapshot backup and recovery services for software configurations and important business data in order to quickly bounce back from a zero-day attack. Security solution providers can provide assistance with these services for data and software protection, even to the extent of using a virtualized data center to run basic business applications while the organization recovers from a disaster.

Good, secure networks and remote endpoints will be vulnerable to a zero-day attack -- it is just a fact of computing life on the Internet. Solution providers can build a competitive advantage by doing all they can to ferret out vulnerabilities that zero-day attacks thrive on. Solution providers may also find new revenues with zero-day attack recovery services to help subscribers painlessly recover when the inevitable security incident occurs.

About the author
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
