In-Depth

Auto-Update for Outdated Defenses

Infrequent updates in security products themselves can be dangerous

• By Rich Weiss
• 08/30/2005

Do you use antivirus or IDS products that provide infrequent or long delayed updates? Of course not. So why do you rely on other security products that get updated maybe once a year?

Maybe you haven’t had a choice. Most firewalls and intrusion prevention appliances provide hard-coded defenses that address established classes of vulnerabilities and exploits. You can often write rules to defeat new exploits that fall within these classes. You can usually patch flaws in the operation of those products. But you typically haven’t been able to quickly add new protection mechanisms that address new classes of vulnerabilities. Examples of such vulnerabilities include those associated with VoIP and other newer protocols, and flaws in certain commercial or open source software applications such as VNC.

Even the best packet-inspection technologies and IPS heuristics occasionally need code-level upgrades to maintain their effectiveness. Yet it can be months before a security vendor releases a new version of their software or firmware that addresses a new vulnerability. It can also be months (or longer) before you install the new release in your environment. In the meantime, you can try to locate and patch every instance of a vulnerable application or try to develop a workaround based on firewall and/or IPS rules. Despite your best efforts, though, hackers may still exploit the vulnerability and cause a costly security breach.

The challenge of keeping your network security infrastructure current is only going to increase, due to the shrinking window between the discovery and exploitation of new vulnerabilities. The day is rapidly approaching when your security staff literally won’t have enough time to figure out how to configure your security solutions to mitigate new risks and implement the changes before your organization is attacked. A faster and more automated approach is needed.

Luckily, security technology is evolving to address this growing challenge. An innovative enhancement has been made to certain firewalls and security appliances that enables rapid, preemptive upgrading of those products’ defense mechanisms when a new class of vulnerability is discovered. Software updates are automatically delivered online from the vendor to the customer within hours of the discovery. Administrators can review the code changes, decide if the update is needed for their environment, and implement the update with a mouse click if desired. The process is much like applying a patch, except that the update adds new security defenses instead of fixing a bug.

Even if a vendor doesn’t offer this smart-update technology, it should at least have a service that delivers timely, step-by-step instructions for how best to configure its products to thwart the latest vulnerability or threat. If the vendor sells multiple products that can address a vulnerability at different security layers, the remedy should be consistent across those products. The vendor also needs to have a global team of security researchers who can provide 24 hour analysis and response.

The next time you evaluate a network security gateway or appliance, ask the vendor how many times in the past year it delivered functionality upgrades that didn’t involve reinstalling the product. At the least, you’ll know whether you’re getting protection that will be up-to-date or out of date a few months after deployment.