Virtual Patching

By Mark Webb-Johnson, Chief Technology Officer, Network Box

From the time a vulnerability is announced, a race starts between developing, testing, releasing, and installing the patches to fix it; and the attackers developing their exploits to take advantage. Virtual Patching aims to deploy early patches ‘virtually.’ Sometimes on the affected devices themselves, but more often at the gateway, before formal patches can be released or installed, and before the attackers can compromise protected systems.

The Technology

Virtual patches target network tra­ffic attempting to exploit a known vulnerability. They often start with signatures to detect the vulnerability, or exploit behaviors, and then actively interrupt the tra­ffic and block it before it affects the target system. They are a ‘quick-and-dirty’ solution to a complex problem, as they can usually be deployed without reboot or interruption to services. Due to limitations inherent in the technology, they are often only short-term stop-gaps, gaining time for formal patches to be deployed.

Think of the vulnerability akin to a leaky pipe, the exploit being the resulting flood, and the virtual patch being a temporary tape to fix the leak. The permanent solution would be to replace that part of the broken pipe, but the virtual patch gains you time and avoids the damage that a flood would cause. It is certainly better than having to turn off the water.

Virtual Patching allows the user to maintain their own patching cycle, not dependent on the various manufacturers of equipment, systems, and applications that they run. They are much simpler to deploy, as they are typically installed at just a few centralized/gateway locations, rather than on every potentially affected device.

Limitations of Virtual Patching Technology

  • The virtual patch must be deployed between the attacker and the attacked device or service.

For it to be effective, this protection must be inline or at least able to block malicious tra­ffic with very little latency. Encrypted tra­ffic may need special handling to be accurately analyzed for exploits.

  • A virtual patch must be accurate.

It must detect exploits of the vulnerability without affecting legitimate traffi­c while being broad and comprehensive enough to detect new emerging variants of exploits (not just an initial specific one). In cases where the exploit is non-trivial and in particular, where it involves multiple requests in a network tra­ffic session, this may not be possible, and the virtual patch only partially effective.

  • False positives may be a problem.

As the virtual patches need to be deployed quickly, there may not be adequate time for testing. Depending on the severity and impact of the vulnerability, this may be considered an acceptable risk to the alternative of shutting down all services until formal patches can be deployed. Deployment of manufacturer patches is also not without risk. Virtual Patching is not a perfect solution and cannot protect every vulnerability from every possible exploit. However, it is a good solution that is effective in most cases, particularly those identified as high severity. The technology does provide a comprehensive and effective first line of defense against network-based exploits and is valuable as one tool of many in your arsenal.

Mark Webb-Johnson is the co-founder and Chief Technology Officer of Network Box. It is Mark’s technical genius that drives the cybersecurity innovation at Network Box. He and his team constantly come up with solutions that keep Network Box ahead of the rest. Over the years, Mark has taken on numerous projects and extremely difficult technology problems, and always come up with an elegant solution. It is hardly any wonder he won the Lord Hailsham Prize for Computer Science.

Follow Brilliance Security Magazine on Twitter, Facebook, and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.