Staff Writer, CNET News.com
The race to plug network holes before attackers use them is running system managers ragged—so they're throwing up more barriers to stop intruders.
In recent years, the common wisdom has been that keeping up-to-date on software patches is key to safeguarding a company's networks against viruses, worms and other pests. But with dozens of flaws being discovered each week, that approach has turned out to be a Herculean task.
That has network administrators, as well as providers of security products, looking beyond patch management for protection.
"Five years ago, patch management was not a (priority) for operations people. But then the worms came out, and it was patch everything you can and as fast as you can," said Gerhard Eschelbeck, chief technology officer at Qualys, a security information provider. "Now we've entered a phase of being more selective about patching."
These days, security professionals are returning to an older strategy, which calls for defensive measures on many levels of the network, from the gateway to the employee's PC.
The technique taps into a wide array of new security technologies to throw up multiple barriers to virus writers and online intruders. And there's a bonus: Widespread defenses like these will likely buy system administrators more time to test and apply software fixes.
In some cases, administrators using patch management have to move so fast to install a fix that they aren't able to test it beforehand.
"People often feel squeezed. Sometimes there are cases where they can't patch quickly enough. There may be an exploit out there before you can get your systems patched," said Jason Chan, a moderator of the Patch Management.org mailing list who is also a consultant at security company Symantec.
That's despite the fact that patches have frequently caused additional problems within corporate networks by turning off needed functions, or because the fixes themselves have had flaws.
Back in 2004, Todd Towles, a network systems analyst for a medium-size retail chain, was overseeing 40 Windows NT workstations that were a low patching priority, since most security threats focused on Windows XP and 2000. One time, he patched the systems before fully testing the fix and immediately encountered problems.
Security experts tend to take a multilevel approach to protecting the digital equivalent of a company's crown jewels, defending systems even after an intruder has gained access.
Network: Firewalls and intrusion detection systems protect a community of systems against attack.
System: Antivirus systems and personal firewalls limit attacks on individual PCs.
Data: Encryption, backups and integrity scanning all help to make sure data isn't accessed, changed or deleted by unauthorized users.
Identity: Strong passwords and a second ID check, such as smart cards, are increasingly used to keep attackers out.
Source: CNET News.com
"Five of them blue-screened on reboot, which didn't go over well with the professionals who were using them," Towles said.
He had to rebuild the operating systems on the five workstations himself—a task that convinced Towles to adopt the broader defense strategy.
In addition to patching, that strategy typically involves a combination of technologies, such as host-based firewalls, intrusion detection and prevention systems, antivirus software, and encryption, as well as configuring systems to be robust against attacks.
But there are trade-offs. Experts have argued that this "defense in depth" approach can lead to increased technology costs and complexity, seen as a major burden by IT professionals. "There has to be a focus on easing the administrator's experience," said Richard Threlkeld, an information engineer at Qualcomm, a San Diego-based digital-wireless-technology company. "A lot of tools that are out there are such a hassle to use."
Security product providers are doing their part to help the shift. Many are moving away from signature-based techniques, in which software recognizes specific threats, in favor of behavioral-based techniques, where certain activities are recognized as more threatening.
Increasingly, virus writers make small changes in their code, such as the subject header in an e-mail or the extension of the file, to confuse signature-based security. That means a more useful way to tune system defenses is to focus on the general behavior of a program to determine if it is a virus, Gartner analyst Mark Nicolett said.
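To illustrate the point above, the following is an added example (not from the article or any vendor named in it) in which a signature check built from one captured mass-mailer sample misses a trivially altered variant, while a rule keyed on what the program does still catches it. All hashes, subjects, filenames and action logs are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Attachment:
    """One e-mail attachment and the actions it took when executed (constructed)."""
    subject: str
    filename: str
    payload: bytes
    actions: list = field(default_factory=list)


# Signature database built from one captured sample (constructed values, not real IoCs).
KNOWN_HASHES = {hashlib.sha256(b"mass-mailer body v1").hexdigest()}
KNOWN_SUBJECTS = {"Your document"}
KNOWN_NAMES = {"document.pif"}


def signature_verdict(a: Attachment) -> bool:
    """Matches only exact, previously seen artifacts: hash, subject line, filename."""
    return (hashlib.sha256(a.payload).hexdigest() in KNOWN_HASHES
            or a.subject in KNOWN_SUBJECTS
            or a.filename in KNOWN_NAMES)


def behaviour_verdict(a: Attachment) -> bool:
    """Flags what a mass-mailing worm does, whatever it is named or hashes to."""
    smtp_targets = {x.split(":", 2)[2] for x in a.actions if x.startswith("connect:25:")}
    persists = any(x.startswith("write:startup/") for x in a.actions)
    harvests = any(x == "read:addressbook" for x in a.actions)
    return len(smtp_targets) >= 5 or (persists and harvests)


def classify(samples):
    """Returns (filename, signature hit, behaviour hit) for each sample."""
    return [(s.filename, signature_verdict(s), behaviour_verdict(s)) for s in samples]


WORM_ACTIONS = ["read:addressbook", "write:startup/svc.exe"] + [
    f"connect:25:mx{i}.example" for i in range(8)]

SAMPLES = [
    Attachment("Your document", "document.pif", b"mass-mailer body v1", list(WORM_ACTIONS)),
    # Variant: new subject, new extension, one byte appended, so every signature misses it.
    Attachment("Re: invoice", "document.scr", b"mass-mailer body v1\x00", list(WORM_ACTIONS)),
    Attachment("Q3 report", "report.doc", b"plain report text", ["read:report.doc"]),
]

if __name__ == "__main__":
    for name, sig, beh in classify(SAMPLES):
        print(f"{name:14} signature={sig!s:5} behaviour={beh}")
```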
In addition, system administrators are looking more intently at network access control to stop employees who are working remotely from spreading viruses, he said. This could also prevent attackers who hitchhike on those workers' systems from getting easy access to the corporate network.
"Companies want to get control of what is allowed on the network before they get full connectivity," Nicolett said. Many businesses increasingly have deals with suppliers and partners that give other companies access to some parts of their corporate network.
For example, Qualcomm is considering adding security to every device on a network as a way to stave off such threats, Threlkeld said.
"There is a higher percentage of mobile workers and contractors and sharing of data outside companies these days," he said. "So the next push in the future may be to get rid of corporate firewalls and replace them with a virtual firewall around each employee's system."
A personal firewall on each individual target system, such as a workstation or server, could give managers finer control over the security settings of each device, administrators said. However, the effort would require greater labor to install, or better automation.
Threlkeld noted that he is looking forward to Microsoft's Network Access Protection, which is designed to help companies fend off viruses and worms by checking devices before they dock onto the network. NAP, which will be part of Microsoft's Longhorn update to its server software, is not expected to be released until 2007.
Security sellers are also looking for ways to help administrators get enough time to test patches before they're installed. In February, for example, LANDesk Software launched a patch management product as part of its LANDesk Security Suite. The product is designed to enable system managers to queue up a patch across their network, so that once testing of a patch is completed, it can be deployed in minutes.
"Sales took off real fast and now comprise 12 percent of our revenues," said Dave Taylor, vice president of worldwide marketing for LANDesk, a Utah-based server management company that last year expanded into the security tools market.
Other technologies are on the horizon, Eschelbeck predicted. "In the next three or four years, we'll see a kind of virtual patching," he said. "These technologies will be able to protect a system automatically, based on some basic attributes of the vulnerability."
Not all technologies are looking to downgrade the importance of patching, however. Automating the patching process is another approach that is gaining popularity, said David Rice, a senior partner at Monterey, Calif.-based consultancy TantricSecurity.
Rice said the best solution for resolving security vulnerabilities lies with software makers, which should fix code before it's put on sale. Patching a bug after an application is released increases costs to the developer more than a hundredfold, Rice said.
"If you catch a bug when the software is in development, it's a $1 fix," he said. "But catch it afterwards, it's more like $100 to fix. It just makes sense in terms of cost to release secure code."