Defensive Play: Virtual Patching, Intrusion Prevention Come Of Age

Patch management: It's the blight of companies that rely on software to make their businesses hum. And there's probably no greater drain on IT resources than the persistent need to patch vendor-announced flaws that place critical systems at risk to attack from viruses, worms and hackers.

That's why a growing number of solution providers are helping their clients heighten security--and slash the costs associated with patch management--by deploying intrusion-prevention and vulnerability-shielding security applications.

Despite companies having invested heavily in tools from the likes of BigFix, PatchLink and Shavlik Technologies, patch management remains a tedious and costly process. An enterprise's cost to manage patches varies widely, depending on its architecture. According to research firm Gartner, the price ranges from $100 to $300 per machine, which includes patch testing, remediation preparation, deployment and help-desk calls associated with failed patch deployments. That means a company with 500 desktops--even one with a high degree of automation--could rack up expenses of $50,000 or more per patch. So it should come as no surprise that companies are eyeing security tools that can both protect their systems and buy some time between patch deployments.

While virtual-patching and intrusion-prevention systems (IPSs) have been around for a while, they have matured notably in the past year.


"We're seeing an increased demand for these," says John Pescatore, a security analyst at Gartner. "Companies have deployed various types of IPSs, turned on the automated blocking and learned that they've increased security without losing legitimate network traffic."

To address the need, companies such as McAfee, 3Com's TippingPoint and Internet Security Systems (ISS) have unveiled host-based systems that look for potentially malicious behavior on networks, desktops and servers, and within applications and operating systems, then block any attacks.

More recently, security vendors Blue Lane Technologies and Determina have rolled out programs that they say shield systems by replicating the protective functions of a vendor's patch.

Blue Lane's PatchPoint system sits between corporate servers and end points, such as desktops and notebooks. Through its ActiveFix subscription, application-specific fixes are downloaded to the appliance; those "virtual patches" provide the functional equivalent of a vendor patch for the vulnerability.

"We're bringing order to the chaotic patching process, as well as reducing the cost and frequency of patching," says Fred Kost, vice president of marketing at Blue Lane. He says the PatchPoint appliance can patch a newly announced software vulnerability typically within a day.

Determina's software, LiveShield, is an add-on module to the company's intrusion-prevention Memory Firewall software, which runs on servers to protect systems against memory-based attacks, such as buffer overflows. As new threats surface that wouldn't be covered by the Memory Firewall, the company develops and publishes a fix, or what it calls a "shield," through its management software.

While Blue Lane's and Determina's systems work differently, the end result of each is a reduced reliance on patching and increased levels of security--and additional opportunities for solution providers, to boot. Both companies, in fact, recently unveiled partner programs.

"Security is going to be one of the top drivers in technology spending this year," says Shaq Khan, CEO of Fortifire, a security specialist based in Hayward, Calif., and one of the first partners to sign with Blue Lane's new channel program, launched in December. "And companies are going to increasingly seek ways to reduce the cost of patching."

Paul Graffeo, co-founder and vice president of sales and marketing at RBTi, a service and security solution provider in Atlanta, says he has seen an increased demand in the past year for IPSs aimed at boosting customer security and alleviating patch management.

"Currently, the methods that companies use to deploy patches are simply not working," Graffeo says. "Even with automated toolsets, it's tough to get the patches tested and deployed quickly enough."

One of RBTi's financial-services clients, which protects roughly 40 servers with the Proventia Server IPS from ISS, has managed to reduce the number of times it runs patches to once a year, Graffeo says.

Neither virtual patching nor host intrusion-prevention applications can eliminate the need for patching, but the technologies do promise to buy enterprises the extra time they need to properly test patches on a schedule that suits them.

"It's a no-brainer," Khan says. "If you can cut the number of times you need to patch while increasing the availability and security of systems, who wouldn't?"

One of the biggest hurdles to the adoption of these security technologies, according to Khan, is low end-user awareness. "Many companies simply don't realize that something like this is possible," he says. "So we'll install Blue Lane and show the client what it's capable of doing."

George V. Hulme is a freelance writer based in Eden Prairie, Minn.