Erasing the myth of zero-day protection
It sounds like a clever theory, but there are obvious indicators that zero-day protection simply does not work, writes Paul Brettle
‘Zero-day protection’ is an impressive phrase that is used by several security vendors at the moment, but what does it mean?
It refers to technology that is able to detect vulnerabilities caused by clumsy programming in systems, predict what sort of code a malicious hacker could theoretically design to exploit such vulnerabilities and then proactively protect and block these exploits before they even exist. This means products such as anti-virus software or firewalls could be updated to cope with threats before they are in the wild.
It is clever in theory, but zero-day protection is far from foolproof and there have been obvious indicators that it doesn’t work. For example, on 27 December last year the notorious Microsoft Windows Metafile exploit became public, quickly followed by a raft of detection updates from security vendors to combat it. If these vendors had genuine zero-day protection in place, those reactive updates would surely have been unnecessary. In reality, they were vital for the protection of end-users.
Anti-virus products are often cited as an example of why regular security updates don’t offer sufficient protection, yet they remain the best form of protection available. Leading anti-virus vendors already develop solutions that support the identification of potential threats, including ones that have yet to be seen outside a lab environment. Other than a few notable exceptions, this means that 95 per cent of all new viruses will be detected without the need for an update from the vendor. The reason virus attacks remain so successful is that many organisations don’t update their anti-virus products regularly, if at all, or are running out-of-date versions.
A security solution is there to enforce a policy and ensure good practice, and to allow a business to operate without disruption. By implementing a zero-day protection system, customers have to make the sizeable assumption that all systems running onsite are 100 per cent correct. For example, all web applications must adhere to HTML standards, and all applications, protocols and systems are compliant with industry standards.
Imagine a scenario where an emergency patch must be applied to a sales order processing system as soon as possible to fix a major problem, but this patch introduces some small changes that mean the system is no longer 100 per cent standards compliant.
A reactive security update would take account of the change, but reliance upon a zero-day protection system could easily see unnecessary security measures triggered by the unknown patch, blocking network traffic and raising high-priority alerts. What would the business do in this event? Roll back the critical patch, or disable the security system until it could be corrected?
So how should an organisation react to such instances? Well, by making use of class-leading solutions that are flexible and effective. In many cases, they may even consider doing nothing in response to such a situation, but that choice should always be up to the organisation and not the security supplier.
The ability to monitor, log, alert and react to security vulnerabilities is critical, and simply reacting without informed consideration is rarely the best course of action. If, for example, a passing vandal throws a stone at a company’s windows, should they eliminate him, close their offices and lock all of their doors? Or would they be better served observing, tracking and alerting the relevant authorities? I know which course of action I would recommend.
Paul Brettle is the UK and Ireland country manager at Stonesoft Corporation.