There is a lot of talk about the supposed "Zero Day Protection" from several security vendors at the moment. But what does it mean? Basically it is a name that some of the industry analysts have coined to position various security solutions. It means that a security device or product doesn't necessarily need an update to be secure from an attack, namely an attack which has not been seen before and is effectively brand-new. So rather than relying on something like Anti-Virus, which must be updated frequently, such a product is supposed to need far fewer updates to keep corporate customers secure.
Does it work? Nah, not really. For example, the Microsoft Windows Metafile (WMF) exploit became public on 27th of December 2005. After that, all security vendors rushed to make detection updates for it. If there were a truly working zero day or pre-emptive protection solution, those updates would be unnecessary, right?
Anti-Virus products are often used as an example of why updates don't work. But in reality they do. All of the leading Anti-Virus vendors have developed their solutions to support identification of potential threats as well as ones that have yet to be seen outside of a lab environment. Other than a few notable exceptions, 95% of all new viruses will be detected without the need for an update from the vendor.
The reason why virus attacks are so successful is that many organizations just don't update their AV products at all, or are running out-of-date versions.
Many vendors use the "Zero Day" marketing line in their positioning and as a result try to place themselves as a different security solution from the others. Typically we are talking about IDS/IPS solutions, but the term is used in many other areas too.
A security solution is there to enforce a policy as well as to allow a business or system to operate without disruption. By implementing a "Zero Day" system, the product you are relying on requires everything to be 100% correct. What I mean by this is that all of your web applications adhere to the HTML standards and that your applications use all of their protocols and systems in 100% compliance with the standards. Unfortunately almost nothing to do with IT works like this. Everyone does things ever-so-slightly differently, and as a result sticking to standards isn't quite as simple as people might suggest.
Take a look at the fact that many web pages don't display correctly in Mozilla vs Microsoft's Internet Explorer. OK, a web page is one thing. But what happens if it's your corporate accounts system, or your sales processing system, or even your on-line ordering system? It becomes much more critical, and sticking to standards much more important.
Imagine a scenario where an emergency patch must be applied to your sales order processing system. This patch is to fix a major problem with it and must be carried out ASAP. Unfortunately it introduces some small changes to the way it operates, and now it isn't 100% standards compliant. Normally this would not be an issue, and virtually all organizations would never know. But with a "Zero Day Protection" system it may just get triggered: blocking of network traffic and high priority alerts. What would you do? Roll back the critical patch, or disable your security system until it can be corrected? It's a tough call and one that no one really wants to make. "Zero Day Protection" really isn't what it is cracked up to be; it's a bit of marketing.
So how does an organisation react to such instances?
By making use of a class-leading solution which is flexible and effective. In many cases you may choose to do nothing in response to such emergencies. But the choice should be the organisation's, and not the supplier's or the security solution's.
The ability to monitor, log, alert and react is critical here; simply reacting may not be the best course of action! For example, a passing vandal throws a stone at your office. Do you shoot him, close your office and lock all of the doors? Or do you observe, track and inform the relevant authorities? I know which I would choose.
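To make the "100% standards compliant" problem and the monitor-versus-block choice concrete, here is a small added example (not code from the original article or from any vendor product). It is a toy protocol-anomaly filter that enforces a handful of HTTP/1.1 framing rules and can run in either a blocking or a monitor-and-alert policy. The three requests are constructed for the example: a compliant one, a benign request from the "patched" sales system that now emits a header name with a trailing space (a harmless but non-compliant quirk), and a genuinely broken one whose Content-Length does not match its body. The check names and policy modes are my own assumptions, chosen for illustration.

```python
"""Toy protocol-anomaly filter illustrating block vs. monitor policies.

Added example, not from the original article. The checks cover a few
HTTP/1.1 framing rules only; the sample requests are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    BLOCK = "block"      # drop traffic that violates the standard
    MONITOR = "monitor"  # let it through, but log and alert


# Request line: METHOD SP target SP HTTP/1.0|1.1 (simplified)
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]$")
# Header field names must be RFC 7230 tokens: no spaces or control chars.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_request(raw: bytes) -> list[str]:
    """Return a list of standards violations; an empty list means compliant."""
    violations: list[str] = []
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in header block"]

    if not REQUEST_LINE.match(lines[0]):
        violations.append(f"malformed request line: {lines[0]!r}")

    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # A trailing space in the name (e.g. "X-Foo : 1") fails the token rule.
        if not sep or not TOKEN.match(name):
            violations.append(f"malformed header: {line!r}")
            continue
        headers[name.lower()] = value.strip()

    if "host" not in headers:
        violations.append("missing Host header (required by HTTP/1.1)")

    if "content-length" in headers:
        try:
            declared = int(headers["content-length"])
        except ValueError:
            declared = -1
        # Framing mismatch: the kind of violation a defender actually cares about.
        if declared != len(body):
            violations.append(
                f"Content-Length {declared} != body length {len(body)}")
    return violations


@dataclass
class Decision:
    allowed: bool
    alerts: list[str] = field(default_factory=list)


def apply_policy(raw: bytes, mode: Mode) -> Decision:
    """Decide what to do with a request under the given policy mode."""
    violations = check_request(raw)
    if not violations:
        return Decision(True)
    if mode is Mode.BLOCK:
        return Decision(False, violations)   # traffic dropped, business disrupted
    return Decision(True, violations)        # passed through, alert raised


# Constructed sample requests (hostname is a placeholder, not a real system).
COMPLIANT = (b"GET /orders HTTP/1.1\r\n"
             b"Host: sales.example.test\r\n\r\n")
AFTER_PATCH = (b"GET /orders HTTP/1.1\r\n"
               b"Host: sales.example.test\r\n"
               b"X-Sales-Version : 2.1\r\n\r\n")   # space before colon
MISMATCH = (b"POST /orders HTTP/1.1\r\n"
            b"Host: sales.example.test\r\n"
            b"Content-Length: 2\r\n\r\n"
            b"abc")                               # body is 3 bytes, not 2


if __name__ == "__main__":
    for label, req in [("compliant", COMPLIANT),
                       ("patched app", AFTER_PATCH),
                       ("framing mismatch", MISMATCH)]:
        for mode in Mode:
            d = apply_policy(req, mode)
            print(f"{label:17s} {mode.value:8s} allowed={d.allowed} alerts={d.alerts}")
```

Run in BLOCK mode, the harmless post-patch request is dropped alongside the genuinely broken one, which is exactly the roll-back-or-disable dilemma described above. In MONITOR mode both still raise an alert, so the violation is logged and visible, but the decision on what to do about it stays with the organisation rather than the device.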