sunhux
asked on
Product selection for virtual patching
We would like to do virtual patching for various CVEs that were published early, i.e. we can't wait 1-3 months to patch; ideally it's auto-deployed from the principal to the device via the Internet.
Is NIDS, HIPS (e.g. Trend Micro's Deep Security) or WAF, or which product, most suited for virtual patching in terms of
a) lead time in which the vendor releases the signatures/rules (the earlier the vendor releases them, the earlier we can deploy the mitigation)
b) the thoroughness with which the vendor/developer/principal tests the rules/signatures so as to minimize service disruption: I have seen cases where the rules/signatures caused disruptions (e.g. the 'Repeated IIS Parameter' and 'Clickjacking' vulnerabilities)
c) we may not plan to do layered security, i.e. not multiple devices (NIDS, HIPS plus WAF), but just select one. So ideally the selected device could also do "Brute Force" (say 10 login attempts within 10 secs from the same IP) & "Bad public source IP" blocking
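The brute-force criterion in point c) (10 login attempts within 10 seconds from the same source IP) is the kind of rule any of the candidate products would implement as a per-source sliding window. The block below is an added illustration of that rule, not code from the original thread or from any of the products named; the log line format, the `detect_bruteforce` function and the sample lines are all constructed for the example. It also shows the edge case a tested rule has to get right: the same number of attempts spread over a longer period must not trigger.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format for the example: "<timestamp> <source ip> LOGIN <OK|FAIL> user=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>[\d.]+) LOGIN (?P<result>OK|FAIL)"
)


def _line(ts, ip, result):
    return f"{ts:%Y-%m-%d %H:%M:%S} {ip} LOGIN {result} user=test"


_T0 = datetime(2024, 1, 15, 10, 0, 0)

# Constructed sample input (not captured from any real system):
#   203.0.113.7  - ten attempts one second apart   -> 10 within 10 s, should alert
#   192.0.2.9    - ten attempts two seconds apart  -> same count over 18 s, must NOT alert
#   198.51.100.4 - three attempts, the last one succeeds -> normal user, no alert
SAMPLE_LOG = (
    [_line(_T0 + timedelta(seconds=i), "203.0.113.7", "FAIL") for i in range(10)]
    + [_line(_T0 + timedelta(seconds=2 * i), "192.0.2.9", "FAIL") for i in range(10)]
    + [_line(_T0 + timedelta(seconds=5 * i), "198.51.100.4",
             "FAIL" if i < 2 else "OK") for i in range(3)]
)
# Zero-padded timestamps on one date sort chronologically as strings,
# which gives the interleaved order a sensor would actually see.
SAMPLE_LOG.sort()


def detect_bruteforce(lines, max_attempts=10, window_seconds=10):
    """Return {source_ip: timestamp of the attempt that crossed the threshold}.

    Keeps, per source IP, only the attempt timestamps that fall inside the
    trailing window; an IP is reported once, at the first attempt that brings
    the count inside the window up to max_attempts.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # not a login record, ignore
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        # Drop attempts older than the window; "within 10 s" keeps a 10 s gap.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_attempts and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"block candidate: {ip} reached threshold at {when}")
```

Whether the window counts every attempt or only failures is a policy choice; this example counts all attempts, as the question words it, and a stricter rule would only enqueue `FAIL` records. The once-per-IP reporting is what a blocking action needs; a pure alerting rule could report every attempt past the threshold instead.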
ASKER
> identify what sort of indicator of compromise (IOC)
The primary ones we are looking at are the vulnerabilities published monthly by MS and Adobe, as well as those by Oracle & Redhat/Linux.
I know Deep Security used to release rules/signatures specifically for MS & Adobe CVEs; not too sure if McAfee/Symantec does it as diligently.
Both will have their respective vulnerability advisories or bulletins with the stated CVE, but may not necessarily go into IOCs. They should, however, provide the release to customers with the latest signatures for detection of the threats. If there is any specific CVE or threat, it is always best to direct it to their support for the signature required.
Their central management console, like McAfee ePO or Symantec SEPM, will be the main point to push down policy and signatures as required.
https://www.symantec.com/security-center/vulnerabilities
https://www.mcafee.com/enterprise/en-sg/threat-center/product-security-bulletins.html
ASKER
perimeter, as I've seen a lot more attempts (from bad source IPs) at the perimeter NIDS vs a NIDS that is placed further into the network