Product selection for virtual patching

sunhux used Ask the Experts™
We would like to do virtual patching for various CVEs that
were published early, i.e. we can't wait for 1-3 months to
patch: ideally it's auto-deployed from the principal to
the device via the Internet.

Is NIDS, HIPS (e.g. Trend Micro's Deep Security) or WAF, or
which product, most suited for virtual patching in terms of

a) the lead time before the vendor releases the signature/rules (the
   earlier the vendor releases it, the earlier we can deploy
   the mitigation)

b) the thoroughness with which the vendor/developer/principal tests
   the rules/signatures so as to minimize service disruption:
   I have seen cases where the rules/signatures caused
   disruptions (e.g. the 'Repeated IIS Parameter' and
   'Clickjacking' vulnerabilities)

c) we may not plan to do layered security, i.e. not multiple
   devices of NIDS, HIPS plus WAF, but just select one.
   So ideally the selected device could also do
   "Brute Force" (say 10 login attempts within 10 secs
   from the same IP) & "Bad public source IP" blocking
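As an added illustration of the "Brute Force" rule described in point c) (not code from the question or from any vendor product), the detector below applies a sliding-window threshold of 10 failed logins within 10 seconds per source IP to a constructed, syslog-like auth log; the log format and IP addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as stated in the question: 10 login failures within 10 seconds from one IP.
MAX_ATTEMPTS = 10
WINDOW = timedelta(seconds=10)

# Assumed (constructed) log line format: "<ts> FAIL|OK login user=<u> src=<ip>".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>FAIL|OK) "
    r"login user=(?P<user>\S+) src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse(line):
    """Return (timestamp, result, src_ip) or None for a line that does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["result"], m["ip"]

def detect_brute_force(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Map each source IP that crosses the threshold to the time it first did so.

    Uses a sliding window (not fixed buckets) of failure timestamps per IP, so a
    burst that straddles a bucket boundary is still caught. Lines are assumed to
    arrive in chronological order per IP; successes and unparsable lines are ignored.
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] != "FAIL":
            continue
        ts, _, ip = rec
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged

def _mk(ip, offsets, result="FAIL", user="admin"):
    """Build constructed sample lines at the given second offsets from a fixed base time."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    return [f"{base + timedelta(seconds=o):%Y-%m-%d %H:%M:%S} {result} login user={user} src={ip}"
            for o in offsets]

SAMPLE_LOG = (_mk("203.0.113.5", range(0, 10))        # 10 failures in 9 s: brute force
              + _mk("198.51.100.7", range(0, 30, 3))  # 10 failures over 27 s: below the rate
              + _mk("192.0.2.9", [4], result="OK")    # one success: not counted
              + ["garbage line that does not parse"]) # malformed input: skipped
```

Running `detect_brute_force(SAMPLE_LOG)` flags only 203.0.113.5, at the tenth failure; the slower 198.51.100.7 never has ten failures inside any 10-second window.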

Personally, if I have to choose between perimeter or end-point, I'd choose
perimeter as I've seen a lot more attempts (from bad source IPs) at the perimeter
NIDS vs. a NIDS that is placed further into the network
Exec Consultant
Distinguished Expert 2018
To do the VP, you need to minimally identify what sort of indicator of compromise (IOC) is involved and assess if those security devices can consume the IOC for the detect and block response. You need to go beyond just the CVE and instead use it to direct you to surface the IOCs like IP addresses (network captures), hashes (file artefacts dropped) and URLs (callbacks). It may need googling to map the CVE to IOCs; one means is using OTX to search for possible IOCs or even trying to search through VirusTotal on the CVE ID.

I see it as more than just perimeter and endpoint, as we need to strategise what to target, where to find it and how to effect checks on the IOCs. Overall it is to shorten the exposure window and do damage control on the affected machines and devices identified during this threat hunting.

  1. IP address - Enforcement will need to be at your gateway and proxies, which will likely be the firewall and NIDS/NIPS. Blacklist of IPs added.
  2. Hash - Enforcement will be at your AV and vulnerability mgmt server end. Put a policy in place to threat hunt the hash (MD5, SHA1 or SHA2) and consider quarantining hits on endpoints.
  3. URL - Enforcement will be more suited to target your DNS server, which supposedly resolves all URLs. It can send them to a sinkhole created to isolate the affected source for further triage and investigation.


> identify what sort of indicator of compromise (IOC)
The primary ones we are looking at are the vulnerabilities published by
MS and Adobe monthly, as well as those by Oracle & Redhat/Linux.

I know Deep Security used to release rules/signatures specifically
for MS & Adobe CVEs; not too sure if McAfee/Symantec does it
as diligently.
btan
Exec Consultant
Distinguished Expert 2018

Both will have their respective vulnerability advisories or bulletins with the stated CVE but may not necessarily go into IOCs. But they should provide the release to customers with the latest signatures for detection of the threats. If there is any specific CVE or threat, it is always best to direct it to their support for the signature required.

Their central management console, like McAfee ePO or Symantec SEPM, will be the main point to push down policy and signatures as required.