Product selection for virtual patching

We would like to do virtual patching for various CVEs that
were published early, i.e. we can't wait 1-3 months to
patch; ideally it's auto-deployed from the principal to
the device via the Internet.

Which product is most suited for virtual patching: NIDS, HIPS
(e.g. Trend Micro's Deep Security) or WAF, in terms of

a) lead time before the vendor releases the signature/rules (the
    earlier the vendor releases it, the earlier we can deploy
    the mitigation)

b) the thoroughness with which the vendor/developer/principal tests
     the rules/signatures so as to minimize service disruption:
     we have seen cases where the rules/signatures caused
     disruptions (e.g. the 'Repeated IIS Parameter' and
     'Clickjacking' vulnerabilities)

c) we may not plan to do layered security, i.e. not multiple
    devices of NIDS, HIPS plus WAF, but just select one.
    So ideally the selected device could also do
    "Brute Force" (say 10 login attempts within 10 secs
     from the same IP) & "Bad public source IP" blocking
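As an added example that is not part of the original thread, the brute-force rule from point (c) written as detection logic over constructed log lines, so the threshold and window can be checked against sample traffic before the rule is enabled for blocking (the log format, IP addresses and timestamps are all constructed here):

```python
"""Sliding-window brute-force detector for the rule in point (c):
flag a source IP once it produces 10 failed logins within any 10-second window.
Log format and sample lines are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 10      # failed attempts ...
WINDOW_SECS = 10    # ... within this many seconds from the same IP


def build_sample_log():
    """Constructed log lines: "<ISO timestamp> <result> <client ip>".
    One IP hammers the login (should trigger), one retries slowly
    (should not), and one successful login must not be counted."""
    fast = [f"2024-01-01T10:00:{s:02d} FAIL 203.0.113.7" for s in range(10)]
    slow = [f"2024-01-01T10:00:{s:02d} FAIL 198.51.100.5" for s in range(0, 30, 3)]
    ok = ["2024-01-01T10:00:05 OK 192.0.2.20"]
    # Zero-padded ISO timestamps sort chronologically as strings.
    return sorted(fast + slow + ok)


def parse_line(line):
    ts, result, ip = line.split()
    return datetime.fromisoformat(ts), result, ip


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW_SECS):
    """Return {ip: timestamp of the attempt that tripped the rule}.
    Assumes lines arrive in chronological order. A per-IP deque keeps
    only failures inside the window, so memory stays bounded by threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts, result, ip = parse_line(line)
        if result != "FAIL":          # successful logins never count
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts          # record first trigger only
    return flagged


if __name__ == "__main__":
    for ip, when in detect_brute_force(build_sample_log()).items():
        print(f"block {ip}: {THRESHOLD} failures within {WINDOW_SECS}s by {when.time()}")
```

Tuning the threshold or window against a week of real authentication logs before enabling a block action is the cheapest way to avoid the kind of disruption described in point (b).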
sunhux (Author) commented:
Personally, if I have to choose between perimeter or end-point, I'd choose
perimeter, as I've seen a lot more attempts (from bad source IPs) at perimeter
NIDS vs NIDS that is placed further into the network.
btan (Exec Consultant) commented:
To do VP, you need to minimally identify what sort of indicators of compromise (IOCs) are involved and assess whether those security devices can consume the IOCs for a detect-and-block response. You need to go beyond just the CVE and instead use it to direct you to surface the IOCs, like IP addresses (network captures), hashes (file artefacts dropped) and URLs (callbacks). It may need googling to map the CVE to IOCs; one means is using OTX to search for possible IOCs, or even trying to search through VirusTotal on the CVE ID.

I see it as more than just perimeter and endpoint, as we need to strategise what to target, where to find it and how to effect checks on the IOCs. Overall it is to shorten the exposure window and do damage control on the affected machines and devices identified during this threat hunting.

  1. IP address - Enforcement will need to be at your gateway and proxies, which will likely be the firewall and NIDS/NIPS. Blacklist of IPs added.
  2. Hash - Enforcement will be at your AV and vulnerability mgmt server end. Put on a policy to threat hunt the hash (MD5, SHA1 or SHA2) and consider quarantining hits on endpoints.
  3. URL - Enforcement will be more suited to target your DNS server, which supposedly resolves all URLs. It can send them to a sinkhole created to isolate the affected source for further triage and investigation.

sunhux (Author) commented:
> identify what sort of indicator of compromise (IOC)
The primary ones we are looking at are the vulnerabilities published monthly by
MS and Adobe, as well as those by Oracle & Redhat/Linux.

I know Deep Security used to release rules/signatures specifically
for MS & Adobe CVEs; not too sure if McAfee/Symantec does it
as diligently.
btan (Exec Consultant) commented:
Both will have their respective vulnerability advisories or bulletins with the stated CVE, but may not necessarily go into IOCs. They should, however, provide customers with the latest signature release for detection of the threats. If there is any specific CVE or threat, it is always best to direct it to their support for the signature required.

Their central management console, like McAfee ePO or Symantec SEPM, will be the main point to push down policy and signatures as required.