New tools are starting to become available to IT managers who are looking for ways to protect their systems from worms and other attacks while they work to test and install security patches issued by software vendors.
For example, Blue Lane Technologies Inc., a startup in Cupertino, Calif., last week introduced a security appliance called PatchPoint that addresses specific vulnerabilities in Windows and other products. But instead of requiring users to install software on their systems, PatchPoint sits in front of servers and mimics the full functionality of vendor-issued patches. The approach is designed to let IT staffs "hold down the fort" until they"re ready to apply the actual patches, said Jeff Palmer, Blue Lane"s president and CEO.
Redwood City, Calif.-based Determina Inc. this week is due to announce software that has a similar goal. For the past year, Determina has been selling a "memory firewall" technology that"s designed to run inside an application"s memory and prevent any activity that"s deemed to be inconsistent with normal behavior.
Determina"s new Vulnerability Protection Suite combines the memory firewall with a real-time flaw-remediation tool. But unlike Blue Lane"s approach, Determina"s product works by applying very small bits of corrective code to fix the underlying vulnerability on the server. "The code is literally on the order of a couple of bytes," said Determina CEO Nand Mulchandani, adding that systems administrators can install and uninstall the code "at the click of a button."
Such products can buy IT managers the time they need to do the required amount of regression testing and analysis work on patches, said Christofer Hoff, director of enterprise security services at Western Corporate Federal Credit Union in San Dimas, Calif. WesCorp is an early user of Blue Lane"s technology.
The credit union has suffered its share of problems with patches that failed to deploy properly or ended up impairing critical IT services, according to Hoff.
Avoiding Trade-offs
"The dilemma has been in deciding whether the risk associated with an unpatched vulnerability is greater than that associated with deploying an untested patch," Hoff said. He added that Blue Lane"s appliance saves him from having to make an either/or decision.
Although Determina"s approach requires users to install new code on production systems, the size of the added software is so small that it poses few risks, said the director of information security at a large oil company. The security director, who asked not to be named, tested Determina"s software at a previous employer and now wants to install it at his current company.
Richard Ptak, an analyst at Ptak, Noel & Associates Inc. in Amherst, N.J., said that with hackers taking advantage of new software flaws more and more rapidly, IT staffs are coming under increasing pressure to deploy patches as quickly as they can -- often without appropriate testing.
"On the one hand, you want to protect your resources," Ptak said. "On the other, you don"t want to run the risk of messing up your production environment."
Determina"s software supports only Windows servers, while Blue Lane"s appliance also works with Sun Solaris systems as well as Oracle databases and the Apache open-source Web server. PatchPoint pricing starts at US$30,500. Determina"s software starts at $750 for each protected server.
Pivx Solutions Inc. in Newport Beach, Calif., last week rolled out PreEmpt 2.0, another tool aimed at deferring the need for rapid patching. But instead of addressing specific exploits, the Pivx software is designed to enforce security controls on broad and frequently exploited classes of Windows vulnerabilities, such as buffer overflows.