Re: ISS - virtual patching



You are making some assumptions here:

1. You find out about the vuln the same time ISS does. Due to excellent
threat intelligent and a top notch Research and Development team they are
likely to know about the threat long before you do.

2. The fact that a security vendor actually has the ability to test traffic
in the wild is pretty impressive and should be considered the standard.
Protocols are updated all the time, traffic changes constantly, the only way
to make sure you are hitting the bad traffic and not blocking the good is
real world testing. Since I use to be in R&D at ISS there I will say 8 weeks
is a bit much, but the sig soak in periods are more than enough to shake
alot of false positives out.

On 11 Jul 2006 14:34:41 -0000, phb@xxxxxxxxx <phb@xxxxxxxxx> wrote:
I was at an ISS event (but I guess it applies to all IPS vendors) where they said after a signature is written they QA it to prevent false positives, for about 8 weeks in the wild.

It sounded a little counter productive to the "virtual patching" claims, since that often means the protection comes in after I've already patched the system.

I agree I wouldn't deploy prevention prior to being sure it'll not cause a DoS to the network (or at all until this technology matures a little more), but with this attitude what is the IPS virtual patch hype all about?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------