Real Time Protection (Virtual Patching)
Identification of vulnerabilities is only one part of the overall organizational problem of vulnerability management. With Vulnerability Manager, once vulnerability information has been loaded in a structured format into a centralized data store, that data can be used to provide real-time protection while code-level fixes are in development.
A drawback of many network-centric IDS/IPS technologies is that they are not well-suited to protecting against application-level attacks. They are signature-focused and rely on an ongoing feed of signatures based on known vulnerabilities in infrastructure devices and packaged software. Unfortunately, custom software applications are, by their nature, not deployed widely enough to have publicly-available signatures. However, given the detailed vulnerability information stored in the Vulnerability Manager, it is possible to create specifically targeted rules and signatures that protect against attacks aimed at these custom-application-specific vulnerabilities.
Web Application Firewall (WAF) technologies are used to identify and block suspicious traffic to custom applications, but they can be very challenging to tune. By generating vulnerability-specific rules for WAFs, the Vulnerability Manager can help eliminate the need for the tuning process as well as the false positives in which legitimate traffic is blocked. These “virtual patches” are an emerging use case for WAF technologies, and Vulnerability Manager makes their generation automatic.
Currently-supported technologies include:
- Snort
- OWASP ESAPI WAF
- mod_security
Rule generation for new technologies can easily be supported by extending the Vulnerability Manager using well-defined software interfaces.
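As an added illustration of the idea (not the Vulnerability Manager's own code or output format), the snippet below turns a structured vulnerability record into a vulnerability-specific mod_security rule: a chained rule that matches only the flagged URL and denies requests whose value for the flagged parameter falls outside a per-vulnerability-class allowlist. The record fields, the allowlist patterns and the rule id range are assumptions.

```python
"""Generate a vulnerability-specific ModSecurity rule (a "virtual patch")."""
import re
from dataclasses import dataclass

# Assumed positive-security allowlists per vulnerability class. The generated
# rule constrains only the flagged parameter on the flagged URL, so the rest of
# the application's traffic is untouched and no site-wide tuning is needed.
ALLOWLIST_BY_VULN_TYPE = {
    "SQL Injection": r"^[A-Za-z0-9_@.\-]{1,64}$",
    "Cross-Site Scripting": r"^[A-Za-z0-9 _.,@\-]{0,256}$",
}

@dataclass(frozen=True)
class Vulnerability:
    """Constructed stand-in for a record in the vulnerability data store."""
    vuln_type: str   # class of weakness reported by the scanner
    path: str        # request path the scanner flagged
    parameter: str   # vulnerable request parameter

def modsecurity_virtual_patch(vuln: Vulnerability, rule_id: int) -> str:
    """Return a two-rule ModSecurity chain: match the path exactly, then deny
    unless the parameter value matches the allowlist for the vulnerability class.
    Raises ValueError for classes with no template or unsafe record contents."""
    pattern = ALLOWLIST_BY_VULN_TYPE.get(vuln.vuln_type)
    if pattern is None:
        raise ValueError(f"no rule template for {vuln.vuln_type!r}")
    # Keep record contents from breaking out of the quoted rule syntax.
    if not re.fullmatch(r"/[A-Za-z0-9_./\-]*", vuln.path):
        raise ValueError("path must be a plain URL path")
    if not re.fullmatch(r"[A-Za-z0-9_\-]+", vuln.parameter):
        raise ValueError("parameter name must be a plain identifier")
    msg = f"Virtual patch: {vuln.vuln_type} in {vuln.parameter} at {vuln.path}"
    return (
        f'SecRule REQUEST_FILENAME "@streq {vuln.path}" '
        f'"id:{rule_id},phase:2,t:none,deny,status:403,log,msg:\'{msg}\',chain"\n'
        f'    SecRule ARGS:{vuln.parameter} "!@rx {pattern}" "t:none"\n'
    )

if __name__ == "__main__":
    # Constructed sample record; 910001 is an assumed local rule id.
    finding = Vulnerability("SQL Injection", "/app/login.jsp", "username")
    print(modsecurity_virtual_patch(finding, 910001))
```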
Please note that these rule generators are part of the Vulnerability Manager and are neither endorsed nor supported by the associated WAF/IDS/IPS technology vendors at the current time.
