Zero-day exploits -- attacks in the wild that are too new for signature checkers to recognize -- present a serious challenge to security solution providers who are expected to protect client endpoints, hosted websites, application services and Web communications. However, there may be opportunities for service providers to differentiate themselves, or to generate revenue, with services that help clients recover from a zero-day infection.
Modern zero-day attacks spread at the speed of the Internet, infecting computers worldwide long before antivirus and IDS products (most organizations' first lines of defense) can close the window of vulnerability with a custom attack filter antidote. For example, in January 2009, the Conficker zero-day conflagration infected more than 1 million PCs in less than 24 hours. Such rapid propagation effectively relegates security scanners to merely performing cleanup after a zero-day strike has done its damage.
There is no foolproof defense against zero-day attacks: there are no signatures for security filters, behavioral techniques suffer from false positives, endpoints have too much variety for whitelists, and reputation methods are too slow. While rapid, efficient patching does eventually close the vulnerabilities that are the lifeblood of exploits, solution providers must take proactive approaches to mitigate the effect of zero-day exploits on their customers. Here are a few strategies:
Focus on vulnerabilities more than exploits. Most zero-day exploits take advantage of known vulnerabilities, so patching a single vulnerability can effectively block an entire class of exploits, even when AV signatures do not exist. For instance, the variants of Conficker can be defeated by applying the Microsoft Windows patch MS08-067. Organizations have become conservative with their patching regimens, only applying necessary patches after rigorous testing. Solution providers may need to be more aggressive in helping customers plug vulnerabilities on Internet-facing machines -- they often represent the most likely entry point for the next killer zero-day attack. Customers may grant solution providers permission to conduct periodic vulnerability scans, to run emergency scans when a vulnerability linked to a serious attack is identified, and to email links for recommended patches.
Audit everything. A zero-day attack -- including a worm, Trojan, infected iFrame, or denial-of-service effort -- that evades detection by traditional security mechanisms will cause damage and alter configurations in ways that cannot be predicted. Extensive audit logging of endpoint activity and network traffic is essential in reconstructing the destructive path of a zero-day attack. Inspection of logs gives IT a chance to recognize the presence of an attack in the network, estimate the scope of damage, and identify corrective action to prevent a recurrence.
Establish the capability to route traffic through an internal security service. Eventually information about a new attack is reported to security researchers for creation of a preventive filter to block the attack. Solution providers that can direct traffic through centralized security scanners in their own data center can update signatures in a few filters with the benefit of efficiently cleaning communications for all clients simultaneously. The zero-day attack then expeditiously moves onto the Gotcha List with less risk of a recurrence.
Build in recovery services. Client endpoints and hosted services must be refreshed if security software cannot completely recover from an attack. Customers may need snapshot backup and recovery services for software configurations and important business data in order to quickly bounce back from a zero-day attack. Security solution providers can provide assistance with these services for data and software protection, even to the extent of using a virtualized data center to run basic business applications while the organization recovers from a disaster.
Good, secure networks and remote endpoints will be vulnerable to a zero-day attack -- it is just a fact of computing life on the Internet. Solution providers can build a competitive advantage by doing all they can to ferret out vulnerabilities that zero-day attacks thrive on. Solution providers may also find new revenues with zero-day attack recovery services to help subscribers painlessly recover when the inevitable security incident occurs.
About the author
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.