Why Virtual Patching is Essential for Vulnerability Mitigation

One of the most critical tasks that most enterprise security teams struggle with on a continual basis is how to protect their organizations against new and existing vulnerabilities. The easiest solution is to patch enterprise assets against vulnerabilities with a vendor-issued patch designed to prevent any possible exploitation. When the FortiGuard Labs team produces threat research on a new exploit, their reports include the following information for that mitigation plan, along with mitigation recommendations that often refer to specific patches provided by vendors:

Affected platforms:    (Operating systems or devices impacted)
Impacted parties:       (Users of specific software versions, devices, etc.)
Impact:                       (Malware details)
Severity level:             (High/Medium/Low)

But what happens when it’s not possible to patch the asset? For example, patching can sometimes break an application due to strict dependency control, meaning it can only support a specified release level of the operating system. Of course, there is always the possibility that the application developer can issue an update to support the new patch level. However, the effects can be more profound if an application running on an impacted operating system is custom or home grown and can’t be fixed. 

An even more difficult challenge is when devices are integrated into critical infrastructure or sensitive OT systems, such as a massive boiler or open hearth furnace that cannot be taken offline for patching. In these and similar cases, the next best option is something called virtual patching.

Let’s look into why virtual patching can be a critical tool for security teams that need to respond quickly to new, and even existing threats. 

Exploits and Malware use Vulnerabilities to Propagate and Spread

As you read the FortiGuard Labs 2019 Threat Landscape Report for Q4, it is clear that growth in the exploitation of vulnerabilities is a direct result of the expanding attack surface resulting from digital innovation. Here is a brief look at the Top Platforms and Technologies targeted by exploit activity in the fourth quarter of 2019. They are plotted in Figure 1 according to prevalence (horizontal axis) and volume (vertical axis).

Prominent in the upper left-hand corner are attempts to exploit a vulnerability (CVE-2019-12678) in the Session Initiation Protocol (SIP) inspection module of Adaptive Security Appliances. These cyber incidents ranked highest on the volume scale, probably because successful exploitation results in a denial-of-service condition. In addition, four of the five most prevalent exploits targeted vulnerabilities in popular CMS applications. 

One of the underlying themes that can be derived from the data above is that majority of exploits and malware target underlying vulnerabilities in enterprise grade software and applications.

Guard Against Exploits with Virtual Patching

Patching is an update provided by a developer for an application, operating system, or firmware code designed to fix a discovered vulnerability and prevent it from being exploited. For a patch to work, it has to be deployed on individual assets. A virtual patching is similar to a patch released by a vendor because it provides protection against a specific exploit. But in this case, the difference is that this patch is deployed at the network level using a IPS rule rather than on the device itself. It is sometimes also referred to as a proximity control as it stops a threat before it reaches its intended target. 

An IPS system is designed to inspect traffic and look for and block malicious activities. And with the right signature, it can also be used to identify and stop attempts to exploit specific vulnerabilities. Because any exploit has to take a defined network path for execution, being able to identify a specific threat makes it is possible to interrupt or block the exploit by modifying the network rules. These specific IPS signatures, or virtual patches, can be deployed at the network level using the intrusion prevention (IPS) functionality built into an NGFW or a traditional standalone IPS appliance.

Here are some cases where virtual patching is critical:

• Virtual patches offer enterprises a critical level of coverage until a vendor releases a software patch to cover a new vulnerability.
• Many large enterprises using traditional patch management strategies do not deploy the patches immediately. For example, many IT teams need to validate whether or not a patch will introduce new problems in environments where lots of applications and workflows need to interact. This validation testing introduces additional delays once a vendor releases software patch. Virtual patching provides critical coverage during the initial “warm” phase of an active malware campaign to protect known vulnerabilities from exploitation while the enterprise is testing the patch from the vendor.
• Virtual patching is even more critical for mission-critical assets which require significant planning and downtime for a traditional patch to be put in place. These can include systems that are deployed remotely, such as a pipeline monitoring system; devices running sensitive systems that play a critical role in, say, a manufacturing environment (for example, monitoring a valve or thermostat on a vat containing thousands of gallons of caustic materials); or even critical infrastructure such as electrical grids or hydroelectric dams that cannot be taken down.

Fortinet Offers Virtual Patching Through FortiGate IPS

• FortiGate IPS: Fortinet customers can leverage their FortiGate NGFWs to deploy and deliver a virtual patch at the network level. This can be done using the integrated IPS capability within the NGFW, or by deploying FortiGate as a standalone IPS. FortiGate NGFWs, with their unique hardware design and architecture, have a proven track record of being successfully deployed as dedicated IPS solutions. 
• FortiGuard Labs: FortiGate NGFWs leverage the industry’s leading threat intelligence team, FortiGuard Labs. This premier research team not only discovers vulnerabilities but also creates signatures for the known vulnerabilities and exploits. With over 860+ zero day vulnerabilities discoveries attributed to the team – more than the next several competitors combined – they are able to create virtual patches to protect organizations against new and existing vulnerabilities long before a manufacturer or developer releases a patch. And to make that protection even easier to deploy, virtual patches are automatically uploaded to FortiGate devices every single day.

Conclusion

In today’s dynamically changing environments, the traditional patch cycle simply cannot scale to keep pace with the sophistication and frequency of attacks, and the rate at which new vulnerabilities are being discovered and exploited as a result of the expansion of the digital attack surface.

Virtual patching should be considered an integral component of every organization’s patch management strategy. They not only protect against new threats, but also provide an effective coverage for other scenarios, as discussed above. With virtual patching, business critical applications and data can better be secured as a virtual patch can quickly eliminate the window of opportunity and thereby minimize the risk for the business by shutting down the avenue to exploitation. This enables organizations to reduce their exposure to vulnerabilities across the board, and scale their responses and coverage accordingly with appropriate defenses that can be put in place within minutes or hours. 

For more details on how the FortiGate IPS offers a replacement strategy for existing dedicated IPS download a copy of our whitepaper.

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio. Sign up for the weekly Threat Brief from FortiGuard Labs. 

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.