When high-profile zero-day vulnerabilities hit the headlines, security professionals around the world scramble to patch and remediate. Zero-days such as ImageTragick, Shellshock and, most recently, Meltdown and Spectre showed that even complex, modern infrastructure is susceptible to highly impactful security issues. Meltdown and Spectre in particular also signaled a shift in focus towards security issues at deeper levels of the computing stack: they are flaws in CPU speculative execution rather than bugs in any single piece of software.
The Problems with Software Patches
As with most things, the allure of a quick fix did not live up to reality. The patches and remediation strategies, while important, are neither quick nor a fix, and in some cases they add to the pile of problems instead of helping solve it. Being invulnerable to these issues is unambiguously better, but a patch addresses one specific hole, not the full impact of the underlying attack class. Software patches are slow-to-install roadblocks in the arms race between attacker and defender. While you are trying to patch, and often even after you have, attackers will find a way around it, and you need to know the moment they do.
Deciding Between Zero-Day Attack Detection and Patches
While no one would recommend delaying important mitigations any longer than necessary, applying them across an entire enterprise environment takes significant attention and time. That gap lets more agile attackers exploit the vulnerabilities, often using readily published proofs-of-concept, while defenders are still performing their own risk analysis. As Cloudflare's analysis of Shellshock exploitation in the wild showed, attackers began attacking much faster than defenders could hope to patch. Protections based on zero-day attack detection can be deployed much more quickly than mitigations based on patching alone, because they do not require changing the vulnerable software itself.
Performance impact is another major reason why relying on patching alone may be less effective than detection. If a workload does not execute untrusted code and is fairly locked down, the performance hit of the mitigations (kernel page-table isolation for Meltdown; retpoline-compiled kernels and microcode updates for Spectre) is a high cost for little or no benefit. Additionally, much of the infrastructure affected by Meltdown and Spectre ran on older kernels that are a challenge to upgrade; doing so carries huge cost and stability risk. The existing mitigations (kernel upgrades and recompiling software) will therefore fall well down the priority list, as the cost of remediation outweighs the perceived risk of a successful attack, and that is before counting the secondary costs of the rollout itself: validating the patches, absorbing their overhead, and rolling back any that misbehave.
Remediation vs. Zero-Day Attack Detection
There is a very long tail in remediation; it is not going to happen quickly and it is not a panacea. That is why companies need to think critically about zero-day attack detection as part of their strategy for dealing with these high-profile vulnerabilities. If a workload seems unlikely to be practically exploitable without other major failures, detection makes more sense than relying on mitigation or remediation. Even where there is legitimate risk, zero-day attack detection is still a viable alternative if you can automate the detection and shutdown of an offending process before sensitive information is fully exposed; Meltdown and Spectre leak memory through a cache side channel at kilobytes per second rather than all at once, so there is a real window between the first anomalous behaviour and a meaningful disclosure. High-risk environments also need to investigate a hybrid approach that combines mitigation and detection, since mitigation alone is not enough.
In the end, organizations do not have to choose one approach over the other. Mature environments combine both, using each for its strengths. Eliminating the underlying cause of a vulnerability is the most effective option, but it also takes the most time, effort and money. Detecting exploitation of broad classes of vulnerabilities through security monitoring, and automating real-time responses, provides protection while known vulnerabilities are being eliminated. It also yields valuable signals of malicious activity and can reveal exploitation of as-yet-unknown vulnerabilities.
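As an added illustration of the detect-and-respond loop the post argues for (this is not Capsule8's code, and the post describes no particular detection method), the Python sketch below consumes a stream of per-process counter samples and terminates a process whose fault rate stays anomalously high for consecutive sampling windows. Which counter is sampled (a hardware performance counter, page faults, or SIGSEGV deliveries), the threshold of 1000 faults per second, the two-window requirement, the allowlist and the process names are all assumptions chosen for the demonstration; the sample readings are constructed.

```python
"""Detect-and-respond loop for a per-process fault-rate anomaly (illustrative).

Constructed example, not Capsule8 code. The counter being sampled (page faults,
SIGSEGV deliveries, or a hardware performance counter such as cache misses),
the threshold and the process names are all assumptions chosen for the demo.
"""
import os
import signal
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Sample:
    ts: float      # wall-clock seconds at which the counter was read
    pid: int
    comm: str      # process name, as in /proc/<pid>/comm
    faults: int    # cumulative count of the chosen fault/exception counter


class FaultRateDetector:
    """Flags a process whose fault rate stays above a threshold for several
    consecutive samples. Requiring consecutive windows suppresses one-off
    spikes (a large mmap, a JIT warming up) that a single sample would flag."""

    def __init__(self, threshold: float = 1000.0, windows: int = 2,
                 allowlist: Optional[Set[str]] = None) -> None:
        self.threshold = threshold             # faults per second (assumed value)
        self.windows = windows                 # consecutive windows required
        self.allowlist = set(allowlist or ())  # comm names expected to fault a lot
        self._last: Dict[int, Tuple[float, int]] = {}
        self._strikes: Dict[int, int] = defaultdict(int)

    def observe(self, s: Sample) -> bool:
        """Feed one sample; return True when the process should be acted on."""
        prev = self._last.get(s.pid)
        self._last[s.pid] = (s.ts, s.faults)
        if prev is None:
            return False                       # first sight: nothing to compare to
        dt = s.ts - prev[0]
        delta = s.faults - prev[1]
        if dt <= 0 or delta < 0:
            # Out-of-order sample, or the counter went backwards (pid reused
            # after an exit): do not trust this delta, start over for this pid.
            self._strikes[s.pid] = 0
            return False
        rate = delta / dt
        if rate > self.threshold and s.comm not in self.allowlist:
            self._strikes[s.pid] += 1
        else:
            self._strikes[s.pid] = 0           # the rate has to be sustained
        return self._strikes[s.pid] >= self.windows


def kill_process(pid: int) -> None:
    """Default response: terminate the offending process."""
    os.kill(pid, signal.SIGKILL)


def run(samples: Iterable[Sample], detector: FaultRateDetector,
        respond: Callable[[int], None] = kill_process) -> List[int]:
    """Drive the detector over a sample stream; returns the pids responded to."""
    acted: List[int] = []
    for s in samples:
        if s.pid in acted:
            continue                           # already terminated, ignore stragglers
        if detector.observe(s):
            respond(s.pid)
            acted.append(s.pid)
    return acted


# Constructed counter readings, one per second. pid 4242 behaves like a
# Meltdown/Spectre proof-of-concept hammering faulting accesses; nginx has a
# single benign spike at t=2; node is JIT-heavy and therefore allowlisted.
SAMPLES = [
    Sample(0.0, 1001, "nginx", 1200),
    Sample(0.0, 4242, "poc", 0),
    Sample(0.0, 3003, "node", 50000),
    Sample(1.0, 1001, "nginx", 1250),    # 50/s
    Sample(1.0, 4242, "poc", 80000),     # 80000/s, strike 1
    Sample(1.0, 3003, "node", 60000),    # 10000/s but allowlisted
    Sample(2.0, 1001, "nginx", 5000),    # 3750/s one-off spike, strike 1
    Sample(2.0, 4242, "poc", 165000),    # 85000/s, strike 2 -> respond
    Sample(2.0, 3003, "node", 72000),
    Sample(3.0, 1001, "nginx", 5050),    # back to 50/s, strikes reset
    Sample(3.0, 4242, "poc", 250000),    # ignored, already terminated
]

if __name__ == "__main__":
    # Dry run: log instead of killing so the demo is safe to execute anywhere.
    acted = run(SAMPLES, FaultRateDetector(allowlist={"node"}),
                respond=lambda pid: print(f"would SIGKILL pid {pid}"))
    print("responded to:", acted)   # responded to: [4242]
```

In a real deployment the samples would come from perf or an eBPF program rather than a constructed list, the threshold would be baselined per workload rather than hard-coded, and the response would be gated on a policy, since an unconditional SIGKILL is itself a denial-of-service risk if the detector is wrong. The injectable `respond` callable exists so the same logic can run in alert-only mode first.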
Capsule8 is the only company providing high-performance attack protection for Linux production environments – whether containerized, virtualized, or bare-metal. Capsule8 liberates SecOps from managing a high volume of manual tasks, while being safe for even the busiest workloads, on the busiest networks.