Virtual Patching: What Is It and Why Is It Foundational for Keeping Home and Small Business Networks Secure?

Nadav Liebermann|

Virtual Patching: What Is It and Why Is It Foundational for Keeping Home and Small Business Networks Secure?

Nadav Liebermann|

Security vulnerabilities are the cause of most cyber security attacks. Hackers exploit vulnerabilities in software to propagate malware, steal information, and infiltrate computer networks.

Vulnerabilities arise from errors in software implementation. While these errors mostly cause bugs which are merely an inconvenience for users, some open a door to malicious activity. The most severe vulnerabilities allow attackers to gain complete control over computers, servers and devices.

Vulnerabilities are present in almost any software at one point or another. Even large well-established vendors are not immune. For example, Microsoft is known to release a monthly patch for vulnerabilities, known as “Patch Tuesday.” Apple constantly releases security updates for their software, with the latest iOS release, iOS 14.6, fixing at least 43 different vulnerabilities [1].

There is a critical window between the time a vulnerability is detected and an update is released by the vendor when attackers can exploit the vulnerability. Virtual patching solutions were created as a response to the challenges that network administrators face of having to keep up with monitoring potential vulnerabilities as numerous products are deployed, particularly in large organizations.

Virtual Patching
Virtual patching is a method used by security vendors to protect devices against the latest vulnerability threats, without patching the application itself. Usually, an IPS or a next-gen firewall will scan network traffic to detect attacks and block them before they reach the vulnerable application. Thus, even though the application is not actually updated against the latest threats, it is still protected from them.
Most commonly, virtual patching is deployed in larger organization and enterprise network environments.

A few of the benefits include:
  • Additional time for developers to effectively and permanently fix vulnerabilities
  • Minimal costly business downtime
  • Another level of security that covers legacy systems and other areas where fixes are no longer issued [2]
 
Vulnerabilities in IoT devices

Over the past few years, home and small business networks have grown significantly, today resembling a network comparable to those of small organizations. There are more than 20 devices on average per household, and an average of 7 smart connected devices.
Similar to software, IoT devices are susceptible to vulnerabilities that come with some unique challenges:

  • Relatively low quality of code and subpar security practices.
  • Many devices do not update automatically, and the user is unaware when an update is available. Sometimes even critical security vulnerabilities are left unpatched by the vendor for years [3].
  • Lack of central management and visibility.

 

Vulnerabilities in IoTs mostly appear when a device exposes one or more services to the network. Examples of such services include:

  • Management – Smart devices will often include a web-based interface for basic management and configuration. These web interfaces are the most common vector of attack on IoT devices.
  • Video Streaming – Network cameras will expose a streaming service, (using RTSP protocol or similar) to enable users to view the camera’s feed in real time.
  • Voice – IP phones use the SIP protocol to deliver phone calls over the network.
  • Discovery – Smart devices use auto-discovery protocols such as UPNP to discover each other’s presence on the network.

 

To date, vulnerabilities have been discovered in all of the above services. According to our analysis of IoT vulnerabilities from the past years, 40% allow complete takeover of the device, and 30% more reveal sensitive information or allow bypassing authentication.

Mirai malware continues to attack IoTs

The Mirai malware has been targeting IoT devices since 2016. Variants of the malware have popped up several times, each time targeting a different set of devices. A variant from 2020 called “Mozi” is targeting routers and DVRs [4], while a more recent variant is targeting routers, NAS, and other unknown IoT devices [5].

Virtual Patching for IoT devices

Traditionally virtual patching has been used to secure larger enterprise networks; however, it can also be applied to IoT devices on unmanaged networks. The benefits include:

  • No need to manually update IoT devices when an update becomes available.
  • Protection against zero-day attacks which are not yet publicly known.
  • Protection for older IoT devices that are no longer supported by the vendor.

 

As part of SAM’s security solution, we provide IoT-focused virtual patching. Our solution is unique in the following ways:

  • Detection of zero-day vulnerabilities in addition to hundreds of known ones.
  • Automatic device discovery and identification. Our device fingerprinting, automatically discovers and identifies all IoT devices on the network. The virtual patching mechanism then applies protection on a per device basis, giving greater granularity and control over blocked vulnerabilities.
  • Lightweight. Major optimizations were implemented to allow the virtual patching solution to run on low-end gateways such as the ones found on smaller networks. As an example, our solution uses 4-times less RAM memory than Suricata, a popular open source IPS solution.

 

Sources
[1] https://support.apple.com/en-il/HT201222
[2] https://www.trendmicro.com/vinfo/us/security/news/security-technology/security-101-virtual-patching
[3] https://securingsam.com/hackers-erase-user-data/
[4] https://blog.lumen.com/new-mozi-malware-family-quietly-amasses-iot-bots/
[5] https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/

Skip to content