Surviving 0-days: reducing the window of exposure
Andreas Lindh, 44Con 2013
About me
• Security analyst/architect
• Defender by day
• @addelindh on Twitter
The TL;DR
0-days
Timeline: Unknown -> Discovery -> Disclosure -> Patch available -> Patch deployed
Up to disclosure: out of our control. From disclosure on: in our control.
The window of exposure: the span from discovery until the patch is deployed.
Common protection
• Patching
• Virtual patching
• Uninstall
How hard can it be?
Pretty hard!
What if you can’t patch?
• Legacy systems
• 3rd party systems
• Insufficient tools
Timeline again: Unknown -> Discovery -> Disclosure -> Patch available -> Patch deployed
Up to disclosure: out of our control. From disclosure on: in our control.
HD Moore’s law
• Casual attacker power grows at the rate of Metasploit (Josh Corman)
Defense in depth
Concept
Implementation
Meanwhile...
Which leaves us with...
Are we on it?
“Put another way, n people want to fix security holes, 10n people want to exploit security holes, and 100000n want Tetris.” (Dan Kaminsky)
What to do?
Root cause
• Over-reliance on patching
• Network-centric defense architecture
• All about prevention
Firewall all the things?
Things to consider
• Exposure
• Attack likelihood
• History
• Patch status
Approach
• Prevention
• Mitigation
• (Detection)
1. Build
Focus
• Proactive
• Inside -> out
• Onion style
• Reusable (ideally)
An example
Layers in the onion (software at the centre):
• Software
• Sandbox
• OS security features
• Software restriction policy
• Intermediary channels
• Endpoint protection
• User permissions
• IPS
Pros and cons
• Pros
– Improved security baseline
– Reduced impact
– Pro-active
• Cons
– Generic
– Added complexity
2. React
INCIDENT! (disclosure)
React!
Incident timeline
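The point of the incident timeline is that a reactive, vulnerability-specific mitigation closes the window of exposure well before the patch is deployed, and that for systems that cannot be patched at all it is the only thing that closes it. The following is an added worked example, not code from the talk: it models the timeline dates from the slides (discovery, disclosure, patch available, patch deployed, plus a mitigation date for step 2) and computes the window with and without the reactive step. System names, dates and the reference date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class VulnTimeline:
    """Dates for one vulnerability on one system. None means it has not happened."""
    system: str
    discovery: date                              # earliest known discovery or attacker use
    disclosure: Optional[date] = None            # public; "out of our control" ends here
    patch_available: Optional[date] = None
    patch_deployed: Optional[date] = None
    mitigation_deployed: Optional[date] = None   # step 2 "React": SRP rule, virtual patch, ...


def _earliest(*dates: Optional[date]) -> Optional[date]:
    known = [d for d in dates if d is not None]
    return min(known) if known else None


def exposure_window(t: VulnTimeline, today: date) -> Dict[str, object]:
    """Days the system was exploitable, counted from discovery.

    Without the reactive step the window closes only when the patch is deployed;
    with it, at whichever of mitigation or patch lands first. A window that is
    still open is measured up to `today` and flagged.
    """
    if t.discovery > today:
        raise ValueError("discovery date is in the future")
    any_close = _earliest(t.patch_deployed, t.mitigation_deployed)
    without = ((t.patch_deployed or today) - t.discovery).days
    with_mitigation = ((any_close or today) - t.discovery).days
    return {
        "system": t.system,
        "out_of_our_control_days": ((t.disclosure or today) - t.discovery).days,
        "window_without_mitigation_days": without,
        "window_days": with_mitigation,
        "days_saved_by_mitigation": without - with_mitigation,
        "still_open": any_close is None,
    }


def fleet_status(timelines: List[VulnTimeline], today: date) -> Dict[str, str]:
    """Classify each system by what currently stands between it and a closed window."""
    status: Dict[str, str] = {}
    for t in timelines:
        if exposure_window(t, today)["still_open"] is False:
            status[t.system] = "closed"
        elif t.disclosure is None:
            status[t.system] = "undisclosed: out of our control, rely on step 1 (Build)"
        elif t.patch_available is None:
            status[t.system] = "no patch: mitigate now (step 2, React)"
        else:
            status[t.system] = "patch pending: deploy patch or mitigate now"
    return status


# Constructed sample data (not real incidents); reference date is arbitrary.
TODAY = date(2013, 9, 12)
SAMPLE = [
    VulnTimeline("workstation-fleet", date(2013, 8, 1), date(2013, 8, 15),
                 date(2013, 8, 20), date(2013, 9, 10), mitigation_deployed=date(2013, 8, 16)),
    VulnTimeline("legacy-hmi", date(2013, 7, 1), date(2013, 7, 20),
                 mitigation_deployed=date(2013, 7, 22)),           # no patch will ever come
    VulnTimeline("vendor-appliance", date(2013, 9, 1), date(2013, 9, 5),
                 patch_available=date(2013, 9, 10)),              # patch exists, not deployed
    VulnTimeline("unknown-0day", date(2013, 9, 10)),              # not yet disclosed
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(exposure_window(t, TODAY))
    print(fleet_status(SAMPLE, TODAY))
```

The "legacy-hmi" entry is the unpatchable case from the talk: without a mitigation its window simply never closes, so the reactive step is what turns an open-ended exposure into 21 days. The "undisclosed" classification is the reminder that nothing specific can be done before disclosure; only the generic layers built in step 1 apply there.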
Focus
• Specific vulnerability
• Fast implementation
• Input to #1
Pros and cons
• Pros
– Timely mitigation
– Focused approach
– Complements #1
• Cons
– Limited time
– Reactive
Wrapping it up
• Patching takes time
• Can’t patch the unknown
• Traditional controls are often insufficient
Let’s build!
Thank you for listening!
Questions?