Virtual patching is a security technique that uses policies, rules and security tools to block access to a vulnerability until it can be patched. It is a multilayered security system used to prevent cybercriminals from exploiting both known and unknown vulnerabilities. This is important in cybersecurity because delaying or deferring the application of patches can be risky. In 2019, 60% of breaches were due to unapplied security patches.
Table of Contents
What is Virtual Patching
Virtual patching bypasses the complex and time-consuming process of developing and deploying patches by using rules, mitigations and protective steps, often at the IPS or firewall level, to shore up networks to prevent attackers or malware from accessing these vulnerabilities. Virtual patches are similar to vendor patches in the sense that they protect against specific exploits. The main difference is that a virtual patch is deployed at the network level, typically using an IPS or firewall rule, instead of the device or asset that contains the vulnerability.
How Does Virtual Patching Work
Virtual patching works by implementing layers of security policies and rules that prevent and intercept an exploit from taking network paths to and from a vulnerability. It bypasses the complex and time-consuming process of developing and deploying patches by using rules, mitigations and protective steps, often at the IPS or firewall level, to shore up networks to prevent attackers or malware from accessing these vulnerabilities. Virtual patches are similar to vendor patches in the sense that they protect against specific exploits. The main difference is that a virtual patch is deployed at the network level, typically using an IPS or firewall rule, instead of the device or asset that contains the vulnerability.
Virtual patching can be particularly useful for zero-day threats and legacy systems where vulnerabilities can be created for which no patch may exist for some time, if ever. In those cases, security teams can block a potential attack path until a permanent fix can be found.
Why Use Virtual Patching
Virtual patching helps organizations overcome some of the challenges associated with traditional patch management. For example, regularly installing updates is a good practice, but many organizations find the patching process slow, disruptive, and costly. Some opt to postpone it or do away with it altogether to avoid operational downtime. Virtual patching can provide an additional layer of protection while the organization works on testing and deploying the necessary patches.
Virtual Patching Tools
Virtual patching can be done by using several different tools. For instance, intermediary devices such as web application firewall (WAF), intrusion prevention system (IPS), web server plugin such as ModSecurity, and application layer filter such as ESAPI WAF can be used for virtual patching. Examples of automated virtual patch creation tools are OWASP ModSecurity Core Rule Set (CRS) Scripts, ThreadFix Virtual Patching, and Direct Importing to WAF Devices provided by many vendors.
- Web Application Firewalls (WAF): WAFs can offer virtual patching capabilities by inspecting web traffic and applying rules to detect and block potential attacks. They can identify and filter out malicious requests targeting vulnerabilities in web applications.
- Intrusion Prevention Systems (IPS): IPS solutions can provide virtual patching functionality by monitoring network traffic and applying rules to detect and block known attack patterns. They can actively block or modify incoming packets that exploit vulnerabilities.
- Virtual Patching Appliances: These are specialized security appliances that focus on virtual patching. They sit between the vulnerable application or system and the network, intercepting and modifying traffic to block attacks targeting specific vulnerabilities.
- Virtual Patching Software: Some software solutions are specifically designed to provide virtual patching capabilities. They work by analyzing the behavior of applications and systems and applying temporary fixes or mitigations to known vulnerabilities.
- Runtime Application Self-Protection (RASP): RASP tools embed security mechanisms directly into applications or systems, providing real-time protection against attacks. They can detect and mitigate vulnerabilities as they are being exploited, effectively providing virtual patching.
Virtual patching is the process of creating and implementing a temporary policy to mitigate exploitation risks associated with new security vulnerabilities.
Virtual patching solutions like WAFs and IPSs work by analyzing transactions and intercepting attacks in transit, so malicious traffic never reaches the web application.
Virtual patching is useful in real-world scenarios where traditional patching is difficult or impossible, such as when developers are already allocated to other projects, when code cannot be modified by the user, or when changes would require a new project.
Common tools used for virtual patching include WAFs, IPSs, and web server plugins.
Virtual patching is an important tool in today’s cybersecurity landscape because it allows organizations to quickly and effectively protect their applications from known vulnerabilities without having to change the code. By using virtual patching, organizations can reduce their risk of exploitation and improve their overall security posture.
It’s important to note that virtual patching is not a substitute for timely patching and updates. It should be seen as a temporary measure to protect against immediate threats while waiting for official patches or fixes to be applied. Organizations should always prioritize applying official patches as soon as they become available to ensure long-term security.