Surviving 0-daysreducing the window of exposure

Andreas Lindh, 44Con 2013

About me

• Security analyst/architect

• Defender by day

• @addelindh on Twitter

The TL;DR

0-days

Disclosure Patch available Patch deployed

Out of our control In our control

Unknown

Discovery

The window of exposure

Common protection

• Patching

• Virtual patching

• Uninstall

How hard can it be?

Pretty hard!

What if you can’t patch?

• Legacy systems

• 3rd party systems

• Insufficient tools

Disclosure Patch available Patch deployed

Out of our control In our control

Unknown

Discovery

HD Moore’s law

Defense in depth

Concept

Implementation

Meanwhile...

Which leaves us with...

Are we on it?

"Put another way, n people want to fix

security holes, 10n people want to

exploit security holes, and 100000n

want Tetris.” (Dan Kaminsky)

What to do?

Root cause

• Over-reliance on patching

• Network-centric defense

architecture

• All about prevention

Firewall all the things?

Things to consider

• Exposure

• Attack likelihood

• History

• Patch status

Approach

• Prevention• Mitigation• ( Detection)

1. Build

Focus

• Proactive

• Inside -> out

• Onion style

• Reusable (ideally)

An example

Software

Sandbox

OS security features

Software restriction

policy

Intermediary channels

Endpoint protection

User permission

s

IPS

Pros and cons

• Pros– Improved security baseline

– Reduced impact

– Pro-active

• Cons– Generic

– Added complexity

2. React

INCIDENT!

React!

(disclos

ure)

Incident timeline

Focus

• Specific vulnerability

• Fast implementation

• Input to #1

Pros and cons

• Pros– Timely mitigation

– Focused approach

– Compliments #1

• Cons– Limited time

– Reactive

Wrapping it up

• Patching takes time

• Can’t patch the unknown

• Traditional controls are

often insufficient

Let’s build!

Thank you for listening!

Questions?