Traditional security measures are reactive in nature and fail to provide sufficient protection for web servers and web applications, leaving organizations exposed to unnecessary risk. They rest on the assumption that all vulnerabilities and attack methods are disclosed to the public.
But malicious hackers also research vulnerabilities. Would you trust a malicious hacker to reveal his tools and tricks? Would you make that a prerequisite for your protection to be effective?
The solution: Think positive
In order to deal effectively with the growing threat from the internet to your business you need to employ a positive security model, which defines the allowable requests and inputs and disallows everything else. This approach provides protection against unknown threats simply because they are not on the white-list and are therefore disallowed.
The working basis of the positive security model is that everything is forbidden unless explicitly allowed. In the context of Profense™ this means that only allowed requests are forwarded to the web system - that is, requests for the web pages, applications, parameters etc. which you allow. This positive security approach is proactive because you base your protection on known information, the business content you want your web system to make available, rather than on attack signatures and other potentially unknown or outdated information.
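The following Python example is added here to illustrate the positive security model described above; it is not code from the original page or from the Profense product. It assumes a hypothetical web shop whose allowed pages, methods, parameters and parameter value shapes are written down as a constructed policy (POLICY), and places a small signature-based (negative) filter beside it so the difference in behaviour on requests that match no known signature can be seen. Both filters decide on the fully assembled HTTP request rather than on individual packets.

```python
import re
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlsplit

# Positive model: the business content we intend to expose. Constructed policy for a
# hypothetical application; everything not listed here is forbidden.
POLICY: Dict[Tuple[str, str], Dict[str, "re.Pattern[str]"]] = {
    ("GET", "/products"): {
        "category": re.compile(r"[a-z]{1,20}"),
        "page": re.compile(r"\d{1,3}"),
    },
    ("GET", "/products/view"): {"id": re.compile(r"\d{1,8}")},
    ("POST", "/login"): {
        "user": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
        "password": re.compile(r".{1,128}"),
    },
}

# Negative model: a constructed, deliberately short signature list. It can only block
# what its authors already knew about when it was written.
SIGNATURES = [re.compile(r"<script", re.IGNORECASE)]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path, params).

    Query-string parameters and form-encoded POST body parameters are merged so that
    the policy is checked against the whole request, not against single packets.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n")[0]
    parts = request_line.split(" ")
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if method == "POST":
        params.update(parse_qsl(body, keep_blank_values=True))
    return method, url.path, params


def positive_decision(raw: str) -> Tuple[bool, str]:
    """Allow only requests that match the white-list; explain each refusal."""
    method, path, params = parse_request(raw)
    allowed = POLICY.get((method, path))
    if allowed is None:
        return False, f"no rule for {method} {path}"
    for name, value in params.items():
        pattern = allowed.get(name)
        if pattern is None:
            return False, f"unexpected parameter {name!r}"
        if pattern.fullmatch(value) is None:
            return False, f"parameter {name!r} has an unexpected value"
    return True, "matches policy"


def negative_decision(raw: str) -> Tuple[bool, str]:
    """Block only requests containing a known signature; everything else passes."""
    for signature in SIGNATURES:
        if signature.search(raw):
            return False, f"matched signature {signature.pattern!r}"
    return True, "no known signature"


# Constructed sample requests (not captured traffic).
REQUESTS = {
    "legitimate": "GET /products?category=books&page=2 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "login": (
        "POST /login HTTP/1.1\r\nHost: shop.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&password=s3cret"
    ),
    "known_bad": "GET /products?category=<script>x</script> HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "unknown_param": "GET /products/view?id=42&debug=true HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "unlisted_path": "GET /admin/export HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}


def decide_all() -> Dict[str, Tuple[bool, bool]]:
    """Return, per sample request, (allowed by positive model, allowed by negative model)."""
    return {
        name: (positive_decision(raw)[0], negative_decision(raw)[0])
        for name, raw in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(f"{name:14s} positive={positive_decision(raw)}  negative={negative_decision(raw)}")
```

The two requests that carry no known signature (an extra parameter the application never defined, and a path that was never provisioned) pass the signature filter untouched but are refused by the policy, without anyone having had to anticipate them. The policy as written checks only that every parameter present is known and well-formed; requiring mandatory parameters would be a small extension of the same idea.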
Food for thought
Patching is a reactive security process which only protects the organization's web systems from publicly known vulnerabilities. From the time a vulnerability is disclosed until a patch is developed and actually applied, critical internet-exposed systems are vulnerable. This is known as the "window of exposure". Any attacker with knowledge of the vulnerability or a working exploit can gain unauthorized access to vulnerable systems and data. Vulnerabilities can be exploited by worms, by viruses or through a targeted attack.
The network firewall is a (sophisticated) filter working at the network level. In this context its primary function is to ensure that only systems meant to be internet-exposed are accessible from the internet, e.g. web servers. Traffic to web servers, benign or malicious, is indiscriminately passed through. Some firewall vendors claim to provide protection at the application level because they are able to inspect the payload of packets and identify attacks based on signatures or other heuristic methods. However, network firewalls do not aggregate the packets into full requests and check whether each request is valid in the context of a particular application. They therefore cannot determine whether a stream of packets together forms an attack exploiting a specific vulnerability or misconfiguration of an application or application server.
Intrusion Detection Systems (IDS)
IDSs are truly reactive. An IDS passively monitors network traffic and generates an alert when potentially malicious traffic is detected (based on attack signatures, heuristic methods and other statistical methods). An IDS helps you determine what happened.
Intrusion Prevention Systems (IPS)
IPSs are less reactive in the sense that they claim to block malicious traffic. An IPS relies on detecting the malicious traffic based on attack signatures, heuristic and other methods, and suffers from the same shortcomings as all other signature-based systems: it only protects against known attacks and requires constant updating of the attack signatures. An IPS is thus vulnerable to zero-day attacks exploiting undisclosed vulnerabilities for which no patches or workarounds have been made available.