Making a case for virtual patching

The period during which businesses work to install security patches to protect IT systems from attack undeniably remains one of the most vulnerable timeframes for many companies — but a recently-launched startup selling a virtual patching alternative claims to have found a solution to the problem.

Dubbed Sentrigo and launched in Nov. 2006, the Israeli firm contends that by adding a layer of host-based activity monitoring and intrusion protection technology on top of almost any commercial database, it can beat back attempts to take advantage of both known vulnerabilities and so-called zero day flaws in the systems.

Rather than struggling to deploy the latest patch from Oracle, IBM, or any other database vendor quickly — and potentially throwing business-critical systems offline in the process — Sentrigo executives say that the virtual patching functionality built into its Hedgehog Enterprise package allows companies to stay protected while assessing their options.

While the company is only in the process of signing up its initial customers, its leaders maintain that the firm can quickly become a major player in the database security market simply through the addition of virtual patching to other more traditional tools.

Because the technology sits on top of the database itself and becomes conditioned to the type of activity such a system experiences on a daily basis, the product can easily spot any suspicious commands and block attacks in real time, Sentrigo officials said.

Sophisticated database hacks, often delivered in the form of hard-to-notice Trojan threats, are frequently able to circumvent security systems by laying low until the moment they have been programmed to strike.

By using virtual patching to defend the very flaws such attacks try to take advantage of at the time they are being exploited, said Slavik Markovich, the company’s CTO, the problem can be essentially defeated.

“Turnaround of database patch deployment within enterprises can take months as everything is tested, and we also see a lot of vendors re-issuing patches, so there is a lot of grey area that hackers can take advantage of, and we see them actively trying to do this,” Markovich said. “Because our technology sits in the database monitoring transactions, it can respond immediately and use virtual patching to contain any vulnerabilities right as they’re being attacked.”

At least one other company, Blue Lane Technologies, has also begun offering virtual patching tools, but unlike Sentrigo, the vendor has not pieced the application together with other database security applications, such as vulnerability scanning and auditing.

Hedgehog’s virtual patching technique works by using a database’s operating system to access the machine’s shared memory, which it then scans directly, rather than using APIs to query the system, as many rival technologies would.

Selling virtual patching

Markovich said that he completed a straw poll of database administrators at a recent Oracle customer meeting and found that many enterprises were taking months and even years to get security patches in place, which he cited as a serious trend that has not yet received much publicity.

“During the downtime when the patch is out there but not deployed is one of the most dangerous situations you can think of, the hackers have all the information they need to break in and companies store most of their sensitive information in these databases,” he said. “We don’t see ourselves as an alternative to patching, you have to deploy those whenever possible, but we can provide reliable protection in the meantime.” Hedgehog was official released in June 2007 and is already being tested at several hundred firms, according to Sentrigo officials. The company is planning to release an extension to the product to help further protect database applications sometime in Sept. 2007.

At least one industry analyst said that they’ve been impressed by the additional layer of protection that virtual patching can offer on the database, particularly when toed together with other applications that broaden the technology’s footprint.

Eric Ogren, a longtime security analyst and founder of the Ogren Group, said that Blue Lane may struggle to find a market for its standalone virtual patching technology, which is marketed as an appliance, but he believes that the integrated approach being offered by Sentrigo could lure some interest from enterprise customers.

“This is like a database intrusion protection system, someone like Oracle won’t likely support its use, but some customers will run it, and with all the compliance demands out there that’s a pretty good idea,” Ogren said. “Especially when you combine the virtual patching with vulnerability scanning and auditing, it could be a nice differentiator for Sentrigo.”

The analyst said that along with Blue Lane, Sentrigo will likely compete with rival database security products offered by Imperva, Guardium, and Symantec, and that its technology remains a “nice to have,” rather than a “must have” for most organizations.

However, he said that there likely will be interest from the types of companies that have become traditional early adopters of newer security tools, including those companies under pressure from data security regulations, such as those in the retail, healthcare, and financial services industries.

“You can’t put something like this in every office around the world if you’re a large enterprise, but it would be nice to have in the data center,” Ogren said. “At the end of the day, customers still need to do patching, but this is just one more thing that can help them manage that arduous process.”