Third party patches and the layered security model
As I expected, Ross Brown responded to my question on 3rd party patches. His answer both surprised me, in that I think we actually agree on some things, and disappointed me, in that for the sake of pushing Blink (which does seem to be his latest crusade) he seems to have taken a very narrow approach to risk management and security that goes against a best-practices, layered approach to security. For this reason Ross wins my book of the month club award.
First, why I was surprised and agree with Ross. Third party patches are, as he says, not a great idea and a necessary evil that should be used sparingly. I agree and said as much in my earlier article. The reasons Ross cites are exactly the kind of things that I and others have said from the beginning: too many moving parts, too much risk, and not being familiar with the source code involved. Ross flat out says it is not worth the return from a business perspective. This of course is a little different than what we heard from eEye a few months ago, but to be fair, Ross was not CEO then. I wonder how much the rise of ZERT has influenced this decision, if at all. I will leave it to you all to decide. Here is my question to you, Ross: if this is not a business you want to be in, why don't you promote and help ZERT in their efforts?
Where I disagree with Ross is his answer to the zero day problem (oh no, not another answer to the zero day problem), Blink. In a nutshell, Ross's arguments for Blink are similar to those made most popular by TippingPoint, but by others as well. Namely, that patching is a losing battle, that other security technologies are rendered superfluous by their favored product and that they have the magic bullet. TippingPoint claims digital vaccines and all kinds of other zero day protection that will allow you to apply patches in your spare time, when you get around to it. Now Ross is giving us the same spiel. Any time I hear the magic bullet speech, the hairs on my neck stand up (my neck is one of the few places I still have hair near my head) and I fight back the urge to puke. Ross says that in fact Blink is so good they are coming out with server versions next. Geez, maybe they should change the name from Blink to Stare, you know, always on versus on and off.
Sounds to me like eEye wants to take on ISS and Cisco in the host-based protection market. However, what Ross appears to be missing, or at least is not saying, is that host-based protection alone is never going to be enough. The same way network-based IPS is never enough by itself, which is why you see TippingPoint adding UTM-type functionality to their lineup. ISS positions host-based protection as just one piece of the total security answer. Frankly, the host-based market has several good products. ISS, Cisco and McAfee are but three vendors that have quality offerings. However, none of them claim it to be the be-all and end-all. Ross, there is no Santa Claus, there is no Tooth Fairy and there is no silver bullet in security. You can tout your product as a great selection in its class all you want, but when you over promise, you can only under deliver. A good layered security model is still the best bet for anyone serious about reducing their risk and securing their network.
Editor's Note: Of course I made this picture from the great book Blink, by Malcolm Gladwell





