A virtual patch lets administrators review, test and schedule official patch updates without leaving the system at risk in the intervening period. Unlike traditional patching, it allows an application to be patched without touching the application or its libraries, the operating system or even the system it is running on. Virtual patching aims to fix a problem by altering or eliminating the vulnerability by controlling either the inputs into or the outputs from the application.
A common method of implementing a virtual patch is to place a proxy or in-line packet manipulator in front of the application to control its inputs or outputs, preventing or eliminating the dangerous behavior until the actual source code can be updated or fixed. An alternative approach is to change the application's runtime code, but this can introduce new risks or problems.
A benefit of virtual patching is that a patch can be crafted based solely on known safe behavior for an application. This is especially useful when nothing is known about how the actual attack works, such as when vendors are reluctant to discuss the specific nature of a particular threat. You can create virtual patches that prevent the attack and also implement rules that define trusted behavior, thereby adding an extra layer of security. For example, an output patch could prevent an application from exposing sensitive information by dropping the connection or by allowing it to output only certain content.
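The following sketch is an added example, not code from the original answer: a WSGI wrapper standing in for the in-line proxy, with an input rule built only from known safe parameter shapes and an output rule that withholds a response instead of letting it leave. The endpoint `/report`, its parameters, the `RULES` table and the `LEAK` pattern are all hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical rule set: the known-safe shape of each parameter of one endpoint.
RULES = {"/report": {"id": re.compile(r"[0-9]{1,8}"),
                     "fmt": re.compile(r"pdf|csv")}}
# Hypothetical output rule: withhold bodies containing a 13-16 digit run.
LEAK = re.compile(rb"\b\d{13,16}\b")

def input_allowed(path, query):
    """True only if every parameter matches the known-safe shape."""
    rules = RULES.get(path)
    if rules is None:
        return True  # endpoint is not covered by this virtual patch
    seen = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = rules.get(name)
        # Reject unknown names, repeated names and malformed values.
        if rule is None or name in seen or not rule.fullmatch(value):
            return False
        seen.add(name)
    return True

class VirtualPatch:
    """Wraps the unmodified application; no application code is touched."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not input_allowed(path, environ.get("QUERY_STRING", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by virtual patch\n"]
        captured = {}
        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers
        # Buffer the whole response so it can be inspected before release.
        body = b"".join(self.app(environ, capture))
        if LEAK.search(body):
            start_response("502 Bad Gateway", [("Content-Type", "text/plain")])
            return [b"response withheld by virtual patch\n"]
        headers = [(k, v) for k, v in captured["headers"]
                   if k.lower() != "content-length"]
        headers.append(("Content-Length", str(len(body))))
        start_response(captured["status"], headers)
        return [body]
```

Neither rule encodes anything about a specific exploit, so the same patch holds even when the attack details are undisclosed; the cost is that legitimate inputs outside the allowlist are rejected until the rules are widened.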
There is no doubt that a virtual patch is an extremely valuable technique that can be used to provide immediate protection against identified vulnerabilities. To make the most of this patching approach, you need to stay up to date with vendor or public vulnerability disclosures and conduct your own code reviews and vulnerability assessments. Of course, if you actually suffer a security incident, virtual patching can prove to be invaluable, as you have to respond to such an event immediately. Virtual patching, however, is not an alternative to patching. You will still have to deploy official patches whenever possible and practical, but a virtual patch can provide reliable protection in the interim. It's probably not realistic to implement virtual patching across a large deployment of desktops, but servers and data centers can certainly benefit from the quick fix it can provide.