Zero-day tracker a hit, but IT shops need better strategy

So it's no surprise that bloggers are reacting happily to news that Aliso Viejo, Calif.-based eEye Digital Security launched a new zero-day tracker to help IT administrators stay on top of things.

But as some security professionals noted, the tracker won't be of much use unless IT shops already have a system in place to deal with the growing threat.

Ross Brown, eEye's CEO, explained in his blog why the tracker was created and how it works.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected]. Recent columns: Oracle answers its security critics Zango defying FTC agreement, researchers say Is the SANS Top 20 still useful?

"As a company that invests [its] primary research in security, we often have a unique perspective that transcends the typical analysis of malware trends or outbreaks," he wrote. That being the case, he added, it made sense to create a site that not only tracks information on zero-day threats but also investigates ways to defend against them.

He said another unique aspect of the site is how the research team dissects the zero-day flaws for exploitability to determine exactly how attackers are using the vulnerability. He said the analysis of the ASX Playlist and ADODB.Connection ActiveX flaws are a good example.

"In the case of the ASX Playlist, this zero-day is being actively used, but it was reported as a denial-of-service attack only," Brown said. "Our research team has investigated the exploit and found it to be remotely exploitable, which is obviously of a higher concern than just a denial-of-service attack."

Brown said the site will never provide proof-of-concept code or materials that would make it easier for attacks to occur. The goal is to investigate what has already been publicly disclosed "to understand the vectors of attack fully and give customers protection strategies."

Like Symantec Corp.'s DeepSight threat monitoring service and the Bethesda, Md.-based SANS Internet Storm Center Web site, blogger Andrew S. Baker wrote in his Talking Out Loud with ASB blog that the zero-day tracker is an example of online resources IT professionals should be taking advantage of.

"These information security resources can go a long way to improving your visibility of threats [and] enabling you to make better determinations of risk for yourself and your environment," he said.

A North Carolina-based blogger who goes by the online name cctech praised eEye for launching the tracker in his Technology, SEO and Web Design blog.

"In hindsight, this is such a great idea and I cannot figure out why no one did this already," he wrote. When mentioning the number of zero-days being tracked to date, he noted that Patch Tuesday is next week and that a few items may be crossed off the list. But, he added, more zero-day flaws may appear the day after Tuesday's patch release, as has been the trend this year.

That being the case, some bloggers lamented the fact that there are companies out there lacking a basic program to confront zero-day threats. Without that, they said, a daily tracker isn't of much use.

"Most organizations wouldn't know how to defend against a zero-day even if they knew about it," Mike Rothman, president and principal analyst of Security Incite in Atlanta, Ga., wrote in his Daily Incite blog. "These folks don't have the right defenses in place, they couldn't develop their own IPS signature [and] basically they are sitting ducks until their vendors update the products."

That, he said, is why a layered security model is so important. He directed his readers to a list of recommended actions security researcher Michael Wright put in his MCW Research blog.

The eEye tracker "is without a doubt a valuable service," Wright wrote. "But I doubt the vast majority of enterprise networks honestly have the resources and infrastructure in place to address zero-day mitigation."

To get there, Wright said IT shops need:

• User policies that are well known, well trained and well enforced;
• A user training program that teaches users how to safely surf, safely check email, etc.;
• Behavior-based NIPS and HIPS;
• An ability to block ActiveX controls enterprise-wide;
• Aggressive, near-draconian firewall rules;
• Patch management procedures that enable fast deployment when a zero-day fix is released; and
• A documented, tested incident response plan.