Why Oracle & SAP Security Patches Can Never Protect Your Systems
Oracle and SAP regularly provide security patches for their current product versions to protect their customers from new security vulnerabilities as they arise. In the past, this approach was “best practice” but largely because it was the only choice.
This method of security patching is hopelessly out of date; it is dependent on the vendor identifying loopholes within their code. Often, vendors identify these because one or more of their customers has suffered an attack. This is a very reactive approach. What’s more, the vendors only provide patches for the latest supported versions of their software. Almost all customers run a variety of older software versions and are quite happy with them, except of course for the lack of any security updates from the manufacturers. See the recent articles published by Computing on a critical security flaw in Oracle Identity Manager and a critical PeopleSoft applications vulnerability.
“Vendor security patching is like finding that you have a leaky dam and plugging the holes as and when they appear by sticking your fingers in them”
Mark Smith, CEO, Support Revolution, speaking at the Gartner Summit on 21st September 2017 in London
Traditional software vendors have done their best for many years and provided fixes for many security vulnerabilities in their products. The trouble is that customers cannot possibly keep up with the speed at which threats are appearing; to do so, they would need to constantly patch or upgrade every system that they have. This is not feasible: applying vendor patches to test systems, going through system testing and user acceptance testing, and then rolling these changes through the various environments before they get onto the live system is a huge and onerous task.
But there is a solution. It’s obvious really when you think about it. You put in a new dam upstream of the old leaky dam.
In IT terms, this means putting protection all around your systems and then applying updates to that “fence”, thereby protecting everything within it. Simple.
Support Revolution’s “Advanced Security” is based on Trend Micro’s Deep Security solution which works in exactly this way. Deep Security was rated #1 in the Gartner 2017 Magic Quadrant for Endpoint Protection Platforms.
How It Works
Trend Micro Deep Security provides automated proactive security designed to address the relentless onslaught of vulnerabilities on a daily basis. Deep Security is comprised of a security management component and a very small footprint agent which sits on each server. The manager holds a database of vulnerability signatures which it communicates to each agent. The agent monitors traffic at the network level, scans for known vulnerability signatures, and either reports the incident or blocks the traffic.
As Deep Security is a rule-based system, new rules are published regularly and downloaded to a console with a “threat level”; the customer then chooses which updates to apply and when. The deployment of new rules has minimal impact on the production systems, which means the time between identifying a vulnerability and being protected is reduced from months to hours.
One example of this is the recent CVE-2017-9805 Apache Foundation vulnerability, which was identified in March 2017. Trend Micro subsequently released a new protection rule the same month; it took one of the tier one vendors six months to release a security patch mitigating this vulnerability.
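The manager, rule selection and agent modes described above can be modelled in a few lines. This is an added example, not Trend Micro's or Support Revolution's code; the class names, rule IDs, signatures and sample requests are all constructed for illustration.

```python
import re
from dataclasses import dataclass

LEVELS = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass(frozen=True)
class Rule:
    rule_id: str          # constructed ID, not a vendor rule number
    threat_level: str     # one of LEVELS
    header: re.Pattern    # must match the request headers
    body: re.Pattern      # must match the request body

class Manager:
    """Holds every published rule; the operator chooses what agents receive."""
    def __init__(self):
        self.published = []
    def publish(self, rule):
        self.published.append(rule)
    def select(self, min_level):
        floor = LEVELS[min_level]
        return [r for r in self.published if LEVELS[r.threat_level] >= floor]

class Agent:
    """Inspects raw HTTP requests before the unpatched application sees them."""
    def __init__(self, mode):
        if mode not in ("detect", "prevent"):
            raise ValueError("mode must be 'detect' or 'prevent'")
        self.mode, self.rules, self.events = mode, [], []
    def load(self, rules):
        self.rules = list(rules)
    def inspect(self, raw):
        head, _, body = raw.partition(b"\r\n\r\n")
        for r in self.rules:
            if r.header.search(head) and r.body.search(body):
                self.events.append(r.rule_id)   # a hit is logged in both modes
                return "block" if self.mode == "prevent" else "report"
        return "allow"

# Constructed signature: XML request body naming a process-launching Java class.
XML_EXEC = Rule("EX-0001", "critical",
                re.compile(rb"(?im)^content-type:\s*application/xml"),
                re.compile(rb"java\.lang\.(ProcessBuilder|Runtime)"))
# Constructed low-severity rule: matches on a header alone (empty body pattern).
NOISY = Rule("EX-0002", "low", re.compile(rb"(?im)^user-agent:\s*curl/"), re.compile(rb""))

# Constructed sample requests (not captured traffic).
HDR = b"POST /orders HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/xml\r\n\r\n"
BAD = HDR + b"<map><entry><java.lang.ProcessBuilder/></entry></map>"
GOOD = HDR + b"<order><id>42</id></order>"
```

Loading `Manager.select("high")` into an `Agent("prevent")` blocks `BAD` and passes `GOOD` without any change to the application behind it; the same rules in `"detect"` mode only record the hit.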
Trend Micro Deep Security provides comprehensive security in one solution that is purpose-built to provide virtual patching so there are no security gaps or performance impacts.
…and Support Revolution’s Advanced Security uses this solution and our expertise with Oracle and SAP software to provide a “best in class” solution for all of your major IT systems.