Rational Survivability

(On the advice of someone MUCH smarter than Ptacek or me [my wife] I removed the use of the F/S-bombs in this post.]

Holy crap.  Thomas Ptacek kicked me square in the nuts with his post here in regards to my commentary about Blue Lane’s PatchPoint.

I’m really at a loss for words.  I don’t really care to start a blog war of words with someone like Thomas Ptacek who is eleventy-billion times smarter than I’ll ever hope to be, but I have to admit, his post is the most stupid frigging illustration of derivate label-focused stubborness I have ever witnessed.  For chrissakes, he’s challenging tech with marketing slides?  He’s starting to sound like Marcus Ranum.

Thomas, your assertions about Patch Point (a product you’ve never seen in person) are innaccurate.  Your side-swipe bitch-slap commentary about my motivation is offensive.  Your obvious dislike for IPS is noted — and misdirected.  This is boring.  You assail a product and THEN invite the vendor to respond?  Dude, you’re a vendor, too.  Challenging a technology approach is one thing, but calling into question my integrity and motivation?  Back the hell up.

I just got back from an awesome gathering @ BeanSec!2 and Bourbon6 — so despite the fact that I’m going to hate myself (and this post) in the morning, I have to tell you that 4 of the people that read your post asked "what the hell?"  Did I piss in your corn flakes inadvertenly?

Let me just cut to the chase:

1) I worked with Blue Lane as a customer @ my last job while they were still in stealth.  That’s why the "start date" is befor the "live date"
2) When they went live, I bought their product.  The first, in fact.  It worked aces for me.
3) Call it an IPS.  Call it a salad dressing.  I could care less.  It works.  It solves a business problem.
4) I have ZERO interest in their company other than I think it solves said BUSINESS problem.
5) This *is* third party patching because they apply a "patch" which mitigates the exploit related to the vulnerability.  They "patch" the defect.
6) Your comment answers your own question:

You see what they did there? The box takes in shellcode, and then, by
“emulating the functionality of a patch”, spits out valid
traffic. Wow. That’s amazing. Now, somebody please tell me why that’s
any improvement over taking in shellcode, and then, by “emulating the
functionality of an attack signature”, spitting out nothing?

…ummm, hello!  An IPS BLOCKS traffic as you illustrate…That’s all. 

What if the dumb IPS today kills a valid $50M wire transaction because someone typed 10 more bytes than they should have in a comment field?  Should we truncate they extra 10 bytes or dump the entire transaction? 

IPS’s would dump the entire transaction because of an arbitrary and inexact instantiation of a flawed and rigid "policy" that is inaccurate.  That’s diametrically opposed to what security SHOULD do.

[Note: I recognize that is a poor example because it doesn’t really align with what a ‘patch’ would do — perhaps this comment invites the IPS comparison because of it’s signature-like action?  I’ll come up with a better example and post it in another entry]

Blue Lane does what a security product should; allow good traffic through and make specifically-identified bad traffic good enough.  IPS’s don’t do that.  They are stupid, deny-driven technology.  They illustrate all that is wrong with how security is deployed today.  If we agree on that, great!  You seem to hate IPS.  So do I.  Blue Lane is not an IPS.  You illustrated that yourself.

Blue Lane is not an IPS because PatchPoint does exactly what a patched system would do if it received a malicious packet…it doesn’t toss the entire thing; it takes the good and weeds the bad but allows the request to be processed.  For example, if MS-06-10000 is a patch that mitigates a buffer overflow of a particular application/port such that anything over 1024 bytes can cause the execution or arbitrary code from executing by truncating/removing anything over 1024 bytes, why is this a bad thing to do @ the network layer?

This *IS* a third party patch because within 12 hours (based upon an SLA) they provide a "patch" that mitigates the exploit of a vulnerability and protects the servers behind the applicance WITHOUT touching the host. 

When the vendor issues the real patch, Blue Lane will allow you to flexibly continue to "network patch" with their solution or apply the vendor’s.  It gives you time to defend against a potential attack without destroying your critical machines by prematurely deploying patches on the host without the benefit of a controlled regression test.

You’re a smart guy.  Don’t assail the product in theory without trying it.  Your technical comparisons to the IPS model are flawed from a business and operational perspective and I think that it sucks that you’ve taken such a narrow-minded perspective on this matter.

Look,  I purchased their product  whilst at my last job.  I’d do it again today.  I have ZERO personal interest in this company or its products other than to say it really is a great solution in the security arsenal today.  That said, I’m going to approach them to get their app. on my platform because it is a fantastic solution to a big problem.

The VC that called me about this today seems to think so, too.

Sorry dude, but I really don’t think you get it this time.  You’re still eleventy-billion times smarter than I am, but you’re also wrong.  Also, until you actually meet me, don’t ever call into question my honor, integrity or motivation…I’d never do that to you (or anyone else) so have at least a modicum of respect, eh?

You’re still going to advertise BeanSec! 3, right?

Hoff