– Dan Sarel, Vice President of Products at Sentrigo (www.sentrigo.com), says:
Hedgehog vPatch is useful for data centers
It boils down to providing protection for databases during a crucial period of time. Patches are regularly issued by database vendors to address known vulnerabilities in their DBMS software. But for a variety of reasons, enterprises are not always able to install those patches in a timely manner; often, they are not installed at all. Yet, once the patch is released, hackers know about the weakness, and can exploit systems that are not yet patched, gaining access to sensitive records. That’s where vPatch comes in. It gives organizations a reliable way to protect their databases and bridge the security gap that exists between the issuance of vendor patch updates and the actual installation of those patches.
The Hedgehog vPatch
Hedgehog vPatch is based on database patching that Sentrigo pioneered in 2008 when it unveiled virtual patching technology. It combines a small non-intrusive sensor on each database server with a set of frequently updated rules to detect in memory any attempts to exploit known vulnerabilities as well as common hacking techniques. The system can be configured to respond in a variety of ways: issuing a real-time alert, terminating the session, placing the user in quarantine and updating the enterprise firewall to block access from the source IP address. Sentrigo updates the virtual patching rules when we discover new vulnerabilities, when new vulnerabilities are made public, and when each new vendor patch is released, to protect customer systems from the latest exploits.
Benefit for data center/IT managers
In addition to protecting databases during the critical period in between the issuance of vendor patches and the actual installation of those patches, Hedgehog vPatch solves two of the major problems that delay and often prevent the installation of vendor patch updates. Because the Hedgehog sensor is read-only and installed as a user process, it doesn’t make any changes to the DBMS software itself. Therefore, it does not require any database downtime, and does not require the same level of application testing that a physical patch requires – major reasons many organizations delay patching.
An additional benefit of virtual patching is that the system can protect older versions of databases that are still in use in the organization, yet are no longer supported by vendor patches. This can be a significant issue, as frequently the vulnerability discovered in the current release of a DBMS is also present in earlier versions, but without a patch the system is at risk.
We’ve seen two primary drivers that lead an organization to deploy Hedgehog vPatch. First, most organizations have a stated patching policy that dictates how soon the update must be applied. The policy is often a result of a law or other regulation, such as PCI-DSS or Sarbanes-Oxley, that mandates timely patching. Often, for the reasons stated earlier, they simply cannot meet this policy, and it becomes a compliance issue. We have many customers who use virtual patching as part of their overall patching strategy and satisfy governance standards. The second driver is security – if a breach does occur, it is very likely to be well publicized, triggering the question: “How long will it take my company to recover from damaged reputation, potential fines and the loss of customers that often results from a breach?”
The best advice we can give Data Center POST readers is to apply vendor patches as soon as possible after they are released. But, we know from experience that this is not always possible, and this often becomes an issue during many compliance audits. Hedgehog vPatch is a quick and pain-free way to compensate for not being able to apply patches immediately, and can be used to meet compliance requirements.