David Endler, Providing True Zero-Day Exploit Protection
A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. Ordinarily, after someone detects that a software program contains a potential exposure to exploitation by a hacker, that person or company can notify the software company and sometimes the world at large so that action can be taken to repair the exposure or defend against its exploitation. Given time, the software company can repair and distribute a fix to users. Even if potential hackers also learn of the vulnerability, it may take them some time to exploit it; meanwhile, the fix can hopefully become available first. With experience, however, hackers are becoming faster at exploiting a vulnerability and sometimes a hacker may be the first to discover the vulnerability. In these situations, the vulnerability and the exploit may become apparent on the same day. Since the vulnerability isn't known in advance, there is no way to guard against the exploit before it happens. Companies exposed to such exploits can, however, institute procedures for early detection of an exploit.
Name: David Endler
Title: Director of Security Research
Likes to be called: Dave
Company: TippingPoint, a division of 3Com
Increasingly, an ecosystem is developing around technical security research knowledge concerning zero-day vulnerabilities. I believed that one effective way to capture this data was by establishing a best-of-breed incentive program. The program was dubbed the Zero Day Initiative (ZDI). The information is then used to deliver vulnerability filters that protect customers of TippingPoint Intrusion Prevention Systems against these flaws. Through the program, 3Com rewards researchers who responsibly submit vulnerability information to us instead of publicly announcing their discovery and putting organizations at risk. We give this information to the affected vendor to develop a patch, while protecting our customers with intrusion-prevention technology. The information is not made public until a patch is available. This background information provides the context in which we support rewards for security research. There is a misperception that all security researchers are malicious hackers looking to do harm. In reality, there is a growing security research community that has evolved dramatically over the last few years. Today, those with the level of expertise needed to discover a vulnerability and recognize its significance form a global and sizable group. A very small minority are malicious hackers. It is not uncommon for security researchers to stumble onto a new flaw while doing their day-to-day security work. Why shouldn't the well-doers be rewarded for responsibly handling this sensitive information? Rewarding researchers can be compared with rewarding reporters who uncover a story. If a freelance reporter stumbles upon a great story, why shouldn't he or she offer it to a publication for payment? Much like the way a publication checks facts in the story, 3Com validates the issues to find out if they are legitimate vulnerabilities. Most stories, like vulnerabilities, will eventually be uncovered.
It's best that the vulnerabilities are given to a group that will ensure they are handled responsibly. Security researchers who work with vendors to alleviate a flaw are not malicious. Those with malicious intent can inflict damage by exploiting a vulnerability or selling it on the black market without notifying the vendor. With zero-day vulnerabilities on the rise and the window of time before exploits appear shrinking, it is increasingly important to provide next-generation security. This means that by 3Com acquiring these zero-day vulnerabilities from independent security researchers:
- It ensures responsible disclosure of vulnerabilities, giving affected vendors the opportunity to issue solutions/patches to end users.
- It makes the general Internet and technology community safer for computer users.
- It gives participating security researchers the positive recognition they desire.
- It gives 3Com and TippingPoint the ability to provide customers with zero-day protection through Intrusion Prevention technology.
We launched the program in August of 2005 and have since had over 300 security researchers sign up at http://www.zerodayinitiative.com. To date, we have disclosed critical vulnerabilities in products from vendors including Microsoft, Apple, Symantec, Novell, and others. A full list is available at http://www.zerodayinitiative.com/advisories.html. We were able to provide true zero-day exploit protection for all of these issues while the vendor was still working on a patch; in some cases that window lasted months.
David Endler is the director of security research for 3Com's security division, TippingPoint. In this role, he oversees 3Com's internal product security testing, VoIP security center, and TippingPoint's vulnerability research teams. Endler is also the chairman and founder of the industry group Voice over IP Security Alliance (VOIPSA). VOIPSA's mission is to drive adoption of VoIP by promoting the current state of VoIP security research, testing methodologies, best practices, and tools. Prior to TippingPoint, Endler led the security research teams at iDEFENSE. With 10 years' experience, he has in previous lives performed security research for Xerox Corporation, the National Security Agency, and the Massachusetts Institute of Technology. Endler is the author of numerous articles and papers on computer security and holds a master's degree in Computer Science from Tulane University. Dave's hobbies and interests include a plethora of activities, but predominantly running, hiking and mountain biking.
TippingPoint, a division of 3Com
7501 North Capital of Texas Highway, Building B
Austin, Texas 78731 USA
Main: +1 512 681 8000
Sales: +1 888 TRUE IPS (+1 888 878 3477)
Support: +1 866 681 8324 (International: +1 866 681 8524)
Fax: +1 512 681 8099
Copyright © 2006 Silicon Valley Communications - All rights reserved.