Interview With Blue Lane Technologies' Jeff Palmer

Where did the idea for the inline patch proxy come from?

The founder saw a lot of solutions that seemed to be exploit-centric, and exploits were multiplying like rabbits. So his first insight was to focus on the vulnerability instead of all the exploit variants.

The other insight he had was that you can resolve those vulnerabilities on the network, operating on the client-server protocols, consistent with behavior that a patch installed on the machine would achieve.

How does it work?We typically follow the security patches from the vendors. We focus on those applicable to servers and remotely exploitable over the network. Our design emulates, in a context-aware way, the detection logic and correction logic of the vendor's patch.

The correction logic can vary depending on the vulnerability. In the case of a buffer overflow, the vendor patch may truncate traffic; so we truncate traffic on the wire. In some cases the patch would terminate a session, so if that's the remedy we would do it as well. In some cases it's as simple as returning an error message.

So Blue Lane doesn't apply patches to servers?

We sometimes get confused with patch management or software distribution. We in no way handle the vendor patch. We remediate until it's realistic for the enterprise to deploy the patch on machines that can be patched. We are an adjunct to a healthy software update process.

Blue Lane was started around the time widespread worms were the No. 1 threat. But massive outbreaks have dropped as attackers move to SQL injection, phishing and other attacks. Does this dampen the imperative for a product like yours?We wouldn't say so. There's been year-over-year increases in the number of vulnerabilities. People pay attention to us because they have to secure an ever-increasing population of servers with an ever-increasing number of distributions of patches in a timely and cost-effective way.

Do you see Blue Lane as a security play or an IT management play?

A little of both. We are dealing with a couple of realities. One is enterprises, and their CISOs are being tasked to assure that they have mechanisms in place to secure the infrastructure. It's inexcusable if one of your vendors provides a patch to a known weakness that you haven't deployed in a timely way. That's the security imperative.

The operational reality is there are many factors that may impede an organization's ability to touch various machines in a timely way. Is that machine available? Is this patch compatible? Are we in a seasonal lockdown where we can't touch anything?

We let the enterprise decide their software maintenance windows versus having them thrust on them by the availability of new security patches. So on an IT operations front, if you have change-management controls, testing requirements, go ahead and do that on your schedule.One sign of a healthy market is the presence of competitors. As far as I can tell, Blue Lane is still the only one out there. Is this a sign of trouble?

On the messaging dimension, we aren't the only vendor talking about patching and remediation. Other security products argue they have a means to secure or remediate.

The technical approach, we agree, is novel, but it works. We clearly believe this is a better way to handle this problem. I'd be astounded if others don't do it too.