Who’s the best illusionist?

When asked who’s the best illusionist of all time, you’ll likely hear anything from Harry Houdini to David Copperfield to David Blaine, but they don’t have anything on your IPS vendor.

I often hear the question: how big or how good is Palo Alto Networks’ vulnerability research team? If you look at the websites or collateral of leading IPS vendors, you will see that most of them tout things like their premier research organization, dedicated team of researchers, research lab dedicated to vulnerability discovery and disclosure, network security experts working around the clock to discover, assess and respond to vulnerabilities, delivering preemptive security, etc.

As October’s monstrous Microsoft security bulletin was just released earlier this week, I decided to take a look at the number of Microsoft vulnerabilities found by leading IPS companies over the last 6 months.

Since Microsoft credits each vulnerability to the discovering researcher and their organization, it is easy to go back through the last 6 months of security bulletins to figure out who has been doing vulnerability research and who hasn’t. Often these newly discovered vulnerabilities are submitted to Microsoft months in advance, and though it’s impossible to tell how many there are or when they will be published as security advisories, you can quickly gather a trend of how much research is being done if you look at it over a period of time. The results for the last 6 months were basically the same as they were for all of 2009.

Over the last 6 months, Palo Alto Networks has discovered 6 vulnerabilities (4 critical and 2 important severity) published by Microsoft. Let’s compare that to the next closest IPS vendors. The ISS X-Force research team was credited with 3 Microsoft vulnerabilities (2 critical and 1 moderate severity). TippingPoint’s DVLabs, their in-house research team – not their Zero Day Initiative, which pays external researchers for contributed vulnerabilities – has published 2 vulnerabilities (1 critical and 1 important severity). McAfee’s Avert Labs comes in with 1 critical Microsoft vulnerability published. And finally, Juniper and Sourcefire have no published Microsoft vulnerabilities, not just for the past 6 months but for the past 2 years.

Now where are all those around-the-clock researchers in distributed locations around the globe who are discovering vulnerabilities? The idea that a smaller, more agile team is at a disadvantage in discovering and analyzing vulnerabilities is an illusion.