Lately; web based zero "0" day protection seems to be offered more and more within the industry. It's almost as if companies (no names mentioned, but you know who you are!) are shouting from the rooftops "GUARANTEED ZERO DAY PROTECTION, READ ALL ABOUT IT!" as if they're some kind of web-protection Gods, assuring you of safety from everything, "no matter what".
Firstly; lets look at the type of web-based zero day threat we face.
A zero day exploit is an exploitation that utilizes an attack that is not previously seen or known. These could be exotic buffer overflows, custom code attacks, traversal attacks etc. The clue to the issue as to why 0 days are so hard to detect is in the first sentence. If something is not previously seen or known... How can we adequately protect from it?
Companies offer web-based zero day protection under the guise that they "inspect web based content for known vulnerabilities based on originating IP and details, headers, DNS information, web content, server confidence and much more". But what are these checks really doing?
In short; they're scanning all the above and providing a threat risk accordingly. IP from Russia? 10 points. OOD PlugIn? 20 points. WordPress website? 30 points. Once you reach the pre-defined criteria of points your 0 day protection swoops in to action screaming "0 DAY DETECTED! 0 DAY DETECTED!" when, in reality, it's a Russian WordPress site with a slightly out of date plugin. Of course; the zero-day protection system doesn't work on such a basic point system, but you can see how the "zero day protection" works. It's simply assessing a bunch of pre-defined vulnerabilities, or known suspicious information, and when it gets to a point that it panics; it issues the 0 day warning. Hardly zero day protection.
Offering Zero Day Protection is like INSINIA saying "we can guarantee to protect you from being murdered". We know that murderers may use some kind of weapon to kill you, maybe even a weapon we've never seen before or even thought of! So we guard all your windows, guard your back door, monitor everything that enters your property via state of the art people-inspection etc. We even test your water supply for polonium 210, anthrax etc, in real time! We do everything we can to protect you. The only problem is that your super-smart murderer poisoned your water supply with an exotic, undetectable poison that he invented using techniques we've never seen before. Despite the fact that we were testing your water; we simply didn't know it existed, and therefore couldn't protect you from it.
So to break that analogy down; the people-inspection is your real-time Firewall (SPI etc), the inspection itself is the "zero day protection", and the poison is the exploit we didn't detect. As it was an exotic chemical, never seen before, it would be unreasonable to expect anything to adequately and successfully detect it, even a £200,000 piece of equipment ;-D
So ask yourself, before spending vast amounts of money, where was the "zero day protection" during Heartbleed? Hiding behind a quick fix, I'd imagine...
The same result as these zero day protection systems can be achieved by using your own definitions in your in-house systems, and simply being more active in monitoring your network.
So how can we protect ourselves from 0 day threats?
For example; use OpenDNS to resolve DNS queries. Use Norse to filter BotNet / BlackListed IP's. Enforce strict policies. Regularly update systems and hardware. Carry out frequent testing. Use TripWire to monitor vulnerabilities across your network in real time, and use an IDPS and data security system to monitor user behaviours and throughput. Even use the guaranteed 0 DAY protection software if you insist but, as a very minimum, understand that you are still NOT protected from 0 days, no matter what you read.
0 days are exactly as we know - dangerous, unknown, and often highly intricate and sophisticated attacks. Never be complacent in thinking one solution will protect you from 0 days. It won't.
"An ounce of performance is worth a tonne of promises"