A Different Approach To PC Immune Systems

The field of host-based intrusion prevention systems is getting crowded. Here's a look at what some of the different HIPS products can do.
I wrote in this space last week that Sana Security, a software firm, had released Primary Response 3.0. This is the first version of the company's "host-based intrusion prevention system" (HIPS) that installs on desktop PCs as well as corporate servers. Version 3.0 observes the activity taking place on a PC and attempts to shut down Trojan horses and "root kits" that may have infected a machine.

The security program, which works in addition to and not as a replacement for an antivirus program, acts as an immune system that looks for unusual behaviors. For example, company officials say, a hidden process that executes from the Windows directory is very likely to be up to no good and should be terminated.

This isn't the only approach that's currently being used to add immune-system functionality to PC networks, however. In fact, the field of HIPS is getting a mite crowded. Your company may well benefit from one product much more than another, depending on your needs.

From The Network To The Protocol

One vendor that's well-regarded for its offerings is eEye Digital Security. Its HIPS product, known as Blink, was just upgraded last month to version 2.0.

In a telephone interview, eEye COO Firas Raouf explained the evolution of the company's protection strategy:

Protecting the network layer. Blink 1.0 was designed to provide defenses against hacker attacks -- without relying on signatures from old threats -- at the network level. "We did that by hooking into the NDIS [Network Driver Interface Specification] and TDI [Transport Driver Interface] layers, below the process layer or application layer," Raouf says. "You need to intercept the attack before it gets up to the application."

Defending the protocol layer. Even if hackers can't get through the corporate network layer, however, their handiwork can still get inside a company. That's because an end user may bring an infected laptop into the building or click "OK" at a Web site that silently plants a Trojan horse on a PC. "In Blink 2.0, we decided to tackle spyware and phishing," Raouf says. "Blink 1.0 already protected against these things by denying that [malicious] application from connecting through the Internet. Blink 2.0 prevents that application from installing in the first place."

Testing for vulnerabilities. eEye also recommends that, in addition to a HIPS program such as Blink 2.0, corporations should also check their networks for weaknesses using vulnerability-assessment tools, such as eEye's Retina scanner.

A Question Of Choosing The Best Approach

eEye's methodology to protect a company's electronic assets is different from that of Sana Security and other vendors in the competitive space, such as Cisco Systems. Blink, for example, monitors Windows APIs (application programming interfaces) rather than intercepting system calls to learn which behaviors are considered appropriate.

"CSA [Cisco Security Agent] uses only the process layer," Raouf asserts. "And so does Sana."

In response, Jeff Platon, vice president of market management for Cisco, says his company's product is a "converged agent" that includes both a behavior-blocking program plus a personal firewall. "There is no difference in architecture," between what Cisco does and eEye does, Platon states. "CSA does work at both the file system layer and the network layer."

Tim Eades, senior vice president of marketing for Sana, says, "The complexity of malware has just begun. You have to have a model of what is known bad and a way to know what is new that is bad."

Taking issue with eEye's approach, Eades replies: "I don't believe you can do that through packet inspection and protocol analysis as the only means of detection. You have to have a behavioral heuristics model that can detect and prevent malicious code from executing."

Threats Are Evolving And So Are The White Hats

With hacker attacks growing stronger by the day, information technology executives need the best tools they can get to keep their corporate data assets secure. Products in the intrusion-prevention category promise to help you with this job, but at this point it's a difficult task just to determine which application best fits your particular network.

In a white paper by eEye co-founder Marc Maiffret on "Understanding Kernel Level Host-Based Intrusion Protection," the company makes a case for its method of stopping "zero-day threats," attacks that have never been seen before. The company contrasts "static behavior protection," using rules that recognize bad behavior, and "learning-mode behavior protection: 

Static behavior protection. "If one analyzes a majority of the attacks that plague networked systems today, one will find common characteristics that comprise nearly 90% of the known vulnerabilities," the company says. "Some of the common terms for these attack classes include buffer overflows, format string attacks, directory traversal attacks, and parser logic bugs." Defending against all possible exploits of these types provides good protection beyond signature-based products, in the company's view. For example, no legitimate program uses a buffer overflow to communicate with another program (with the exception of vulnerability-assessment tools that are used to test a network's defenses).

Learning-mode behavior protection. Security programs that attempt to "learn" the appropriate behaviors for a network or a PC are intellectually attractive. "Tuning" these programs to permit legitimate behaviors that may only seem unusual, however, can require a large amount of staff time, eEye notes. "Because of the significant time investment, personnel resource commitment, and intrusive nature of these systems, behavioral-based systems are best utilized for securing critical servers and not for protecting all the host-based assets across an entire enterprise," the company's white paper states.

If your company isn't evaluating intrusion prevention systems, and your network assets are exposed to the Internet, you should start a pilot project as soon as possible. For more information, see the product pages on Blink 2.0, Cisco Security Agent 4.0, and Primary Response 3.0.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.