The makers of Blink say it takes a new approach to intrusion prevention, but competitors disagree. Who can you believe?
A Choice Of Where To Draw The Line
Intrusion-prevention software (IPS) has been available to enterprises for some time. I wrote, for example, on June 7 about a new release of Sana Security's Primary Response IPS, contrasting it with Cisco's Security Agent and McAfee's Entercept.
• The Process Layer. The "process layer" is the conceptual area where software applications run, whether on a corporate server or in a PC. "Host-based" intrusion-prevention software (HIPS) can monitor the processes within machines and attempt to detect and halt unusual behavior that suggests a possible hacker attack.
• The Network Layer. The "network layer" is the portion of an operating system that is closest to a machine's hardware connection to the Internet or a local area network. Blink carefully monitors activity in this layer to stop attacks, Raouf says, before they ever get a chance to interact with processes and applications.
• The Hardware Layer. Every machine that's connected to a network has some kind of networking card that handles the physical tasks of communication. "Network-based" intrusion-prevention systems (NIPS), which defend at the hardware layer, usually take the form of a physical appliance that's installed between the Internet and the networking card on corporate servers. Although they can be effective against external attacks, network-based defenses can't protect against rogue applications that may be running within a corporation's PCs or insiders who seek unauthorized access.
The new Blink software, which was first released last month, protects the network layer of the operating system against unusual activity — without relying on a list of attack "signatures," Raouf says. This preventive capability, plus eEye's new application- and system-level software firewalls, plus its Retina vulnerability assessment tool (which has been available in some form since 2000), have been combined to form Blink.
Guarding Against Behaviors Rather Than Signatures
Blink installs onto every server and client PC in a company. While a deployment this broad may be a daunting task for some large corporations, once Blink is widely installed it offers enterprise-wide managability with centralized dashboards and policy setting, eEye says. Adding these capabilities throughout a company, Raouf explains, offers the following benefits:
• Defense Against "Zero-Day" Attacks. Blink's behavior-monitoring approach means that PCs running it are protected against new assaults, known as zero-day attacks, that take advantage of previously-unknown vulnerabilities for which no vendor patch is available. Using this technique, eEye's software was able to hold off such widespread exploits as Code Red and LSASS, Raouf says.
• No More "Panic Patching." When patches for newfound security holes do become available from software publishers, it may not be necessary for enterprises running Blink to install those patches ona crash basis to prevent a successful intrusion. If Blink is already guarding against a particular hacker exploit, installation of the new patches can wait for the next regular maintenance cycle, saving labor and downtime costs.
• Protecting Roaming Laptops. A mere "security perimeter" approach to defense is flawed because corporate workers routinely take their laptops and other portable devices outside the perimeter. When these devices return onsite and are again plugged into the local network, any Trojan-horse software they may have caught has an opportunity to probe across the LAN for vulnerabilities. Installing Blink on mobile devices defends them from attack when they're off the network.
eEye officials believe their new software approach offers better overall protection than other intrusion-prevention software. Enterprises seem to echo this confidence, with clients such as Citigroup, Prudential, the U.S. Dept. of Defense and many others filling eEye's roster. "Fifty percent of our revenue [from eEye's earlier products] comes from deals that are $100,000 and above" for first-year contracts, Raouf says.
The Battle Is Joined
To underline its belief in the superiority of its products, eEye has created a comparison chart that pits Blink against its competitors. The chart shows that eEye ranks Blink strongly vs. Cisco Security Agent, McAfee Entercept, ZoneLabs Integrity, ISS RealSecure, and four other products that vie for market share.
Jason Coombs, director of forensic services for security vendor PivX Solutions, disagrees that Blink has the best approach. PivX is not listed in eEye's competitive chart because its new IPS offering, Quik-Fix Pro, just began shipping on Aug. 16. But Coombs says his company's product has advantages over the layered approach Blink uses.
"In order to block the attack, Blink has to identify the attack," he explains. "We have the ability to solve the underlying vunerability that hackers would take advantage of." Quik-Fix Pro, Coombs says, acts like a series of patches for Microsoft Windows and numerous Windows applications that otherwise would be susceptible to stealthy intrusions.
Blink 1.0 has some of the rough spots associated with a new release, according to an Aug. 16 review by eWeek.com. Reviewer Cameron Sturdevant found that Blink had trouble installing and reporting back to central management, and lacks integration with antivirus and other security software.
Blink lists for $56 per device on an annual basis, which drops to about $40 per device for installations of 500 or more. eEye is marketing Blink at this time only to customers with more than 500 machines, but a package for companies who want to protect as few as 10 machines will be available by the first quarter of 2005, Raouf adds. For more information, see eEye's Blink product page.
Quik-Fix Pro lists for $60 per PC and $500 per server. More information is available at PivX.com.
In this space next week, I'll bring you responses from other Blink competitors who have their own views of this rapidly changing field.