I wrote in this space last week that Sana Security, a software firm, had released
Primary Response 3.0. This is the first version of the company’s “host-based
intrusion prevention system” (HIPS) that installs on desktop PCs as well as
corporate servers. Version 3.0 observes the activity taking place on a PC and
attempts to shut down Trojan horses and “root kits” that may have infected a
machine.
The security program, which works in addition to and not as a replacement for an
antivirus program, acts as an immune system that looks for unusual behaviors.
For example, company officials say, a hidden process that executes from the
Windows directory is very likely to be up to no good and should be terminated.
This isn’t the only approach that’s currently being used to add immune-system
functionality to PC networks, however. In fact, the field of HIPS is getting a
mite crowded. Your company may well benefit from one product much more than
another, depending on your needs.
From The Network To The Protocol
One vendor that’s well-regarded for its offerings is eEye Digital Security. Its
HIPS product, known as Blink, was just upgraded last month to version 2.0.
In a telephone interview, eEye COO Firas Raouf explained the evolution of the
company’s protection strategy:
• Protecting the network layer.
Blink 1.0 was designed to provide defenses against hacker attacks — without
relying on signatures from old threats — at the network level. “We did that by
hooking into the
NDIS [Network Driver Interface Specification] and
TDI [Transport Driver Interface] layers, below the process layer or
application layer,” Raouf says. “You need to intercept the attack before it gets
up to the application.”
• Defending the protocol layer. Even if hackers can’t get through
the corporate network layer, however, their handiwork can still get inside a
company. That’s because an end user may bring an infected laptop into the
building or click “OK” at a Web site that silently plants a Trojan horse on a
PC. “In Blink 2.0, we decided to tackle spyware and phishing,” Raouf says.
“Blink 1.0 already protected against these things by denying that [malicious]
application from connecting through the Internet. Blink 2.0 prevents that
application from installing in the first place.”
• Testing for vulnerabilities. eEye also recommends that, in
addition to a HIPS program such as Blink 2.0, corporations should also check
their networks for weaknesses using vulnerability-assessment tools, such as
eEye’s Retina scanner.
A Question Of Choosing The Best Approach
eEye’s methodology to protect a company’s electronic assets is different from
that of Sana Security and other vendors in the competitive space, such as Cisco
Systems. Blink, for example, monitors Windows APIs (application programming
interfaces) rather than intercepting system calls to learn which behaviors are
considered appropriate.
“CSA [Cisco Security Agent] uses only the process layer,” Raouf asserts. “And so
does Sana.”
In response, Jeff Platon, vice president of market management for Cisco, says
his company’s product is a “converged agent” that includes both a
behavior-blocking program plus a personal firewall. “There is no difference in
architecture,” between what Cisco does and eEye does, Platon states. “CSA does work at
both the file system layer and the network layer.”
Tim Eades, senior vice president of marketing for Sana, says, “The complexity of
malware has just begun. You have to have a model of what is known bad and a way
to know what is new that is bad.”
Taking issue with eEye’s approach, Eades replies: “I don’t believe you can do
that through packet inspection and protocol analysis as the only means of
detection. You have to have a behavioral heuristics model that can detect and
prevent malicious code from executing.”
Threats Are Evolving And So Are The White Hats
With hacker attacks growing stronger by the day, information technology
executives need the best tools they can get to keep their corporate data assets
secure. Products in the intrusion-prevention category promise to help you with
this job, but at this point it’s a difficult task just to determine which
application best fits your particular network.
In a
white paper by eEye co-founder Marc Maiffret on “Understanding Kernel Level
Host-Based Intrusion Protection,” the company makes a case for its method of
stopping “zero-day threats,” attacks that have never been seen before. The
company contrasts “static behavior protection,” using rules that recognize bad
behavior, and “learning-mode behavior protection:
• Static behavior protection. “If one analyzes a majority of the
attacks that plague networked systems today, one will find common
characteristics that comprise nearly 90% of the known vulnerabilities,” the
company says. “Some of the common terms for these attack classes include buffer
overflows, format string attacks, directory traversal attacks, and parser logic
bugs.” Defending against all possible exploits of these types provides good
protection beyond signature-based products, in the company’s view. For example,
no legitimate program uses a buffer overflow to communicate with another program
(with the exception of vulnerability-assessment tools that are used to test a
network’s defenses).
• Learning-mode behavior protection. Security programs that attempt
to “learn” the appropriate behaviors for a network or a PC are intellectually
attractive. “Tuning” these programs to permit legitimate behaviors that may only
seem unusual, however, can require a large amount of staff time,
eEye notes. “Because of the significant time investment, personnel resource
commitment, and intrusive nature of these systems, behavioral-based systems are
best utilized for securing critical servers and not for protecting all the
host-based assets across an entire enterprise,” the company’s white paper
states.
If your company isn’t evaluating intrusion prevention systems, and your network
assets are exposed to the Internet, you should start a pilot project as soon as
possible. For more information, see the product pages on
Blink 2.0,
Cisco Security Agent 4.0, and
Primary Response 3.0.