Feature

Hot Pick: Sana Security's Primary Response 3.0

This article can also be found in the Premium Editorial Download "Information Security magazine: With SSL VPNs on the offense, will IPSec VPNs eventually be benched?."

Sana Security's Primary Response 3.0
Sana Security
Price: Starts at $875

Host-based intrusion prevention is often regarded as more or less a point security technology for protecting critical servers. But the increasing threat posed by mobile devices gives new urgency to endpoint security, and improved management tools, agent technology and faster networks have made host IPS a more attractive enterprise proposition.

Sana Security has significantly enhanced the value of Primary Response by extending its heuristics-based protection to desktops (Windows 2000 Professional and XP Professional) in version 3.0. Server agents are supported on Windows 2000/2003 and Solaris 8. (Solaris 9 and Linux are in beta.)

The ability to centrally aggregate, correlate and respond to reports of anomalous behavior across multiple machines makes Primary Response more than a point tool for protecting individual hosts. For example, if a machine suddenly reports IRC traffic through TCP port 10087--indicative of a worm attack--the event would be logged. This gives other machines a point of reference for taking appropriate response action, even if there is no attack signature. Depending on policy, Primary Response can log, block, alert or ignore the anomaly on a global, group or individual basis. Alerts are delivered via e-mail or SNMPv1 and v2.

Primary Response complements signature-based AV, particularly for detecting and preventing the spread of zero-day worms. It prevented worms, Trojans, root kits, keyloggers and bots from executing on our systems.

Client agents collect anomalous events--such as new applications opening ports--and pass them to the management server for classification by severity. Responses are set according to predefined policy. This allowed us, for example, to run IM in a normal operating state. But when we attempted to infect the client machine with an IM-transferred keylogger, the executable was denied access at the kernel level; the behavior didn't match defined norms. Because Sana monitors executable behavior, it works particularly well with custom applications without extensive setup and policy creation.

Exec Summary
Blocks known and unknown exploits
Centralized correlation and response
Operates at the kernel level
Only Windows Professional desktops

Primary Response ships with default application policy templates for protective responses to common threats; policies can also be edited or created from scratch.

Highly granular policies can be created based on groups and permitted applications and processes. Machines in the same group can inherit policy from other machines in the group, and Active Directory groups can be imported.
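The central correlation described earlier (one machine's report of IRC traffic on TCP port 10087 becoming a reference point for the others) and the individual/group/global policy precedence above, as an added Python model. This is not Sana's code; the hostnames, event kinds, the "medium"/"high" severity rule and the fallback action are assumptions.

```python
from dataclasses import dataclass

ACTIONS = ("log", "block", "alert", "ignore")   # responses named in the review

@dataclass
class Event:
    host: str
    kind: str     # anomaly class, e.g. "port_open" or "driver_load"
    detail: str   # constructed descriptor, e.g. "irc/tcp/10087"

class ManagementServer:
    def __init__(self, global_policy):
        self.global_policy = global_policy   # anomaly kind -> action
        self.group_policy = {}               # group name -> {kind: action}
        self.host_policy = {}                # host name  -> {kind: action}
        self.host_group = {}                 # host name  -> group name
        self.seen = {}                       # (kind, detail) -> reporting hosts

    def resolve(self, host, kind):
        # Individual policy wins, then the host's group, then the global default.
        levels = (self.host_policy.get(host, {}),
                  self.group_policy.get(self.host_group.get(host), {}),
                  self.global_policy)
        for rules in levels:
            if kind in rules and rules[kind] in ACTIONS:
                return rules[kind]
        return "log"   # assumed fallback when no level defines a rule

    def classify(self, event):
        # Severity rises once a second machine reports the same anomaly, so
        # later hosts get a point of reference even without a signature.
        hosts = self.seen.setdefault((event.kind, event.detail), set())
        hosts.add(event.host)
        return "high" if len(hosts) > 1 else "medium"

    def handle(self, event):
        return (event.host, self.classify(event), self.resolve(event.host, event.kind))

def demo():
    # Constructed fleet and events; hostnames and policies are hypothetical.
    srv = ManagementServer({"port_open": "log", "driver_load": "block"})
    srv.group_policy["servers"] = {"port_open": "block"}
    srv.host_policy["dev-01"] = {"port_open": "ignore"}
    srv.host_group.update({"web-01": "servers", "web-02": "servers", "dev-01": "desktops"})
    events = [Event("web-01", "port_open", "irc/tcp/10087"),
              Event("web-02", "port_open", "irc/tcp/10087"),
              Event("dev-01", "port_open", "irc/tcp/10087"),
              Event("dev-01", "driver_load", "usb-storage")]
    return [srv.handle(e) for e in events]
```

The last event shows the fall-through: dev-01 has an individual rule only for port openings, its group has none for driver loads, so the global "block" applies.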

The kernel lockdown feature is impressive. This prevents device drivers--such as portable storage devices--from loading. Because Primary Response functions at the kernel, policies can be created that protect the system and agent at a fundamental level from sophisticated attacks, such as code injections and registry updates.

The management server operates on Windows 2000/2003 servers and Solaris 8. The Java-based console is a tabbed environment for management server configuration, installation of the agents, policy configuration and assignment, creating and managing groups, and setting up alerts, logs and reports. There's an embedded database, and Oracle is supported for larger deployments and is required for Crystal Reports.

In 3.0, Sana applies sophisticated detection techniques to both servers and desktops to elevate its host-IPS to enterprise level.

-SANDRA KAY MILLER

This was first published in May 2005
