Information Security Magazine
HotPick
Issue: Jun 2005
Sana Security's Primary Response 3.0
Sana Security
Price: Starts at $875
Host-based intrusion prevention is often regarded as more or less a point security technology for protecting critical servers. But the increasing threat posed by mobile devices gives new urgency to endpoint security, and improved management tools, agent technology and faster networks have made host IPS a more attractive enterprise proposition.

Sana Security has significantly enhanced the value of Primary Response by extending its heuristics-based protection to desktops (Windows 2000 Professional and XP Professional) in version 3.0. Server agents are supported on Windows 2000/2003 and Solaris 8. (Solaris 9 and Linux are in beta.)

The ability to centrally aggregate, correlate and respond to reports of anomalous behavior across multiple machines makes Primary Response more than a point tool for protecting individual hosts. For example, if a machine suddenly reports IRC traffic through TCP port 10087--indicative of a worm attack--the event would be logged. This gives other machines a point of reference for taking appropriate response action, even if there is no attack signature. Depending on policy, Primary Response can log, block, alert or ignore the anomaly on a global, group or individual basis. Alerts are delivered via e-mail or SNMPv1 and v2.

Primary Response complements signature-based AV, particularly for detecting and preventing the spread of zero-day worms. It prevented worms, Trojans, rootkits, keyloggers and bots from executing on our systems.

Client agents collect anomalous events--such as new applications opening ports--and pass them to the management server for classification by severity. Responses are set according to predefined policy. This allowed us, for example, to run IM in a normal operating state. But when we attempted to infect the client machine with an IM-transferred keylogger, the executable was denied access at the kernel level; the behavior didn't match defined norms. Because Sana monitors executable behavior, it works particularly well with custom applications without extensive setup and policy creation.

Exec Summary
Pro: Blocks known and unknown exploits
Con: Centralized correlation and response
Con: Operates at the kernel level
Con: Only Windows Professional desktops

Primary Response ships with default application policy templates for protective responses to common threats; policies can also be edited or created from scratch.

Highly granular policies can be created based on groups and permitted applications and processes. Machines in the same group can inherit policy from other machines in the group, and Active Directory groups can be imported.
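The review describes two mechanisms in prose: agents report anomalous events that the server classifies by severity and correlates across machines (the port 10087 example), and the response is resolved from policy with individual, group and global scope. The following is an added illustration of that model, not Primary Response's own code or data format; the event fields, severity numbers, group names and host names are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of agent reports (not real Primary Response output).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "new_exec", "proc": "im_transfer.exe"},
    {"host": "ws-01", "type": "outbound_conn", "proc": "im_transfer.exe", "port": 10087},
    {"host": "ws-02", "type": "outbound_conn", "proc": "svchost.exe", "port": 10087},
    {"host": "srv-db-01", "type": "outbound_conn", "proc": "oracle.exe", "port": 10087},
    {"host": "ws-03", "type": "driver_load", "proc": "usbstor.sys"},
]

# Assumed base severities per behaviour type (constructed scale, 1 = low, 5 = high).
BASE_SEVERITY = {"new_exec": 2, "outbound_conn": 2, "driver_load": 3}


class PolicyServer:
    """Resolves a response with individual > group > global precedence and
    escalates severity when several hosts report the same anomaly."""

    def __init__(self, global_default="log", spread_threshold=3):
        self.global_default = global_default      # global scope: log/block/alert/ignore
        self.spread_threshold = spread_threshold  # hosts reporting before escalation
        self.group_of = {}      # host -> group (e.g. a group imported from Active Directory)
        self.group_rules = {}   # (group, event type) -> response inherited by the group
        self.host_rules = {}    # (host, event type) -> per-machine override
        self.seen = defaultdict(set)  # (event type, port) -> hosts that reported it

    def response_for(self, host, etype):
        # Most specific scope wins: individual machine, then its group, then global.
        if (host, etype) in self.host_rules:
            return self.host_rules[(host, etype)]
        rule = self.group_rules.get((self.group_of.get(host), etype))
        return rule if rule else self.global_default

    def classify(self, ev):
        # Correlate by behaviour, not signature: the same anomaly seen on many
        # hosts (e.g. unexpected traffic to TCP 10087) is treated as worm spread.
        key = (ev["type"], ev.get("port"))
        self.seen[key].add(ev["host"])
        sev = BASE_SEVERITY[ev["type"]]
        return 5 if len(self.seen[key]) >= self.spread_threshold else sev

    def handle(self, ev):
        return {"host": ev["host"], "severity": self.classify(ev),
                "response": self.response_for(ev["host"], ev["type"])}


def run_sample():
    srv = PolicyServer(global_default="log", spread_threshold=3)
    srv.group_of.update({"ws-01": "desktops", "ws-02": "desktops",
                         "ws-03": "desktops", "srv-db-01": "db-servers"})
    srv.group_rules[("desktops", "new_exec")] = "block"      # unknown executables
    srv.group_rules[("desktops", "driver_load")] = "block"   # kernel lockdown of drivers
    srv.host_rules[("srv-db-01", "outbound_conn")] = "ignore"  # one-machine exception
    return [srv.handle(ev) for ev in SAMPLE_EVENTS]
```

The fourth event shows the point of central correlation: the per-host exception still resolves to "ignore", but the severity has been escalated to 5 because three machines reported the same anomalous behaviour, which is the signal an operator would review regardless of the local policy.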

The kernel lockdown feature is impressive. This prevents device drivers--such as portable storage devices--from loading. Because Primary Response functions at the kernel, policies can be created that protect the system and agent at a fundamental level from sophisticated attacks, such as code injections and registry updates.

The management server operates on Windows 2000/2003 servers and Solaris 8. The Java-based console is a tabbed environment for management server configuration, installation of the agents, policy configuration and assignment, creating and managing groups, and setting up alerts, logs and reports. There's an embedded database, and Oracle is supported for larger deployments and is required for Crystal Reports.

In 3.0, Sana applies sophisticated detection techniques to both servers and desktops to elevate its host-IPS to enterprise level.

-SANDRA KAY MILLER
All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy