Patty Long has a thousand reasons to deploy host-based intrusion prevention: 1,000 DMZ servers, database servers and application servers.
"We were looking across the organization and trying to touch every single application, every server where data--participant data, sponsor data, plan data--would transverse our environment, to make sure we have every point where it's at rest or could pass through covered," says Long, who is with ING's Security and Risk Management Department. She deployed Third Brigade Deep Security at CitiStreet, which was acquired by ING Group this year (now part of ING Wealth Management).
Most people still think in terms of the original host-based intrusion prevention systems (HIPS) technologies, which monitored OS system calls for anomalous behavior. The best known were Okena's StormWatch, which evolved into Cisco Systems' Cisco Security Agent (CSA), and Entercept Security Technologies, whose products became McAfee Host Intrusion Prevention.
Today, HIPS encompasses many technologies to protect servers and/or desktops and laptops. Many experts and analysts use it as an umbrella for everything from traditional signature-based antivirus/antispyware and host firewalls to behavior analysis.
Long is certainly not unique, but while host-based intrusion prevention systems are moving into the mainstream of information security, they are not generally well understood by most organizations.
"It's still a new frontier for them. We have to explain what it is, what it's doing," says Ed Skoudis, co-founder and senior security consultant of Intelguardians. "What a lot of them remember is Okena and Entercept; that's a piece of it, but today it goes way beyond that."
Faced with signature-defying malware and regulatory demands for tighter controls over corporate systems and data, traditional AV vendors have been scrambling to add HIPS, both standalone and as part of endpoint suites. And, HIPS vendors are bundling AV capabilities, generally through OEM deals.
So, you have vulnerable servers open to all HTTP traffic and roaming, hard-to-control laptops, and a smorgasbord of host protection options.
When Information Security first wrote about HIPS in 2002, signature-based AV was still king. Most attacks were what one security expert recently referred to as "Internet hooliganism" rather than profit driven. Antispyware was a consumer-oriented cottage industry.
Today, signatures ain't enough.
"The bad guys are completely overwhelming signature-based antivirus," says Skoudis. "They're appropriate for the threat model we faced five to 10 years ago. Some vendors brag that they're getting 90 percent detection. If you give the vendors the benefit of the doubt, that's awful. If my machine has 100 exposures a week--that's on the low side--it still means I'm infected 10 times."
So, we have a wide range of protection technologies, offered in different combinations by numerous vendors--but no silver bullet. To make intelligent buying decisions, it's important to understand the ways these technologies detect attacks. Each has its strengths, limits and, in some cases, risks.
JOINED AT THE HIPS
Everything that can run on your server or PC is either a known bad app, a known good app or--and this is where things get really dicey--unknown. Traditional signature AV pretty much does the trick against the stuff we know is bad. Known good is an authorized application. (Or, if it's benign but not part of your company's standard build, you can ban or limit its use by policy.) The unknown--the zero-day attacks, the multitude of malware variants--is where criminals live large.
The early HIPS models waited for the code to start executing, attempted to determine if it was making legitimate system calls, and blocked them if it was not.
Today, you can attempt to detect an intrusion when it attempts to penetrate a system, when it's on the system but hasn't executed, or when it executes. This applies to remote network-based attacks or ones that require a Web surfer's download or clicking on an email link or attachment.
So, HIPS technologies can be generally categorized by what they look for, how they look for it, and at what stage they attempt to detect it. Neil MacDonald, VP and Gartner fellow, draws this up into a nice matrix of nine styles of protection. He cross-references the three states of our knowledge about the code (known bad, known good, unknown) and three stages at which they can be detected--network-based, when the code is attempting to penetrate the system; application-based, when it is on the system; and behavioral, when it executes.
MacDonald calls the latter "the last line of defense," because the code is already executing. Some solutions mitigate the risk by allowing the code to run in a sandbox, so its behavior can be analyzed without putting the system at risk, or using an emulator to model what it would do if allowed to run unfettered.
Some sort of behavior-based detection is key to assessing unknown code. One technique uses behavioral "signatures"--it identifies common bad behavior, such as misuse of memory or modifying OS files. Instead of specific malware signatures, it looks for the common techniques of a given class of exploits. Or, it may look for attack behavior designed to exploit known vulnerabilities. Others monitor behavior and create a baseline of normal activity.
In addition to the inherent risk of allowing code to execute, behavioral techniques tend to produce false positives and eat up more system resources.
In the worst cases, they can destabilize and crash systems. MacDonald refers to this as a potential denial of service for the underlying system.
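To make the three knowledge states (known bad, known good, unknown) and the two behavioral approaches described above concrete, here is a toy host-side policy engine. It is an added illustration, not code from the article or from any of the vendors it names. The hashes, process names, monitored paths and events are all constructed placeholders; a real HIPS hooks actual system calls rather than reading a list of records.

```python
from dataclasses import dataclass

# Constructed sample indicators: placeholder hashes, not real malware or software.
KNOWN_BAD = {"sha256:PLACEHOLDER-bad-0001"}
KNOWN_GOOD = {"sha256:PLACEHOLDER-good-0001"}

# Paths whose modification by unknown code we treat as a generic bad technique
# (assumed list for the example, not a vendor's rule set).
OS_PATHS = ("/boot/", "/lib/", "/usr/lib/", "/etc/ld.so.preload")


@dataclass
class Event:
    """One observed host event: which binary made which system call on what."""
    process: str
    sha256: str
    syscall: str      # e.g. "read", "write", "exec", "mprotect"
    target: str = ""  # file path, executed program, or memory-protection flags


def classify_code(sha256: str) -> str:
    """The three knowledge states from the article's matrix."""
    if sha256 in KNOWN_BAD:
        return "known_bad"
    if sha256 in KNOWN_GOOD:
        return "known_good"
    return "unknown"


def behavioral_signature(event: Event):
    """Behavioral 'signature': a technique common to a class of attacks,
    not a fingerprint of one sample. Returns a reason string or None."""
    if event.syscall == "write" and event.target.startswith(OS_PATHS):
        return "modifies OS files"
    if event.syscall == "mprotect" and event.target == "RWX":
        return "makes memory writable and executable"
    return None


class Baseline:
    """Baseline-style detection: record which system calls each process
    normally makes, then flag calls never seen during the learning window."""

    def __init__(self):
        self.profile: dict[str, set[str]] = {}

    def learn(self, events):
        for e in events:
            self.profile.setdefault(e.process, set()).add(e.syscall)

    def is_anomalous(self, event: Event) -> bool:
        seen = self.profile.get(event.process)
        # No profile for this process: nothing to compare against, so not flagged here.
        return seen is not None and event.syscall not in seen


def decide(event: Event, baseline: Baseline):
    """Returns (action, reason). Known bad/good are settled by signature and
    allowlist; only unknown code falls through to the behavioral checks."""
    state = classify_code(event.sha256)
    if state == "known_bad":
        return ("block", "known bad: signature match")
    if state == "known_good":
        return ("allow", "known good: allowlisted")
    sig = behavioral_signature(event)
    if sig is not None:
        return ("block", f"unknown code, behavioral signature: {sig}")
    if baseline.is_anomalous(event):
        return ("alert", "unknown code, deviates from baseline")
    return ("allow", "unknown code, no bad behavior observed")


def run_demo():
    """Constructed events; returns a list of (process, action, reason)."""
    baseline = Baseline()
    baseline.learn([Event("webapp", "sha256:unk-web", "read", "/var/www/index.html"),
                    Event("webapp", "sha256:unk-web", "write", "/var/log/webapp.log")])
    events = [
        Event("dropper", "sha256:PLACEHOLDER-bad-0001", "exec", "/tmp/payload"),
        Event("sshd", "sha256:PLACEHOLDER-good-0001", "write", "/usr/lib/x.so"),
        Event("updater", "sha256:unk-upd", "write", "/usr/lib/libz.so"),  # legitimate updater: false positive
        Event("webapp", "sha256:unk-web", "exec", "/bin/sh"),
        Event("webapp", "sha256:unk-web", "read", "/var/www/about.html"),
    ]
    return [(e.process,) + decide(e, baseline) for e in events]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The third constructed event shows the false-positive problem the article raises: an unknown but legitimate package updater writes into an OS library directory and is blocked by the generic "modifies OS files" rule, which on a production server is exactly the availability risk Corman describes. Allowlisting the updater's hash (moving it to known good) is the usual fix, and the "alert" rather than "block" action on baseline deviations is the softer choice for environments that need to be more flexible.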
"The downside of behavior-based techniques is that while they can detect unknown attacks, which signature antivirus can't, their tight coupling with system API calls makes them brittle," says Josh Corman, principal security analyst with IBM, which sells Proventia Desktop Endpoint Security and Proventia Server Intrusion Prevention System.
This is especially true for servers, Corman says, "where availability is king."
"It depends on environment," says Intelguardians' Skoudis. "If your environment is very constrained, if you can be fairly draconian, if you don't need your users to run all kinds of crazy apps, whitelisting solutions are very nice.
"For environments that need to be more flexible, behavior-based is a good way to go--in addition to signatures, of course."
None of these has to be an either-or decision. The key is choosing the right combination of technologies for your environment--for the least money. AV vendors are packaging multiple technologies in addition to signature detection, either through development, acquisition or OEM; meanwhile, some HIPS vendors are bundling signature-based AV.
"Incumbent AV providers increasingly understand and are aware that signature-based protection is not sufficient," says MacDonald, "so they've been supplementing their AV with other styles of protection. The line between point solutions and what, say, Symantec or McAfee can do is pretty blurry."