Intrusion-prevention start-up touts 'memory firewall'

Computerworld - The growing speed at which malicious hackers can exploit new vulnerabilities is creating a need for intrusion-prevention technologies capable of proactively detecting and blocking attacks even before software fixes become available for them.
With that need in mind, Determina Inc., a Redwood City, Calif.-based start-up being launched today, is introducing new technology that it claims offers a better way to head off attacks than other intrusion-prevention products.
The company's "memory firewall" SecureCore software is based on technology developed by researchers at MIT and has so far attracted $19 million in funding from venture capital firms.
Determina's CEO, Nand Mulchandani, said the product eliminates the need for signatures, policies or human intervention for dealing with memory-based attacks caused by mass worms such as Blaster and Slammer. Unlike other intrusion-prevention products, SecureCore is designed to protect applications and data operating in computer memory at the time of attack.
The technology works by running inside an application's memory and enforcing compliance with basic program conventions that all applications need to follow at all times. Any time an application does something that isn't consistent with those basic conventions, the activity is instantly shut down and administrators are alerted of the problem, Mulchandani said.
The technology consists of two components: a SecureCore agent that installs on servers and keeps an eye on the operating system, Web server, database, messaging server, and other systems software; and a management console for centralized agent deployment, logging and event management.
The memory firewall acts almost like a security guard standing next to a bank teller watching every transaction and knowing instantly when something is wrong, Mulchandani said.
Other host intrusion-prevention products, by comparison, work more like security guards posted at the door to check people going in and out of a bank, he said. "The person outside has no visibility into what's going on inside the bank."
Thermo Electron Corp., a $2 billion supplier of scientific equipment, has been beta-testing Determina's SecureCore technology for a couple of months. So far it has proved to have been very effective in stopping attacks such as those from the recent Sasser worm, said Michael Kamens, global network security manager at the Waltham, Mass.-based company.
Previously, the company had to shut down servers to deploy patches every time a critical vulnerability was announced. SecureCore's ability to detect and block even unknown attacks means Thermo can keep its servers running and deploy patches only during scheduled maintenance, Kamens said.
"It buys us time. It gives us the luxury of not having to take downa critical server in the middle of the day," said Kamens, who is looking at deploying the technology on more than 500 servers.
Determina's technology addresses an important need, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. "Host-based intrusion prevention is a no-brainer. The opportunity to address this right now is wide open."
While Determina's approach is different from those adopted by more established rivals such as Sana Security Inc., it is too soon to say which approach is best at providing host intrusion prevention, he said.
A lot will depend on how easy the software is to deploy and how well it interacts with other security products already in place, he said.