Patching is supposed to secure your organization from the latest batch of malicious code. But try telling that to the state of Alaska's IT department. Staffers were working diligently to stay up-to-date on patching, despite the sheer size of the territory they serve and the limited bandwidth available in remote areas. But what if no patches existed?
"We were expending a huge amount of effort cleaning up the infections in our machines," says Darrel Davis, chief security officer for the state. "Some exploits were out there yet no patches were available."
To address those problems, Davis, like a growing number of IT security managers, deployed host-based intrusion-prevention system (HIPS) software on 19,000 desktops scattered throughout the state. This relatively immature technology brings the concept of defense right to the desktop. Its definition hasn't been settled upon, however, and several vendors advocate very different approaches.
At this point, no one knows if HIPS will do away with the need for the traditional security perimeter or become just one more element of an ever-expanding security arsenal. Is it the answer to so-called zero-day attacks -- those incursions that exploit vulnerabilities not yet known to security professionals? At a practical level, what kind of HIPS tool is best?
"Desktop HIPS is still evolving rapidly," says Natalie Lambert, an analyst at Forrester Research Inc. in Cambridge, Mass. "The ultimate point we are heading toward is to prevent all zero-day attacks. But no vendor is there quite yet."
Catching Fire
A year ago, the hot debate in security was how intrusion-detection systems (IDS) were giving way to the broader concept of intrusion-prevention systems (IPS). At that time, network-based IPS was all the rage, whereas HIPS had an estimated 1% market-penetration rate, according to Gartner Inc. in Stamford, Conn.
But new attack routes into the enterprise -- such as the recent Windows Metafile (WMF) vulnerability -- have forced IT organizations to rethink their tactics. In a recent Forrester survey of 150 enterprise technology decision-makers, 28% of respondents said they plan to purchase desktop HIPS during the course of the year, says Lambert.
Alaska, however, is ahead of the game. It is most of the way through an implementation of Cisco Security Agent (CSA) from Cisco Systems Inc. Along with the 19,000 desktops -- primarily Windows-based ones, with a few Linux and Macintosh systems -- CSA also protects about 2,000 servers across dozens of data centers.
"We needed something to protect our desktops and buy us additional time to deploy patches," says Davis. "Our major selection criterion was that the tool had to be heuristics- not signature-based, so that it would analyze behavior with no need to download signatures."
CSA never needs updating, and Davis reports no trouble at all from recent exploits such as the Zotob worm. Software like CSA watches for behavior that would indicate spyware activity, such as a program opening a file in a temporary folder. It intercepts system calls between applications and the operating system, correlates them, compares the calls against a set of behavioral rules and decides whether to allow the action.
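The behavioral approach described above can be sketched in code: intercepted calls are correlated per process and matched against rules rather than signatures. The following is an added illustration written for this article, not Cisco's CSA code; the temp-folder prefixes, the trusted-installer allowlist, the call names (write, exec, regwrite) and the sample trace are all constructed for the example.

```python
from collections import defaultdict

# Constructed for this illustration: locations treated as "temporary".
TEMP_PREFIXES = ("/tmp/", "c:\\windows\\temp\\", "c:\\users\\public\\temp\\")
# Constructed allowlist of images permitted to touch autorun settings.
TRUSTED_INSTALLERS = {"msiexec.exe", "wuauclt.exe"}

def in_temp(path):
    """True if the path sits in a temporary folder (case-insensitive)."""
    return path is not None and path.lower().startswith(TEMP_PREFIXES)

def rule_temp_drop_and_exec(history, ev):
    """Deny executing a file that the same process wrote into a temp folder."""
    if ev["call"] == "exec" and in_temp(ev["path"]):
        if any(p["call"] == "write" and p["path"] == ev["path"] for p in history):
            return "deny: process executes a file it just dropped in a temp folder"
    return None

def rule_autorun_persist(history, ev):
    """Deny autorun (registry Run key) writes by anything not on the allowlist."""
    if ev["call"] == "regwrite" and "\\currentversion\\run" in ev["path"].lower():
        if ev["image"].lower() not in TRUSTED_INSTALLERS:
            return "deny: untrusted image adds an autorun entry"
    return None

class BehaviourMonitor:
    """Correlates intercepted calls per process and applies rules in order."""
    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(list)   # pid -> earlier calls by that process

    def observe(self, ev):
        hist = self.history[ev["pid"]]
        verdict = "allow"
        for rule in self.rules:
            reason = rule(hist, ev)
            if reason:                       # first matching rule wins
                verdict = reason
                break
        hist.append(ev)                      # keep state for later correlation
        return verdict

# Constructed trace: one process drops and runs a file, two others are benign or trusted.
SAMPLE_TRACE = [
    {"pid": 7, "image": "iexplore.exe", "call": "write",    "path": "C:\\Windows\\Temp\\upd.exe"},
    {"pid": 9, "image": "notepad.exe",  "call": "write",    "path": "C:\\Windows\\Temp\\notes.txt"},
    {"pid": 7, "image": "iexplore.exe", "call": "exec",     "path": "C:\\Windows\\Temp\\upd.exe"},
    {"pid": 9, "image": "notepad.exe",  "call": "regwrite", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"},
    {"pid": 3, "image": "msiexec.exe",  "call": "regwrite", "path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\y"},
]

def run_trace(trace=SAMPLE_TRACE):
    """Return the verdict for every call in the trace, in order."""
    mon = BehaviourMonitor([rule_temp_drop_and_exec, rule_autorun_persist])
    return [mon.observe(ev) for ev in trace]
```

Because the rules key on behavior (what a process did earlier) rather than on file contents, the first and second calls are allowed on their own and only the correlated third call is denied.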
But that is by no means the only way such tools operate. Most include several functions: In addition to host intrusion prevention, they can incorporate adware protection, protection against buffer-overflow attacks, firewalling, various forms of system hardening, malicious mobile-code protection and even signature-based modules.
"HIPS includes a variety of approaches," says Lambert. "Everybody defines it differently."
For example, Stonehill College in Easton, Mass., deploys a tool that combines behavioral analysis with a signature defense. Proventia Desktop from Internet Security Systems Inc. (ISS) in Atlanta is used on about 2,500 seats campuswide, most of which are student laptops -- 95% run Microsoft Windows XP and the rest are Macintoshes.
Stonehill CIO Gary Hammon tried his best with antivirus software and the Windows Update program. But the Wild West of campus computing rendered his efforts useless.
"Some colleges have attempted to dictate to their students, but you really can't control what they put on their laptops," says Hammon.
During the Blaster attack a couple of years ago, student computer infections reached epidemic proportions. IT had to shut off access from residence halls in order to protect the institutional systems. At that time, the college distributed CDs containing removal tools to students. These days, students have to register to get on the network and then download Proventia.
"Problems such as the WMF vulnerability have been a nonissue on campus," says Hammon. "If an infected computer is doing port scans or transmitting worms, we work with the individual or shut it off."
There are some similarities between CSA and Proventia, but the latter also includes regular updates -- primarily for intrusion prevention but sometimes also for virus prevention. Unlike virus signatures, though, they need to be delivered only about once a month. Proventia also includes a firewall, buffer-overflow prevention and application controls.
Start-up Alternatives
But there are more than one or two ways to deliver HIPS. PivX Solutions Inc. in Newport Beach, Calif., is based around a team of security experts who discover potential exploits and devise fixes before anyone even discovers the vulnerability. Like Proventia, it sends updates to users over the Web. This could be characterized as a hybrid form of system hardening.
Another start-up, Trlokom Inc. in Monrovia, Calif., has come out with a variation on traditional behavioral analysis. Instead of constantly scanning and analyzing every system call and application as CSA does, its SpyWall software zeroes in on the primary avenue of attack -- the Web browser.
For example, SpyWall blocked the latest Internet Explorer createTextRange zero-day exploit without using any signatures. It does this by using a sandbox to isolate the browser from the rest of the desktop. Untrusted programs can be safely run in the sandbox, thereby restricting the interaction the browser has with the system. Any damage is contained, analyzed and eradicated.
One user of Trlokom is Chun Yu Works & Co. in Taiwan, a major producer of nuts and bolts that has a large manufacturing facility in Chino, Calif. It is an IBM RS/6000 shop using Windows PCs at the desktop level. Desktop infections were devouring IT staff hours.
"After we put in SpyWall, we didn't get any more infections for six months," says Robert Wong, network administrator. Chun Yu Works' experience suggests that HIPS is the next evolutionary step in network security.
First came enterprise-class antivirus tools and then firewalls, IDS and spyware protection. But with each advance, attackers managed to outwit the defenses. Antivirus and antispyware technology now appear to be morphing into back-line defenses, which are used to mop up employee goofs and safeguard against known threats. HIPS, on the other hand, is a new kind of front-line battlement to block the latest wave of threats.
That's why the likes of Symantec Corp., CA Inc. and Cisco are gobbling up desktop HIPS vendors: Symantec bought ManHunt, ISS acquired BlackICE, Cisco bought Okena, and CA now owns Tiny Software Inc. The next major release of CA Integrated Threat Management will include a firewall and HIPS. McAfee Inc. has put HIPS functionality into a suite that also includes antivirus and antispyware technology.
"In the long run, desktop HIPS will be absorbed by antivirus/spyware into one large client security suite," says Greg Shipley, chief technology officer at Neohapsis Inc., a security consulting firm in Chicago. "You'll have a single agent on the desktop that includes a personal firewall, HIPS, antivirus and spyware protection."
Robb is a Computerworld contributing writer in Los Angeles.