A Different Approach To PC Immune Systems
March 29, 2005
By Brian Livingston

I wrote in this space last week that Sana Security, a software firm, had released Primary Response 3.0. This is the first version of the company's "host-based intrusion prevention system" (HIPS) that installs on desktop PCs as well as corporate servers. Version 3.0 observes the activity taking place on a PC and attempts to shut down Trojan horses and "root kits" that may have infected a machine.

The security program, which works in addition to and not as a replacement for an antivirus program, acts as an immune system that looks for unusual behaviors. For example, company officials say, a hidden process that executes from the Windows directory is very likely to be up to no good and should be terminated.

This isn't the only approach that's currently being used to add immune-system functionality to PC networks, however. In fact, the field of HIPS is getting a mite crowded. Your company may well benefit from one product much more than another, depending on your needs.

From The Network To The Protocol

One vendor that's well-regarded for its offerings is eEye Digital Security. Its HIPS product, known as Blink, was just upgraded last month to version 2.0.

In a telephone interview, eEye COO Firas Raouf explained the evolution of the company's protection strategy:

Protecting the network layer. Blink 1.0 was designed to provide defenses against hacker attacks -- without relying on signatures from old threats -- at the network level. "We did that by hooking into the NDIS [Network Driver Interface Specification] and TDI [Transport Driver Interface] layers, below the process layer or application layer," Raouf says. "You need to intercept the attack before it gets up to the application."

Defending the protocol layer. Even if hackers can't get through the corporate network layer, however, their handiwork can still get inside a company. That's because an end user may bring an infected laptop into the building or click "OK" at a Web site that silently plants a Trojan horse on a PC. "In Blink 2.0, we decided to tackle spyware and phishing," Raouf says. "Blink 1.0 already protected against these things by denying that [malicious] application from connecting through the Internet. Blink 2.0 prevents that application from installing in the first place."

Testing for vulnerabilities. eEye also recommends that, in addition to running a HIPS program such as Blink 2.0, corporations check their networks for weaknesses using vulnerability-assessment tools, such as eEye's Retina scanner.

A Question Of Choosing The Best Approach

eEye's methodology to protect a company's electronic assets is different from that of Sana Security and other vendors in the competitive space, such as Cisco Systems. Blink, for example, monitors Windows APIs (application programming interfaces) rather than intercepting system calls to learn which behaviors are considered appropriate.

"CSA [Cisco Security Agent] uses only the process layer," Raouf asserts. "And so does Sana."

In response, Jeff Platon, vice president of market management for Cisco, says his company's product is a "converged agent" that includes both a behavior-blocking program and a personal firewall. "There is no difference in architecture" between what Cisco does and what eEye does, Platon states. "CSA does work at both the file system layer and the network layer."

Tim Eades, senior vice president of marketing for Sana, says, "The complexity of malware has just begun. You have to have a model of what is known bad and a way to know what is new that is bad."

Taking issue with eEye's approach, Eades replies: "I don't believe you can do that through packet inspection and protocol analysis as the only means of detection. You have to have a behavioral heuristics model that can detect and prevent malicious code from executing."

Threats Are Evolving And So Are The White Hats

With hacker attacks growing stronger by the day, information technology executives need the best tools they can get to keep their corporate data assets secure. Products in the intrusion-prevention category promise to help you with this job, but at this point it's a difficult task just to determine which application best fits your particular network.

In a white paper by eEye co-founder Marc Maiffret on "Understanding Kernel Level Host-Based Intrusion Protection," the company makes a case for its method of stopping "zero-day threats," attacks that have never been seen before. The company contrasts "static behavior protection," using rules that recognize bad behavior, with "learning-mode behavior protection":

Static behavior protection. "If one analyzes a majority of the attacks that plague networked systems today, one will find common characteristics that comprise nearly 90% of the known vulnerabilities," the company says. "Some of the common terms for these attack classes include buffer overflows, format string attacks, directory traversal attacks, and parser logic bugs." Defending against all possible exploits of these types provides good protection beyond signature-based products, in the company's view. For example, no legitimate program uses a buffer overflow to communicate with another program (with the exception of vulnerability-assessment tools that are used to test a network's defenses).

Learning-mode behavior protection. Security programs that attempt to "learn" the appropriate behaviors for a network or a PC are intellectually attractive. "Tuning" these programs to permit legitimate behaviors that may only seem unusual, however, can require a large amount of staff time, eEye notes. "Because of the significant time investment, personnel resource commitment, and intrusive nature of these systems, behavioral-based systems are best utilized for securing critical servers and not for protecting all the host-based assets across an entire enterprise," the company's white paper states.
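To make the contrast between the two strategies concrete, here is a toy host-based model, added as an example for this column and not code from eEye, Sana, Cisco or anyone else. It encodes the static rules the white paper names (buffer overflows, format string attacks, directory traversal) plus the "hidden process executing from the Windows directory" heuristic mentioned earlier, and beside them a learning-mode baseline that records which actions each process performs and then flags deviations. The event shape, process names, paths and regular expressions are all constructed assumptions; a real HIPS obtains such events by hooking the operating system, as the vendors describe, rather than from a list of dictionaries.

```python
"""Toy HIPS model (added example): static attack-class rules beside a learning-mode baseline.

Every event below is constructed sample data. A real product would hook the OS
(NDIS/TDI, Windows APIs or system calls, as the vendors in the column describe).
"""
import re
from collections import defaultdict

# ---- Static behavior protection: one fixed rule per attack class ----
# Constructed patterns; production checks are far richer than these.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")            # ".." path component
FORMAT_SPEC = re.compile(r"%[-+0#]*\d*\$?(?:hh|h|l|ll)?[nxXsp]")  # %n, %x, %s, %p in untrusted text
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.IGNORECASE)  # hypothetical install root


def static_rules(event):
    """Return the names of the static rules an event trips; [] means it looks benign."""
    hits = []
    action = event["action"]
    # A receive longer than the destination buffer: no legitimate program does this.
    if action == "recv" and event["length"] > event["buf_size"]:
        hits.append("buffer-overflow")
    # Format specifiers arriving inside data that will be handed to a printf-style call.
    if action == "log_input" and FORMAT_SPEC.search(event["data"]):
        hits.append("format-string")
    # A file path that climbs out of its directory.
    if action == "open_file" and TRAVERSAL.search(event["path"]):
        hits.append("directory-traversal")
    # The Sana heuristic quoted in the column: hidden process running from the Windows directory.
    if action == "exec" and event.get("hidden") and WINDOWS_DIR.match(event["path"]):
        hits.append("hidden-exec-from-windows-dir")
    return hits


# ---- Learning-mode behavior protection: baseline first, enforce afterwards ----
class LearningMode:
    """Records (process -> actions seen) while learning, flags unseen pairs when enforcing."""

    def __init__(self):
        self.baseline = defaultdict(set)
        self.enforcing = False
        self.tuned = set()  # (process, action) pairs an administrator has allowlisted

    def observe(self, event):
        """Learning: record the pair and return False. Enforcing: True if the pair is a deviation."""
        process, action = event["process"], event["action"]
        if not self.enforcing:
            self.baseline[process].add(action)
            return False
        known = action in self.baseline.get(process, set())
        return not known and (process, action) not in self.tuned

    def tune(self, process, action):
        """The staff-time cost the white paper warns about: each false positive needs a tuning entry."""
        self.tuned.add((process, action))


# Constructed learning-phase traffic: what the machine does on a normal day.
TRAINING = [
    {"process": "ftpd.exe", "action": "recv", "buf_size": 256, "length": 80},
    {"process": "logger.exe", "action": "log_input", "data": "user alice logged in"},
    {"process": "backup.exe", "action": "open_file", "path": r"D:\data\db.bak"},
]

# Constructed test events, labelled for the results table.
TEST = [
    ("overflow", {"process": "ftpd.exe", "action": "recv", "buf_size": 256, "length": 1024}),
    ("fmtstr", {"process": "logger.exe", "action": "log_input", "data": "%n%n%08x"}),
    ("traversal", {"process": "backup.exe", "action": "open_file", "path": r"..\..\Windows\win.ini"}),
    ("hidden", {"process": "svc.exe", "action": "exec", "path": r"C:\Windows\Temp\svc.exe", "hidden": True}),
    ("novel", {"process": "ftpd.exe", "action": "exec", "path": r"C:\Windows\System32\cmd.exe", "hidden": False}),
    ("legit-new", {"process": "backup.exe", "action": "recv", "buf_size": 4096, "length": 100}),
]


def build_model():
    """Train the learning-mode baseline on TRAINING, then switch it to enforcement."""
    model = LearningMode()
    for event in TRAINING:
        model.observe(event)
    model.enforcing = True
    return model


def evaluate(model, events):
    """Run both detectors; returns {label: (static rule hits, learning-mode flag)}."""
    return {label: (static_rules(ev), model.observe(ev)) for label, ev in events}


if __name__ == "__main__":
    m = build_model()
    for label, verdict in evaluate(m, TEST).items():
        print(f"{label:10s} static={verdict[0]!s:32s} learning={verdict[1]}")
    m.tune("backup.exe", "recv")  # administrator accepts the legitimate new behavior
    print("after tuning, legit-new ->", m.observe(TEST[5][1]))
```

Running it shows the trade-off the white paper describes: the four events that match a known attack class are caught by the static rules without any training, while the learning-mode baseline, which already saw those processes perform those actions, stays silent on them. Conversely, the learning mode alone flags `ftpd.exe` launching a shell, a behavior no static rule covers, but it also flags `backup.exe` receiving network data, a harmless change that an administrator must then tune away by hand.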

If your company isn't evaluating intrusion prevention systems, and your network assets are exposed to the Internet, you should start a pilot project as soon as possible. For more information, see the product pages on Blink 2.0, Cisco Security Agent 4.0, and Primary Response 3.0.

Brian Livingston is the editor of and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.
