Security Vendors Defend Themselves Against Blink
Which intrusion prevention system truly is the best? Executive Tech columnist Brian Livingston lets competing IPS vendors have their say.
That's the situation in a nutshell after eEye Digital Security recently released a controversial comparison chart. The table asserts that eEye's Blink 1.0 intrusion-prevention software (IPS) has numerous capabilities not found in Cisco Security Agent, McAfee Entercept, Sygate Secure Enterprise, ISS RealSecure, and four other IPS products.
Charting A Rocky Course
I wrote up eEye's claims about Blink 1.0 in this space last week. The new software suite, which was released in July, is partly based on eEye's respected Retina vulnerability scanner, which debuted in 2000. But the new Blink bundle adds application- and system-level firewalls, plus additional software that the company claims will prevent hacker intrusions "based on the characteristics of an attack, rather than the specific signature."
eEye's comparison chart, posted on Blink's product page, has inspired some of its competitors to launch a few attacks of their own.
"Blink's representation of what Entercept does is inaccurate and outdated," charges Zimal Solanki, McAfee's director of product marketing for IPS products.
Besides strongly disagreeing with the eEye chart, McAfee spokespeople say their security software has many features that eEye left out of the comparison entirely. According to Patrick Bedwell, Entercept's product marketing manager, these include the following:
• Levels of Protection. "We include a number of defined signatures in our product that eEye doesn't," Bedwell maintains. "For some of the well-defined attacks, you really need to have those signatures in place."
• Scalability. McAfee's products have been well-tested in the line of fire in large enterprises, Bedwell says. "We currently have about 30 million desktops worldwide being monitored by ePO," the company's ePolicy Orchestrator security management tool, he indicates.
• Manageability. McAfee's software has evolved to respect the policies that exist within enterprises of various sizes, Bedwell says. He contrasted that with the new Blink 1.0, saying, "Their management console requires administrative privileges, which low-level admins don't always have."
Securing the Enterprise, Computer By Computer
Spokespeople for Sygate Technologies, the makers of Sygate Secure Enterprise (SSE) were even more adamant that their product had been misrepresented and is, if anything, more capable than Blink.
"All of the functionality they say we don't offer on that list, we actually do," flatly states Maritza Perez, product manager for SSE.
Bill Scull, SVP of Sygate, added his own list of features that he said his company's products offered that didn't make it into eEye's comparison:
• Enforcement. "You might say, Here's a list of things I want to be 'on' before this machine can connect to my network," Scull says. "You might want to make sure IM [instant messaging] is off, that peer-to-peer networking is off, and that there are other applications that are on." Corporate policy might require that an antivirus program be running and up-to-date on a roaming worker's laptop, for example, before it's allowed to access the home network.
• Adaptive Policy. "You might want a different policy when you're connecting wirelessly from Starbucks than when you're inside the corporate firewall," Scull points out.
• Performance And Monitoring Across The Enterprise. Sygate's largest customer has 250,000 devices under central management, according to Scull. "When you need to scale to a quarter-million end points, there are a lot of things you need to do." Sygate recently has announced deals ensuring interoperability in multi-vendor environments, a benefit for corporations with mixed networks.
• Automatic Remediation. When devices are found to be out of compliance with one security requirement or another, Scull says, Sygate's products are equipped to update many of them. "The purpose is to make sure the computer is up-to-date before it connects to the network," Scull says. Remediation is an entire category eEye left out of its comparison chart, he notes.
Finding Oneself in the eEye of a Storm
In a follow-up interview, eEye COO Firas Raouf acknowledged that Blink 1.0 doesn't itself handle end-point updating.
"If a machine does not meet that level of security," Raouf says, Blink can "lock down that machine even further, or it can notify the Retina Remediation Manager," which is a separate product. "Over time, those two products will converge into a single agent," he said, adding that some corporations prefer to use their own update-management software.
Thor Larholm, senior security researcher for PivX Security Solutions, a competitor to eEye that wasn't mentioned in the comparison chart, feels Blink brings to the industry fairly few new technologies. The capability that does intrigue Larholm, after reading eEye's white papers on the subject, is the claim that Blink can prevent process-based buffer overflows, a vulnerability that's popular with hackers who seek to plant rogue programs on PCs.
"That's the only one from our point of view that's at all interesting," Larholm says. "But that's also the one that we have the least technical information about. All of the other capabilities we see in other products."
PivX's own product, Qwik-Fix Pro, which was released on Aug. 16, "eliminates specific vulnerabilities" in Windows, says director of forensic services Jason Coombs. "Any attack that targets the vulnerability will fail before it can take root."
eEye has a well-deserved reputation for the benefits of Retina and the firm's other products and services. In a hot IPS market that's rapidly growing in size and importance, it's understandable that security providers have their elbows out to defend their reputations and customer bases.
Which IPS system truly is the best? That call will have to await independent testing — which is just now getting underway, considering that some of these products have been available only for weeks, not months. Until then, my advice is, "Don't believe everything you read on the Internet."