New HIPS Technology Takes on Zero-Day Attacks

First came enterprise-class anti-virus (AV) tools, then desktop firewalls and anti-spyware protection. With each technical advance, however, would-be attackers changed their tactics -- or morphed the latest virus or Trojan just enough for it to sail past the defenses.

It's reached the point where AV and anti-spyware tools just don't seem able to cope with the newest threats.

The latest problem is the zero-day attack: an exploit for a software vulnerability that is not yet known to the vendor or to security professionals. Because the bug is unknown, no virus or spyware signature updates have been issued to stop the malware that exploits it, so it penetrates deep into the enterprise and causes damage for days, if not weeks, before a fix is available.

And that's where desktop host-based intrusion prevention systems (HIPS) come to the fore.

''HIPS includes a variety of approaches, such as behavior-based systems that sit on the desktop and defend against zero-day attacks,'' says Natalie Lambert, an analyst at Forrester Research Inc. of Cambridge, Mass. ''It watches for behavior that would indicate the activity of spyware, such as a program opening up something in a temp folder.''

According to a new Forrester survey of 150 enterprise technology decision makers, HIPS is now firmly on many companies' radar screens. Lambert reports that 28 percent of respondents plan to purchase desktop HIPS this year. With a mid-2005 estimate by Stamford, Conn.-based Gartner Inc. placing market penetration around 1 percent, it's clear HIPS is picking up speed.

HomeBanc Mortgage Corp. of Atlanta is a retail mortgage company focusing on the Southeast. It selected San Mateo, Calif.-based Sana Security Inc.'s Primary Response for HIPS-level protection against worms, spyware, Trojans, keyloggers and other threats.

''Threats to today's Internet-connected business are more complex and challenging than ever,'' said Michael Ciarochi, senior security engineer at HomeBanc. ''Companies need to be armed with proactive solutions to mitigate new attacks.''

But while HIPS certainly seems to have an inside track on the proactive angle, there is a debate going on as to its precise definition.

Some think it is really just a signature-based IPS engine of the kind used on the network, moved onto the host and regularly updated with virus-like signatures for the latest attacks. Others get into advanced firewall techniques. A few vendors focus on hardening the system so attacks cannot reach the application core or the Windows registry. Another camp uses a variety of system-scanning techniques to detect and isolate suspicious behavior.

''There are multiple approaches to HIPS and they all have their own pros and cons,'' says Greg Shipley, chief technology officer of security consulting firm Neohapsis, Inc., which is based in Chicago. ''As the technology has yet to fully mature, there is not a current right way to do it.''

Shipley says he suspects the HIPS market will follow a course similar to the one taken by the intrusion detection system (IDS) market a few years ago. Back around 2000 to 2001, there was a lot of debate about the best way to accomplish IDS and which technology would come out on top.

Internet Security Systems Inc. (ISS) of Atlanta had a signature-based product known as RealSecure, whereas tools such as ManHunt (now owned by Symantec Corp. of Cupertino, Calif.) and BlackICE (now part of ISS) were based more on protocol anomalies. So who won? Today, most successful IDS products have integrated the two models. ISS RealSecure, for example, uses both protocol-anomaly and signature-based detection engines. Other vendors offer similar solutions that combine several technology elements into what is now considered standard IDS.

No such standard, however, has materialized in the HIPS arena.

''I do not believe there is an industry standard for desktop HIPS,'' says Gartner analyst John Girard. ''There just isn't one definition for comprehensive desktop HIPS.''

HIPS Elements

What elements comprise HIPS today?

The basic goal is to block inappropriate system activity. According to Pete Lind, an analyst with security consultancy Spire Security LLC of Malvern, Penn., there are a number of techniques that can be simplified as follows:

  • Allow predefined/known good activity and block everything else;
  • Deny predefined/known bad activity and allow everything else, and
  • Block system activity that is anomalous.

The most common activities being monitored are program executions, file system activity, registry reads/writes, and network operations.
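As an added illustration (not code from any product named in this article), the following Python sketch runs the three policy models above over a constructed stream of the four monitored event types: process execution, file-system writes, registry writes and network connections. The event format, rule syntax, the coarse "target class" buckets used by the anomaly baseline, and the sample events are all assumptions made for the example.

```python
"""Toy HIPS policy engine: the three decision models from the article,
run over one constructed stream of host events.  Added example only; not
code from any vendor on the page.  Event fields, rule syntax, the
baseline buckets and the sample events are assumptions of the example."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    process: str   # image path of the acting process
    kind: str      # "exec", "file_write", "reg_write" or "net_connect"
    target: str    # child image, file path, registry key or host:port


def norm(s: str) -> str:
    """Case-fold and use '/' so Windows paths and keys match simple globs."""
    return s.replace("\\", "/").lower()


def matches(rule, ev: Event) -> bool:
    """A rule is (kind, process glob, target glob); globs are case-insensitive."""
    kind, proc_glob, target_glob = rule
    return (ev.kind == kind
            and fnmatchcase(norm(ev.process), norm(proc_glob))
            and fnmatchcase(norm(ev.target), norm(target_glob)))


def default_deny(ev: Event, allow_rules) -> str:
    """Model 1: allow predefined known-good activity, block everything else."""
    return "ALLOW" if any(matches(r, ev) for r in allow_rules) else "BLOCK"


def default_allow(ev: Event, deny_rules) -> str:
    """Model 2: deny predefined known-bad activity, allow everything else."""
    return "BLOCK" if any(matches(r, ev) for r in deny_rules) else "ALLOW"


def target_class(ev: Event) -> str:
    """Coarse bucket for the anomaly baseline (an assumption of this example):
    destination port for network, hive plus three key components for the
    registry, parent directory for files and child images."""
    t = norm(ev.target)
    if ev.kind == "net_connect":
        return "port:" + t.rsplit(":", 1)[-1]
    if ev.kind == "reg_write":
        return "/".join(t.split("/")[:4])
    return t.rsplit("/", 1)[0]


class AnomalyModel:
    """Model 3: learn (kind, target class) pairs per process during a
    training window, then block anything outside that baseline, including
    every action of a process never seen during training."""

    def __init__(self):
        self.baseline = {}

    def train(self, ev: Event) -> None:
        key = (ev.kind, target_class(ev))
        self.baseline.setdefault(norm(ev.process), set()).add(key)

    def decide(self, ev: Event) -> str:
        seen = self.baseline.get(norm(ev.process), set())
        return "ALLOW" if (ev.kind, target_class(ev)) in seen else "BLOCK"


WORD = r"C:\Program Files\Microsoft Office\winword.exe"

# Model 1 policy: the only things Word is permitted to do.
ALLOW_RULES = [
    ("file_write", WORD, r"C:\Users\*\Documents\*"),
    ("reg_write", WORD, r"HKCU\Software\Microsoft\Office\*"),
]
# Model 2 policy: known-bad patterns, e.g. Lambert's "program opening up
# something in a temp folder" and a write to the Run key for persistence.
DENY_RULES = [
    ("exec", "*", r"*\Temp\*"),
    ("reg_write", "*", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\*"),
]
# Model 3 baseline: constructed "normal" Word activity seen while learning.
TRAINING = [
    Event(WORD, "file_write", r"C:\Users\bob\Documents\budget.docx"),
    Event(WORD, "reg_write", r"HKCU\Software\Microsoft\Office\16.0\Word\Options"),
    Event(WORD, "net_connect", "officecdn.example.net:443"),
]
# Constructed stream to judge: a benign save, three things a macro dropper
# might do, then a benign but never-profiled program.
STREAM = [
    Event(WORD, "file_write", r"C:\Users\bob\Documents\report.docx"),
    Event(WORD, "exec", r"C:\Users\bob\AppData\Local\Temp\svc.exe"),
    Event(WORD, "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event(WORD, "net_connect", "203.0.113.5:443"),
    Event(r"C:\Windows\notepad.exe", "file_write", r"C:\Users\bob\Documents\notes.txt"),
]


def verdicts(stream=STREAM):
    """Return (kind, allow-list, deny-list, anomaly) verdicts per event."""
    model = AnomalyModel()
    for ev in TRAINING:
        model.train(ev)
    return [(ev.kind, default_deny(ev, ALLOW_RULES),
             default_allow(ev, DENY_RULES), model.decide(ev)) for ev in stream]


if __name__ == "__main__":
    for kind, m1, m2, m3 in verdicts():
        print(f"{kind:12} allow-list={m1:5} deny-list={m2:5} anomaly={m3}")
```

Run it and the fourth event shows where the models part company: the allow-list blocks Word's outbound connection because no rule permits it, while the deny-list and the learned baseline let it through because nothing bad-looking was ever written for port 443. The fifth event shows the other side of that trade: a benign program that was never profiled or allow-listed is blocked by both the allow-list and the baseline, which is the tuning burden that default-deny and anomaly models carry in practice.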

Shipley says other key elements of HIPS are system hardening, system-call interception technology, memory firewalling, endpoint firewalls and signature-based IPS systems.

Basically, HIPS takes a variety of routes to achieving the same end -- preventing impact from an unknown threat.

When you view HIPS from the vendor perspective, expect a wide divergence in opinion about which method to implement.

Cisco Systems Inc. of San Jose, Calif., assimilated promising HIPS startup Okena into what is now the Cisco Security Agent (CSA). Cisco avoids the cumbersome signature-based approach. Instead, it makes use of a range of techniques, including protection against buffer overflow attacks, firewall capabilities and application inventorying. In particular, Cisco intercepts system calls and applies behavioral analysis to spot likely culprits.

''I know organizations that now have thousands of desktop nodes running CSA,'' says Shipley. ''This technology is great at stopping a wide range of attacks and buying organizations additional time to patch, but there can be a real configuration and maintenance overhead associated with this protection method.''

Like Cisco, Sana's Primary Response also avoids IPS signatures. It advocates its own brand of behavioral analysis, along with system hardening and protection against memory-based attacks.

System hardening, for instance, acts as a safeguard against some attacks, particularly those based on privilege escalation. Shipley reports, however, that hardening alone may not be enough to combat many mainstream remote buffer overflow attacks. Similarly, memory firewalling -- a term coined by Determina Inc. of Redwood City, Calif. -- is good at stopping some zero-day attacks, but not others. According to Shipley, it can also create a performance hit and only prevents certain classes of attacks.

The ability to view the HIPS universe with clarity has been further obscured by a couple of upstarts that are also firmly opposed to what they term the outmoded IPS signature model -- Trlokom Inc. of Monrovia, Calif., and PivX Solutions, Inc. of Newport Beach, Calif.

Trlokom appears to be positioning itself against Cisco. Instead of constantly scanning and analyzing every system call in every application, it lightens the overhead and shrinks the threat perimeter by focusing only on the avenue of attack. About 80 percent of current attacks come in via the Web browser, so this startup has designed a sandbox that isolates the browser from the rest of the desktop.

PivX, meanwhile, operates differently.

Instead of having a large team of people constantly analyzing the latest attacks to develop the latest virus and spyware signatures, PivX points its team at locating potential exploits and devising fixes before the vulnerability becomes public. This could be regarded as a hybrid form of system hardening.

Vendor Frenzy

Over the past two years, there has been a vendor frenzy to develop or acquire HIPS technology. The big security vendors are starting to roll out HIPS point solutions, as well as all-encompassing security suites with an added HIPS element.

McAfee Inc. of Santa Clara, Calif., has folded HIPS functionality into its AV and anti-spyware products, in a combination of the behavioral and signature methodologies. And Symantec is just one of the companies expected to come out with HIPS-inclusive security packages in the coming months.

Analysts say it's too early to tell what technology will prevail in this sector.

''Desktop HIPS is very immature, still evolving rapidly and so we haven't come up with an acceptable definition as yet,'' says Forrester's Lambert. ''The ultimate point we are heading toward is to prevent all zero-day attacks. No vendor is there quite yet.''
