A New Take on Host-Based IPS

TECH ANALYSIS: HIPS technologies should complement existing strategies.

There are numerous techniques for providing host-based intrusion prevention capabilities, but eWEEK Labs believes there are two that will best complement enterprises current strategies: vulnerability inspection and application and process vetting. These technologies can be found in disparate solutions, but both should be seen as extensions of existing projects rather than as security as a means unto itself.

Vulnerability inspection works to shore up the problem of the diminished patch window. Administrators already have a tough time keeping up with new patches for operating systems, applications and even existing security solutions. Limited resources and the need to maintain usage agreements remain reasons that patches arent installed. Add to that an increasing number of zero-day exploits, and the window of opportunity for IT implementers to test and deploy patches to servers and desktops is almost completely disappearing. Indeed, many administrators have quietly given up trying, which is really the worst response possible.

Vulnerability inspection uses the specific details of a vulnerability to find exploit code—reducing the need to worry about dealing with variants of the same exploit. Defenses must be updated periodically as new vulnerabilities are discovered and analyzed, but not with the frequency needed for signature-based exploit detectors. Best of all, vulnerability inspection gives administrators time to acquire, test and deploy patches, which is still the best defense of all (and a practice that should be continued).

Weve seen a number of takes on this type of vulnerability defense. As a stand-alone HIPS (host intrusion prevention system) provider, Determina has been a big proponent of this approach with its VPS (Vulnerability Protection Suite) products. Vulnerability inspection wont be found in run-of-the-mill anti-virus solutions, but companies such as Symantec and Panda Software have added it to their more advanced security suites (usually those with a firewall). McAfee includes vulnerability inspection capabilities not in any of its anti-virus platforms but in its McAfee Host Intrusion Prevention suite.

Other companies, such as Blue Lane Technologies, take this breed of defense off the host, instead putting it in a network gateway device that provides vulnerability-specific blocking for Internet-facing servers.

Application and process vetting

eWEEK Labs has often touted the advantages of a least-privileged-user desktop environment. But we also acknowledge that a least-privileged-user environment is just a step toward improved security, as some malware and applications can operate solely in the user space. Some threats dont need to access restricted parts of the file system or registry to get a toehold on the system, and there are privilege-escalating threats floating around that could be combined with other exploits to access privileged parts of the operating system.

The second type of HIPS technology we advocate aims to fill this breach by controlling the processes and applications that are actually allowed to run on a workstation. Products such as Bit9s Parity 3.5 (see review starting on Page 34) maintain a list of approved applications that are allowed to run, denying all others. Unauthorized applications, installers and malware are effectively neutered because they cannot run without ITs approval.

Last year, we reviewed a pair of products designed to help corporations implement least-privileged-user environments. In our tests, both Winternals Softwares Protection Manager and DesktopStandards PolicyMaker Application Security allowed us to target and run poorly coded applications with the necessary elevated security rights while the user on the whole maintained limited privileges. (Since our review, Microsoft has acquired Winternals and DesktopStandard.)

Bit9s Parity 3.5 is a natural adjunct to these products—in a nutshell, going the other way by denying applications instead of elevating them. But Bit9 would do well to meld the technologies: Instead of focusing on Parity 3.5 as a security solution, Bit9 should target the product as a complete process privilege management solution—one that not only locks out unwanted applications but also provides the flexibility to selectively elevate an applications execution credentials.

In the highly competitive HIPS security market, Parity 3.5 suffers by comparison with other products. Parity 3.5 doesnt clean anything, doesnt plug vulnerabilities and doesnt detect malicious code—basically, it doesnt do anything that traditional security products do.

With a more expanded focus, Bit9—or another player—could be the dominant player in an underserved privilege management market. And this is a market that we expect will grow significantly as Windows Vista introduces a new audience to least-privileged-user accounts through the operating systems integrated User Account Control feature.