New Armor to Thwart Hacks

Security providers prep tools that guard applications and processes running in memory.

A small cadre of vendors is set to release a new class of host-based security technologies that protect applications and processes running in memory.

While many enterprises are still adjusting to the concept of signatureless defenses such as intrusion prevention systems, Determina Inc., a startup founded by a group of security-industry veterans, and Immunix Inc., a top Linux security provider, are rolling out solutions designed to lock down server memory space and allow only explicitly permitted operations among applications and processes.

This tack represents a shift from the decades-old approach of detecting and stopping attacks in progress using signatures or pattern-recognition algorithms. Customers and security experts say the new tools signal a new direction for the industry at large.

Determina's SecureCore, due this week, comprises a central management console and agents planted on servers throughout the network. Once installed, the agents act as a firewall around the servers' memory, preventing attackers from hijacking applications and using them for malicious purposes.

"Attacks break the fundamental rules of the architecture. The line between good and bad behavior is very clear," said Nand Mulchandi, president and CEO of Determina, of Redwood City, Calif. "The CPU doesn't enforce the rules, but we can."

SecureCore agents can protect Microsoft Corp.'s Windows services, IIS (Internet Information Services) Web servers, Exchange servers and SQL Server. The company plans to offer a version for Linux later this year.

"We've had tremendous success with it. It's done almost everything we were looking for," said Mike Kamens, global network and security manager at Thermo Electron Corp., of Waltham, Mass., which has had SecureCore installed for several months. "We put a box with the agent on it outside the firewall to see what happened, and it hasn't been penetrated. And [the agent] caught Sasser in the wild."



In the Linux world, Immunix's Application Firewalling Suite works by containing applications and limiting the actions they are permitted to take. The tool leverages Immunix's proprietary SubDomain access control technology, which uses privilege confinement to prevent attackers from using malicious programs on the protected server or even using trusted applications in unintended ways.

The SubDomain technology allows enterprises to set up mail and Web servers on the same machine without worrying that an attacker who compromised one would get control of the other.

Immunix officials said that despite the solution's focus on security, the developers also had to ensure that the Application Firewalling Suite worked with legacy applications and security systems.

"The worst kind of security is the stuff that's never used because it's too hard," said Crispin Cowan, chief technology officer and co-founder of Immunix, in Portland, Ore. "All intrusions come from bad software or bad configurations. This lets you get access and do what you're supposed to do, but nothing else."

Security specialists who have used SecureCore say the product eliminates a lot of doubt and anxiety from their jobs.



