Sana Uses Medical Concept for Application Security Platform

Sana's Primary Response security platform acts like the human immune system in how it recognizes and blocks attacks.

The IT security industry has looked to medicine for metaphors and ways of thinking about network protection. Sana Security Inc., a San Mateo, Calif., startup, is extending that relationship with the introduction of its Primary Response application security platform.

The software, unveiled last week, observes application/operating system interactions and learns the code paths that each application uses during normal operations. The system develops a profile of each application's behavior and blocks anything that falls outside that profile.

As a result, the system produces a remarkably low number of false positives—as few as two or three per month in some customer environments.

The concept was taken from the human immune system's ability to recognize potential infections and begin defending against them before they reach their targets. The software is the brainchild of Steven Hofmeyr, Sana's founder and chief scientist, who developed the idea during research for his doctoral thesis.

Although the concept is similar to several other systems on the market, there is one key difference, Hofmeyr said: Sana does not rely on a human to define acceptable behavior for each application. "[Other vendors] assume there's some human out there with sufficient knowledge to recognize the attacks and know what to do," he said. "We've assumed the human won't understand."

Primary Response relies on a server/agent architecture and is meant mainly for servers handling Web, FTP and Domain Name System traffic, but it can also protect custom applications.


Key features of Primary Response:
  • Learns code paths used by each application
  • Develops a profile of acceptable behavior
  • Recognizes and blocks unusual activity on protected servers

"It can be applied to any application that has predictable behavior," Hofmeyr said. "We can take one of several different actions during an attack. We can either block all file actions or prevent certain unusual operations or just block the execution of the file."

Once an attack is detected and blocked, the system functions much like other security applications. It sends an e-mail alert to the administrator and logs the event in a central management console. The system includes a set of analytics to help identify trends and dig deeper into each event.
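The learn-then-block approach described above, as an added sketch that is not Sana's code: it records every short run of consecutive application/operating system events seen during normal operation and stops a request at the first event that completes an unseen run. The event names, the window length of 3 and the traces are constructed assumptions; the article does not say how Primary Response represents code paths.

```python
from collections import deque

WINDOW = 3  # assumed window length; the article gives no parameters


def windows(trace, n=WINDOW):
    """Return every run of n consecutive events in a trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class BehaviorProfile:
    """Set of event windows observed while the application behaved normally."""

    def __init__(self, n=WINDOW):
        self.n = n
        self.normal = set()

    def learn(self, trace):
        self.normal.update(windows(trace, self.n))

    def check(self, trace):
        """Offline review: list (position, window) pairs outside the profile."""
        return [(i, w) for i, w in enumerate(windows(trace, self.n))
                if w not in self.normal]

    def enforce(self, trace):
        """Inline blocking: return (events allowed, blocked event or None)."""
        allowed, recent = [], deque(maxlen=self.n)
        for event in trace:
            recent.append(event)
            if len(recent) == self.n and tuple(recent) not in self.normal:
                return allowed, event  # stop before the unusual operation runs
            allowed.append(event)
        return allowed, None


# Constructed traces for a hypothetical file-serving process.
NORMAL_TRACES = [
    ["accept", "recv", "open", "read", "send", "close"],
    ["accept", "recv", "stat", "send", "close"],
    ["accept", "recv", "open", "read", "read", "send", "close"],
]
SUSPECT = ["accept", "recv", "open", "write", "exec", "close"]

PROFILE = BehaviorProfile()
for t in NORMAL_TRACES:
    PROFILE.learn(t)

if __name__ == "__main__":
    print("anomalous windows:", PROFILE.check(SUSPECT))
    print("enforce:", PROFILE.enforce(SUSPECT))
```

A legitimate request whose event runs never appeared in the learning data is blocked the same way, so the false-positive rate depends on how completely the learning period covers normal operation.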

Primary Response is due to ship in the middle of next month on Windows and Solaris; Linux and AIX versions are in the works. One server license costs $6,500; each agent is priced at $1,750.