The Next Layer of Desktop Security: Host-based Intrusion Prevention Systems
Date published: May 15, 2009
Length: 2,213 words
Executive Summary
Mid-market IT staffs face a serious challenge in today's economy: how to keep Web-based security threats at bay and keep costs down at the same time. The reality is that it requires multiple layers of defensive tools to keep intruders out of your system, something that can be an expensive and time-consuming proposition. In the last few years, however, host-based intrusion-prevention systems (HIPS) have emerged as an increasingly viable option for companies looking for a cost-effective and reliable final layer of defense.
How can you find the right system for your needs? This P-guide walks you through the process.
Introduction
Everyone is feeling the economy's pinch these days, but mid-market IT staffs seem to be in a particularly difficult position. On one hand, they're not immune to the cost-cutting measures rippling through corporate environments. At the same time, however, they still have to contend with the risks posed by viruses, botnets, and other Web-based security threats, all of which show no signs of easing up anytime soon. In short, an already challenging job has only gotten tougher in the last year.
In a perfect world, a single, easy-to-use tool would guarantee 100 percent protection. The new reality, however, is that a firewall or antivirus program alone won't keep intruders out of your system. Today's threats are so complex and pervasive that you need a layered approach that employs multiple lines of defense. With that in mind, it pays to examine the newest generation of HIPS products. Broadly speaking, a HIPS resides on an individual workstation and functions by continually monitoring incoming Web traffic, the operating system, and installed programs for unwanted or malicious behavior and then stopping it before it does any damage. In that sense, it can be a powerful and extremely cost-effective last line of defense, one that can wipe out malware that either slips through the first lines of network defenses or gets manually installed on a PC.
The trouble is that intrusion prevention can be a confusing realm. In addition to HIPS, you have NIPS (network-based intrusion prevention systems), HIDS (host-based intrusion-detection systems), and NIDS (network-based intrusion detection systems). The acronyms alone are enough to make your eyes spin. In addition, the market is rapidly maturing, and more and more vendors are offering HIPS these days, either as standalone items or as part of larger software packages.
How can you sort through the offerings and find the right product? Read on for a closer look at HIPS and what you need to know to make an informed buying decision.
HIPS Fundamentals
The HIPS products on the market these days employ a variety of different approaches. Many are built around policy- or rule-based techniques and work by comparing data packets against a predetermined (and updatable) list of rules. If everything checks out OK, the data is cleared. If not, the HIPS will automatically block and isolate the offending item(s), send an alert to the IT staff, and generate a detailed report. Others use a combination of personal firewalls and antivirus and antispyware tools, and/or rely on such practices as protocol analysis, kernel protection, buffer overflow protection, positive security model enforcement, code-execution monitoring, and the like.
No matter what approach it uses, a HIPS is fundamentally different from a HIDS. While HIPS products largely evolved out of earlier HIDS versions and the products still share some similarities, there's a key distinction between the two. As their names imply, it revolves around the concepts of "prevention" vs. "detection." A HIDS is more akin to a fire alarm: it monitors an individual workstation, performing such tasks as rootkit detection, logfile analysis, and policy checking. When it senses potential malware, it automatically alerts an IT administrator, who then must decide what action to take. By that time, however, it may be too late; the attack could well have infected the entire network.
A HIPS is also different from its network-based cousin, the NIPS. While a HIPS operates at the individual workstation level, a NIPS sits on a network and monitors all incoming traffic. If something suspicious manages to wriggle past the firewall, the NIPS can terminate the network connection, block access to the target, or quarantine the item while allowing other traffic to pass through.
HIPS Advantages
HIPS, HIDS, and NIPS all have unique strengths and can all play significant roles as part of a layered approach. That said, HIPS products have capabilities that make them especially appealing in today's environment. For starters, they are designed to protect systems from intrusions that have broken through the other security layers: the corporate firewall, antivirus/antimalware programs, and even the NIPS. They also guard against non-network-based threats, such as malware that finds an entry point from an infected USB flash drive or a remote user's laptop. At the same time, they can analyze system calls and application behavior within an individual PC, which a network-based product can't reach. That sort of information often provides the first clue that malware or a virus is at work. What's more, some observers feel that intrusion detection and prevention can be more precise on an individual workstation level than on a network. Why? Compared to networks, individual PCs typically have rigorously defined roles, which makes it easier to detect anomalous behavior.
A HIPS can offer some additional advantages. Many systems feature an agent-based setup that allows IT staffs to manage all of a firm's desktops and create, adjust, and oversee security policy for individuals or groups, all from a central management point. They also can help save time and resources during the patching process. Knowing that all of the company PCs are secure decreases the anxiety that many IT administrators feel on Patch Tuesday, not to mention the need to stop all other work so staffers can evaluate and distribute the latest round of patches.
Seven Key Questions
Given the rapid pace of change in HIPS technology and the variety of options at your disposal, it's imperative to make a smart buying decision. Here are seven key questions to ask of potential vendors.
1. Does it provide comprehensive, updatable protection?
Best-in-class HIPS products offer wide-ranging protection against both zero-day attacks and the universe of known exploits. Their vendors also provide consistent updates or new policy releases that address fresh threats.
2. How flexible is it?
Does the product allow you to modify policies, or even create your own, to deal with a unique or newly hatched threat?
3. What specific technique or mix of techniques does it use to stop intrusions?
Does it provide content filtering? Does it allow you to block high-risk devices and control specific application activities? Does it provide real-time event monitoring, so you can instantly view and gauge the severity of attacks as they happen? Does it use signature-based detection techniques and look for typical and established attack patterns? Or does it employ an anomaly- or behavioral-based algorithm that compares traffic against a baseline standard and searches for deviations from that norm? Does it offer a combination of signature- and anomaly-based approaches?
4. Does it offer additional capabilities?
An increasing number of HIPS products also include some combination of antivirus, antispam, and antimalware protection. These can eliminate the need for a separate antivirus/antimalware product.
5. How much administrative oversight and ongoing maintenance will the system require?
You could easily rephrase this question as: Will the increased security provided by the HIPS justify the ROI, both in terms of the cost of the product and the amount of administrative time needed to manage it? Best-in-class HIPS products provide reliably accurate results (i.e., few false negative or positive alerts) and are relatively easy to use. In a similar vein, you should find out about the central management console: is it intuitive and easy to understand, or will the IT staff need extensive training on it? And this: How easy will it be to distribute new updates to individual machines?
6. How easy is it to test the HIPS to ensure that it's capable of hunting down and eliminating the latest malware and viruses?
Given the constantly mutating nature of today's threats, you need a product that will allow you to test quickly and make adjustments if needed.
7. How well will the HIPS integrate with your company's network and existing systems?
Some early HIPS systems were memory hogs that required generous amounts of system resources to work effectively. That's largely changed in the last few years, but it still pays to ask. At the same time, you'll also want to know if the HIPS will work with your existing antivirus/antimalware products. Will you need to upgrade elsewhere to make sure everything works together seamlessly? Will it be able to monitor and protect all of your existing programs and processes?
HIPS Solutions
Here's a look at a handful of HIPS products. While all of them offer robust intrusion prevention capabilities, each has its own unique advantages.
Solution #1: CA Host-Based Intrusion Prevention System (CA HIPS)
CA HIPS combines a remarkable number of features, including an endpoint firewall, intrusion detection and prevention, operating system security, and application control capabilities, in a single package that offers proactive protection against a variety of attacks. It also provides a single-interface, Web-based management console that allows for flexible security management throughout the entire company. IT administrators can use it to determine how applications can communicate, set access rights and policies for groups or individual users, and log all key events. The product also has a feature dubbed the Learning Mode, which lets users supervise a group of systems to settle on what constitutes acceptable behavior.
By doing so, it allows administrators to determine the proper mix of security policies and find a balance between policies that are overly restrictive and those that are too lax.
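To make the signature-versus-anomaly distinction from question 3 and the Learning Mode idea above concrete, here is an added illustration (not code from CA or any other product on this page) of a toy host policy engine: signature rules block known-bad actions outright, a baseline learned from observed host events flags anything new, and a strict/lax switch decides whether anomalies are blocked (prevention) or merely alerted on (detection). The process names, rule, and event log are constructed for the example.

```python
from collections import defaultdict

# Constructed host events for the example: (process, action, target).
LEARNING_EVENTS = [
    ("winword.exe", "file_read", r"C:\Users\alice\Documents\plan.docx"),
    ("winword.exe", "file_write", r"C:\Users\alice\Documents\memo.docx"),
    ("outlook.exe", "net_connect", "mail.example.com:443"),
    ("chrome.exe", "net_connect", "www.example.com:443"),
]

# Hypothetical signature rules: (process or "*", action, target prefix).
SIGNATURES = [
    ("*", "file_write", r"C:\Windows\System32"),  # application control: user apps never rewrite system files
]

def profile(event):
    """Generalise one event into the baseline key used for anomaly comparison."""
    process, action, target = event
    if action.startswith("file_"):
        target_class = target.rsplit("\\", 1)[0]   # directory only, not the individual file name
    elif action == "net_connect":
        target_class = target.rsplit(":", 1)[-1]   # destination port only, not the host
    else:
        target_class = target
    return process, (action, target_class)

class HostPolicyEngine:
    def __init__(self, signatures, strict=False):
        self.signatures = signatures
        self.strict = strict                  # strict: block anomalies; lax: alert only (HIDS-style)
        self.baseline = defaultdict(set)      # process -> set of (action, target_class)

    def learn(self, events):
        """Learning Mode: record what each process normally does on a supervised host."""
        for event in events:
            process, key = profile(event)
            self.baseline[process].add(key)

    def evaluate(self, event):
        """Return (verdict, reason); signatures win, then the learned baseline decides."""
        process, action, target = event
        for sig_process, sig_action, sig_prefix in self.signatures:
            if (sig_process in ("*", process) and sig_action == action
                    and target.lower().startswith(sig_prefix.lower())):
                return "block", f"signature: {sig_action} under {sig_prefix}"
        process, key = profile(event)
        if key in self.baseline.get(process, set()):
            return "allow", "matches learned baseline"
        verdict = "block" if self.strict else "alert"
        return verdict, f"anomaly: {process} never did {key[0]} on {key[1]} in learning mode"
```

Running the same novel event through a strict and a lax engine shows the trade-off the Learning Mode is meant to tune: the strict engine stops it, the lax one only raises an alert for an administrator to judge.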
Solution #2: McAfee Host Intrusion Prevention
McAfee's Host Intrusion Prevention is a HIPS package that combines automatically updated signature-based antivirus and antispyware protection with behavioral-based algorithms. It also features a stateful packet firewall that analyzes the contents of data packets and monitors the state of network connections, along with customizable application controls. Like the CA product, it has a Web-based management console that allows for at-a-glance overviews of individual workstations and provides a range of details on attacks, including the type, source, severity, and the like. One particularly useful feature is the product's quarantine mode, which blocks remote users who fail security checks from accessing the network.
Solution #3: eEye Digital Security Blink
eEye Digital Security Blink is a multilayered endpoint protection product that features an integrated mix of spyware and malware prevention technology, buffer overflow protection, and a stateful firewall. The product has high levels of flexibility: users can generate customized protection rules or modify existing ones, configure firewall settings, and perform local vulnerability assessment scans, which seek out potential security problems. It also has detailed reporting functions, providing the ability to log individual events and then take needed actions such as blocking specific IP addresses, locking out USB devices, or even creating new rules as needed.
Solution #4: Symantec Multi-tier Protection
Symantec's Multi-tier Protection is a comprehensive HIPS product that integrates antivirus, antispyware, firewall, intrusion prevention, and device and application control technologies into a single package. The software works on the Windows, Apple, and Linux platforms, and can protect workstation PCs, laptops, and different types of mobile devices against such threats as worms, Trojan horses, zero-day attacks, and buffer overflows. It also leverages the power of the Symantec Global Intelligence Network, a 24/7 service that collects data on security breaches and threats from a system of operations centers and more than 40,000 sensors around the world. The network provides automated, real-time updates to the Multi-tier Protection product, helping ensure that it's armed against the latest threats.
Solution #5: Third Brigade Deep Security
Like the other products mentioned here, Third Brigade's Deep Security melds multiple capabilities, including intrusion detection and prevention, application controls, a firewall, and more. It also offers signature- and anomaly-based detection, along with deep packet inspection, a network packet filtering technique that examines both the data and headers of incoming and outgoing packets (as opposed to shallow packet inspection, which provides less detailed information), looking for protocol deviations. According to the company, the product works with Windows, Linux, and Unix systems; off-the-shelf software; and Web applications. It also features automatic updating capabilities and can be rapidly deployed without impact on host performance.
Conclusion
In today's environment, there is no single answer or magic bullet that can offer 100 percent protection against the constantly evolving range of threats. That said, HIPS products have evolved into remarkably powerful and flexible tools, offering the sort of all-in-one capabilities that can make life easier for IT administrators and offer significant protection as a part of a layered security program.
For more information on HIPS solutions, contact Productive Corporation:
We Can Help You
Deployment Questions
Licensing and Technical Support
help@productivecorp.com
800.726.4099
About Productive Corporation
Productive Corporation is a specialized software reseller that helps small and medium businesses across North America with software initiatives in security, storage, and infrastructure. We provide subject matter expertise, access to technical support, and relevant content for IT staff in the mid-market.
About the Author
Chris Mikko is a Twin Cities-based writer and editor who specializes in technology topics.