New HIPS Technology Takes on Zero-Day Attacks
February 1, 2006
By Drew Robb
First came enterprise-class anti-virus (AV) tools, then desktop firewalls and anti-spyware protection. With each technical advance, however, would-be attackers changed their tactics – or morphed the latest virus or Trojan just enough for it to sail past the defenses.
It’s reached the point where AV and spyware just don’t seem able to cope with the newest threats.
The latest problem is the zero-day attack, an exploit that takes advantage of a software vulnerability unknown to security professionals. Because the bug is unknown, no virus or spyware signature updates have yet been issued to thwart the malware, so it penetrates deep into the enterprise, causing damage for days, if not weeks, before a fix is available.
And that’s where desktop host-based intrusion prevention systems (HIPS) come to the fore.
“HIPS includes a variety of approaches, such as behavior-based systems that sit on the desktop and defend against zero-day attacks,” says Natalie Lambert, an analyst at Forrester Research Inc. of Cambridge, Mass. “It watches for behavior that would indicate the activity of spyware, such as a program opening up something in a temp folder.”
According to a new Forrester survey of 150 enterprise technology decision makers, HIPS is now firmly on many companies’ radar screens. Lambert reports that 28 percent of respondents plan to purchase desktop HIPS this year. With a mid-2005 estimate by Stamford, Conn.-based Gartner Inc. placing market penetration around 1 percent, it’s clear HIPS is picking up speed.
HomeBanc Mortgage Corp. of Atlanta is a retail mortgage company focusing on the Southeast. It selected San Mateo, Calif.-based Sana Security Inc.'s Primary Response for HIPS-level protection against worms, spyware, Trojans, keyloggers and other threats.
“Threats to today’s Internet-connected business are more complex and challenging than ever,” said Michael Ciarochi, senior security engineer at HomeBanc. “Companies need to be armed with proactive solutions to mitigate new attacks.”
But while HIPS certainly seems to have an inside track on the proactive angle, there is a debate going on as to its precise definition.
Some think it is really just a conventional network-based IPS that you regularly update with virus-like signatures of the latest attacks. Others get into advanced firewall techniques. A few vendors focus on hardening the system so attacks can’t make an incursion into the application core or Windows registry. Another camp applies a variety of system scanning techniques to detect and isolate suspicious behavior.
“There are multiple approaches to HIPS and they all have their own pros and cons,” says Greg Shipley, chief technology officer of security consulting firm Neohapsis, Inc., which is based in Chicago. “As the technology has yet to fully mature, there is not a current right way to do it.”
Shipley says he suspects the HIPS market will follow a similar course to that taken by the Intrusion Detection System (IDS) market a few years ago. Back around 2000 to 2001, there was a lot of debate about the best way to accomplish IDS and which technology would come out on top.
Internet Security Systems Inc. (ISS) of Atlanta had a signature-based product known as RealSecure, whereas tools such as ManHunt (now owned by Symantec Corp. of Cupertino, Calif.) and BlackICE (now part of ISS) were based more on protocol anomalies. So who won? Today, most successful IDS products have integrated the two models. ISS RealSecure, for example, uses both protocol anomaly and signature-based detection engines. Other vendors offer similar solutions that combine several technology elements into what is now considered standard IDS.
No such standard, however, has materialized in the HIPS arena.
“I do not believe there is an industry standard for desktop HIPS,” says Gartner analyst John Girard. “There just isn’t one definition for comprehensive desktop HIPS.”
HIPS Elements
What elements comprise HIPS today?
The basic goal is to block inappropriate system activity. According to Pete Lind, an analyst with security consultancy Spire Security LLC of Malvern, Penn., there are a number of techniques that can be simplified as follows:
Allow predefined/known good activity and block everything else;
Deny predefined/known bad activity and allow everything else, and
Block system activity that is anomalous.
The most common activities being monitored are program executions, file system activity, registry reads/writes, and network operations.
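The three policy models Lind lists behave very differently on the same events. The following toy HIPS policy engine, written for this article and not taken from any vendor named here, runs constructed sample events (file writes, a process launch from a temp folder, a registry autorun entry) through an allow list, a deny list and a learned per-process baseline so the trade-offs are visible side by side. Process names, paths and rule sets are all invented for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str     # "exec", "file" or "registry"
    process: str  # image name of the process performing the action
    target: str   # file path or registry key

def _matches(event, rules):
    """A rule is (kind, process, target_prefix); process '*' matches anything."""
    return any(event.kind == k and p in ("*", event.process)
               and event.target.lower().startswith(t.lower()) for k, p, t in rules)

def allow_list_decision(event, known_good):
    """Model 1: allow predefined/known-good activity, block everything else."""
    return "allow" if _matches(event, known_good) else "block"

def deny_list_decision(event, known_bad):
    """Model 2: block predefined/known-bad activity, allow everything else."""
    return "block" if _matches(event, known_bad) else "allow"

def _bucket(event):
    """Coarsen the target (parent directory, or registry hive plus top-level key)
    so a learned baseline generalises beyond the exact names seen in training."""
    parts = event.target.lower().split("\\")
    return "\\".join(parts[:2]) if event.kind == "registry" else "\\".join(parts[:-1])

class AnomalyDetector:
    """Model 3: learn what each process normally does; block anything unseen."""
    def __init__(self, training_events):
        self.baseline = {(e.process, e.kind, _bucket(e)) for e in training_events}
    def decide(self, event):
        seen = (event.process, event.kind, _bucket(event)) in self.baseline
        return "allow" if seen else "block"

# Constructed sample data: ordinary word-processor activity (baseline and allow
# list), a deny list that only covers execution from a temp folder, and two
# events of the kind the article's analysts describe.
NORMAL = [Event("file", "winword.exe", r"C:\Users\alice\Documents\report.docx")]
SUSPECT = [Event("exec", "winword.exe", r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
           Event("registry", "svc.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc")]
KNOWN_GOOD = [("file", "winword.exe", r"C:\Users\alice\Documents")]
KNOWN_BAD = [("exec", "*", r"C:\Users\alice\AppData\Local\Temp")]
DETECTOR = AnomalyDetector(NORMAL)

def evaluate(event):
    """Run one event through all three models side by side."""
    return {"allow_list": allow_list_decision(event, KNOWN_GOOD),
            "deny_list": deny_list_decision(event, KNOWN_BAD),
            "anomaly": DETECTOR.decide(event)}
```

The deny list misses the registry autorun write because nobody wrote a rule for it, while the allow list and the baseline also block a harmless save to an unseen folder; that gap between missed attacks and false positives is the maintenance overhead the vendors quoted below are arguing about.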
Shipley says other key elements of HIPS are system hardening, system-call interception technology, memory firewalling, endpoint firewalls and signature-based IPS.
Basically, HIPS takes a variety of routes to achieving the same end – preventing impact from an unknown threat.
When you view HIPS from the vendor perspective, expect a wide divergence in opinion about which method to implement.
Cisco Systems Inc. of San Jose, Calif. assimilated promising HIPS startup Okena into what is now the Cisco Secure Agent (CSA). Cisco avoids the cumbersome signature-based approach. Instead, it makes use of a range of techniques, including protection against buffer overflow attacks, firewall capabilities and application inventorying. In particular, Cisco intercepts system calls and applies behavioral analysis to locate likely culprits.
“I know organizations that now have thousands of desktop nodes running CSA,” says Shipley. “This technology is great at stopping a wide range of attacks and buying organizations additional time to patch, but there can be a real configuration and maintenance overhead associated with this protection method.”
Like Cisco, Sana’s Primary Response also avoids IPS signatures. It advocates its own brand of behavioral analysis, along with system hardening and protection against memory-based attacks.
System hardening, for instance, acts as a safeguard against some attacks, particularly those based on privilege escalation. Shipley reports, however, that hardening alone may not be enough to combat many mainstream remote buffer overflow attacks. Similarly, memory firewalling – a term coined by Determina Inc. of Redwood City, Calif. – is good at stopping some zero-day attacks, but not others. According to Shipley, it can also create a performance hit and only prevents certain classes of attacks.
The HIPS picture has been further muddied by a couple of upstarts, both firmly opposed to what they term the outmoded IPS signature model: Trlokom Inc. of Monrovia, Calif., and PivX Solutions, Inc. of Newport Beach, Calif.
Trlokom appears to be positioning itself against Cisco. Instead of constantly scanning and analyzing every system call and every single application, it lightens the overhead load and simplifies the threat perimeter by focusing only on the avenue of attack. About 80 percent of current attacks come in via the Web browser, so this startup has designed a sandbox to isolate the browser from the rest of the desktop.
PivX, meanwhile, operates differently.
Instead of having a large team of people who constantly analyze the latest attacks to develop the latest signatures for viruses and spyware, PivX points its team in the direction of locating potential exploits and devising fixes before anyone even discovers the vulnerability. This could be regarded as a hybrid form of system hardening.
Vendor Frenzy
Over the past two years, there has been a vendor frenzy to develop or acquire HIPS technology. The big security vendors are starting to roll out HIPS point solutions, as well as all-encompassing security suites with an added HIPS element.
McAfee Inc. of Santa Clara, Calif., has put HIPS functionality in with its AV and anti-spyware solutions, in what is a combo of the behavioral and signature methodologies. And Symantec is just one of the companies expected to come out with HIPS-inclusive security packages in the coming months.
Analysts say it’s too early to tell what technology will prevail in this sector.
“Desktop HIPS is very immature, still evolving rapidly and so we haven’t come up with an acceptable definition as yet,” says Forrester’s Lambert. “The ultimate point we are heading toward is to prevent all zero-day attacks. No vendor is there quite yet.”