Desktop defenses
- 15 August, 2006 16:48
Patching is supposed to secure your organization from the latest batch of malicious code. But try telling that to the state of Alaska's IT department. Staffers were working diligently to stay up-to-date on patching, despite the sheer size of the territory they serve and the limited bandwidth available in remote areas. But what if no patches existed?
"We were expending a huge amount of effort cleaning up the infections in our machines," says Darrel Davis, chief security officer for the state. "Some exploits were out there yet no patches were available."
To address those problems, Davis, like a growing number of IT security managers, deployed host-based intrusion-prevention system (HIPS) software on 19,000 desktops scattered throughout the state. This relatively immature technology brings the concept of defense right to the desktop. Its definition hasn't been settled upon, however, and several vendors advocate very different approaches.
At this point, no one knows if HIPS will do away with the need for the traditional security perimeter or become just one more element of an ever-expanding security arsenal. Is it the answer to so-called zero-day attacks -- those incursions that exploit vulnerabilities not yet known to security professionals? At a practical level, what kind of HIPS tool is best?
"Desktop HIPS is still evolving rapidly," says Natalie Lambert, an analyst at Forrester Research. "The ultimate point we are heading toward is to prevent all zero-day attacks. But no vendor is there quite yet."
Catching fire
A year ago, the hot debate in security was how intrusion-detection systems (IDS) were giving way to the broader concept of intrusion-prevention systems (IPS). At that time, network-based IPS was all the rage, whereas HIPS had an estimated 1 percent market-penetration rate, according to Gartner Inc. in Stamford, Conn.
But new attack routes into the enterprise -- such as the recent Windows Metafile (WMF) vulnerability -- have forced IT organizations to rethink their tactics. In a recent Forrester survey of 150 enterprise technology decision-makers, 28 percent of respondents said they plan to purchase desktop HIPS during the course of the year, says Lambert.
Alaska, however, is ahead of the game. It is most of the way through an implementation of Cisco Security Agent (CSA) from Cisco Systems. Along with the 19,000 desktops -- primarily Windows-based ones, with a few Linux and Macintosh systems -- CSA also protects about 2,000 servers across dozens of data centers.
"We needed something to protect our desktops and buy us additional time to deploy patches," says Davis. "Our major selection criterion was that the tool had to be heuristics-based, not signature-based, so that it would analyze behavior with no need to download signatures."
CSA never needs updating, and Davis reports no trouble at all from recent exploits such as the Zotob worm. Software like CSA watches for behavior that would indicate spyware activity, such as a program opening a file in a temporary folder. It intercepts system calls between applications and the operating system, correlates them, compares the calls against a set of behavioral rules and decides whether to allow the action.
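The paragraph above describes the core loop of a behavioral HIPS: intercept a call, correlate it with what the same process has already done, compare the result against rules, and return an allow/deny verdict. The following is an added example, not code from the article or from Cisco Security Agent, showing that loop as a toy rule engine over a constructed trace of system-call events. The directory paths, trusted-image list, event format and both rules are assumptions chosen for illustration; the point is that the second rule only fires because of state remembered from an earlier call, which is exactly what a signature on the dropped file could not give you.

```python
"""Toy behavioral rule engine in the style the article describes (added example,
not the product's code). It keeps per-process history and decides each call."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed policy values; a real product would load these from configuration.
TEMP_DIRS = ("C:\\Users\\alice\\AppData\\Local\\Temp\\", "/tmp/")
SYSTEM_DIRS = ("C:\\Windows\\System32\\", "/usr/bin/")
TRUSTED_SYSTEM_WRITERS = {"C:\\Windows\\System32\\wuauclt.exe"}  # assumed trusted updater


@dataclass
class Event:
    """One intercepted call between an application and the operating system."""
    pid: int
    image: str   # executable that issued the call
    call: str    # "open", "write" or "exec"
    target: str  # file path acted on


@dataclass
class ProcState:
    """What the engine remembers about a process across calls."""
    temp_writes: Set[str] = field(default_factory=set)


class BehaviorEngine:
    """Correlates per-process call history and applies behavioral rules."""

    def __init__(self) -> None:
        self.procs: Dict[int, ProcState] = {}
        self.log: List[Tuple[int, str, str, str, str]] = []

    def decide(self, ev: Event) -> str:
        st = self.procs.setdefault(ev.pid, ProcState())
        verdict, reason = "allow", "no rule matched"

        # Rule 1 (correlated): a process executing a file that it wrote into a
        # temp folder earlier. Neither call is suspicious on its own.
        if ev.call == "exec" and ev.target in st.temp_writes:
            verdict, reason = "deny", "exec of self-written temp file"
        # Rule 2 (single event): an image outside the trusted set modifying a
        # system directory.
        elif (ev.call == "write"
              and ev.target.startswith(SYSTEM_DIRS)
              and ev.image not in TRUSTED_SYSTEM_WRITERS):
            verdict, reason = "deny", "untrusted write to system directory"

        # Record state only for calls that were allowed: a denied write never
        # produced a file, so it must not feed later correlation.
        if verdict == "allow" and ev.call == "write" and ev.target.startswith(TEMP_DIRS):
            st.temp_writes.add(ev.target)

        self.log.append((ev.pid, ev.image, ev.call, ev.target, f"{verdict}: {reason}"))
        return verdict


# Constructed sample trace: a browser drops and runs a file from Temp, an
# installer writes its log and then tries to touch System32, the trusted
# updater writes to System32, and the installer launches a normal program.
SAMPLE_EVENTS = [
    Event(100, "C:\\Program Files\\browser.exe", "write",
          "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),
    Event(100, "C:\\Program Files\\browser.exe", "exec",
          "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),
    Event(200, "C:\\Users\\alice\\Downloads\\installer.exe", "write",
          "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.log"),
    Event(200, "C:\\Users\\alice\\Downloads\\installer.exe", "write",
          "C:\\Windows\\System32\\helper.dll"),
    Event(300, "C:\\Windows\\System32\\wuauclt.exe", "write",
          "C:\\Windows\\System32\\patch.dll"),
    Event(200, "C:\\Users\\alice\\Downloads\\installer.exe", "exec",
          "C:\\Program Files\\app.exe"),
]


def run(events: List[Event]) -> List[str]:
    """Feed a trace through a fresh engine and return the verdict per event."""
    engine = BehaviorEngine()
    return [engine.decide(e) for e in events]


def verdicts_for_sample() -> List[str]:
    return run(SAMPLE_EVENTS)


if __name__ == "__main__":
    engine = BehaviorEngine()
    for e in SAMPLE_EVENTS:
        engine.decide(e)
    for entry in engine.log:
        print(entry)
```

Note the ordering choice: the engine updates its memory of a process only after a call has been allowed. If it recorded denied writes too, a later exec of a file that never actually landed on disk would be judged on events that did not happen, which is the kind of mistake that produces the false positives the article's "relatively immature" comment is about.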
But that is by no means the only way such tools operate. Most include several functions: In addition to host intrusion prevention, they can incorporate adware protection, protection against buffer-overflow attacks, firewalling, various forms of system hardening, malicious mobile-code protection and even signature-based modules.
"HIPS includes a variety of approaches," says Lambert. "Everybody defines it differently."
For example, Stonehill College in Massachusetts, U.S., deploys a tool that combines behavioral analysis with a signature defense. Proventia Desktop from Internet Security Systems (ISS) in Atlanta, U.S. is used on about 2,500 seats campuswide, most of which are student laptops -- 95 percent run Microsoft Windows XP and the rest are Macintoshes.
Stonehill CIO Gary Hammon tried his best with antivirus software and the Windows Update program. But the Wild West of campus computing rendered his efforts useless.