In-Depth

CA Unveils Host-Based Intrusion Prevention System

As cyberfelons continue to attack simple host-based firewalls, antivirus, and antispam measures, IT needs to be increasingly attentive to its endpoint defenses.

At the RSA Conference this week, Computer Associates announced an addition to its security packages called Host-Based Intrusion Prevention System (HIPS). The software combines firewall, intrusion detection, and host policy management into a single centrally-managed package that should provide enterprises with better threat defense and better compliance monitoring.

The criminals who threaten the corporation’s electronic data jewels are increasingly sophisticated. Many are better financed and very patient, offering bounties for workable exploits and even recruiting talented programmers like colleges recruit star athletes.

With hardened enterprise-perimeter defenses, the cyberfelons are targeting the typically less-protected endpoints, aiming at basic lapses (such as weak passwords), outright flaws (such as OS or application holes) or social-engineering entries via phishing e-mails or booby-trapped Web sites.

The obvious endpoint response, firewalls plus antivirus and antispam software, is a responsible one, but blended threats and zero-day exploits bore through the defenses of signature-based checkers. That is part of CA HIPS’ role: augmenting the defense provided by antivirus and antispam software by adding firewall functionality and proactively suppressing breaches, such as keyboard loggers or rootkits, that leak through other defenses.

In addition to the firewall role, HIPS is a policy enforcer dictating what programs and devices can be used on a host. Working in conjunction with Microsoft Active Directory or an LDAP central directory, HIPS can restrict which programs are executed on the system by user or by time-of-day and can stop rogue and unauthorized programs from running. Similar user, time-of-day, and per-application restrictions can apply to host devices, including the physically exploitable DVD/CD media or USB thumb drives.
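To make the policy-enforcer role concrete, here is an added illustration of how per-user, per-program, per-device and time-of-day execution rules can be evaluated on a host. It is example code written for this article, not CA’s software; the rule shape, the "dir/*" prefix convention, the device class names, and the sample policy are all assumptions. Unmatched requests are denied, which is the least-privilege default that stops unauthorized programs and devices.

```python
"""Host execution-policy evaluator (illustrative, not CA HIPS code)."""
import posixpath
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional


def _norm(resource: str) -> str:
    # Collapse "." / ".." segments and fold case so a path such as
    # C:/Windows/System32/../evil.exe cannot borrow System32's allow rule.
    return posixpath.normpath(resource.replace("\\", "/")).lower()


@dataclass(frozen=True)
class Rule:
    subject: str                  # user name, or "*" for any user
    resource: str                 # program path, "dir/*" prefix, or a device class (assumed names)
    action: str                   # "allow" or "deny"
    start: Optional[time] = None  # time-of-day window; both None means all day
    end: Optional[time] = None

    def matches(self, user: str, resource: str, when: datetime) -> bool:
        if self.subject not in ("*", user):
            return False
        pattern, target = _norm(self.resource), _norm(resource)
        if pattern.endswith("/*"):
            if not target.startswith(pattern[:-1]):
                return False
        elif pattern != target:
            return False
        if self.start is None or self.end is None:
            return True
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # window that crosses midnight


def evaluate(policy: List[Rule], user: str, resource: str, when: datetime) -> str:
    """First matching rule wins; anything unmatched is denied by default."""
    for rule in policy:
        if rule.matches(user, resource, when):
            return rule.action
    return "deny"


# Constructed sample policy: specific rules first, broad rules last.
POLICY = [
    Rule("alice", "C:/Tools/netscan.exe", "allow", time(8, 0), time(18, 0)),
    Rule("backup_svc", "usb_storage", "allow", time(22, 0), time(2, 0)),
    Rule("*", "usb_storage", "deny"),
    Rule("*", "C:/Windows/System32/*", "allow"),
]

if __name__ == "__main__":
    day = datetime(2007, 2, 6, 10, 0)
    night = datetime(2007, 2, 6, 23, 30)
    print(evaluate(POLICY, "alice", "C:/Tools/netscan.exe", day))    # allow
    print(evaluate(POLICY, "bob", "C:/Tools/netscan.exe", day))      # deny
    print(evaluate(POLICY, "backup_svc", "usb_storage", night))      # allow
    print(evaluate(POLICY, "bob", "C:/Windows/System32/../x.exe", day))  # deny
```

Rule order matters because the first match wins, so the narrow allow for the backup service must precede the blanket USB deny. Path normalization is the check most home-grown allowlists forget: without it a prefix rule on a trusted directory is trivially bypassed with a ".." segment.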

The product gives administrators finer granularity than Active Directory’s Group Policy Objects or the usual access-list controls. Additionally, customers get a comprehensive set of policy templates and sub-templates, and its learning mode can turn observed settings into exportable templates.

HIPS takes a serious stab at IDS/event log reporting and consolidation by grouping related events together, such as hopping or sequential port scans from the same host, and by techniques such as stream compression. The consolidated events can be useful in both forensic and judicial proceedings but may not be sufficiently detailed for deep security post-mortems on a compromised system.
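The consolidation idea, folding a burst of port probes from one host into a single scan record, is shown below in added example code that is not CA’s and was not part of the original article. The log line format and the sample events are constructed for the example; the 5-second gap and 5-port threshold are assumed tuning values. The example also makes the article’s caveat visible: the scan record keeps counts, the port range and first/last timestamps, but the per-probe detail is gone once the raw events are dropped.

```python
"""Consolidate IDS/firewall events: bursts of probes -> one scan record."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: <iso-timestamp> src=<ip> dst=<ip> dport=<n> action=<word>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse(lines):
    """Turn raw log lines into event dicts, sorted by time; non-events are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]), "src": d["src"],
            "dst": d["dst"], "dport": int(d["dport"]), "action": d["action"],
        })
    return sorted(events, key=lambda e: e["ts"])


def consolidate(events, gap=timedelta(seconds=5), min_ports=5):
    """Group events per (src, dst) while they arrive within `gap` of each other.
    A run touching at least `min_ports` distinct ports becomes one scan record;
    shorter runs are passed through as individual events."""
    out = []
    runs = defaultdict(list)

    def flush(key):
        run = runs.pop(key, [])
        if not run:
            return
        ports = sorted({e["dport"] for e in run})
        if len(ports) >= min_ports:
            out.append({
                "type": "port_scan", "src": key[0], "dst": key[1],
                "first": run[0]["ts"], "last": run[-1]["ts"],
                "events": len(run), "ports": len(ports),
                "port_range": (ports[0], ports[-1]),
                # sequential scan: every port between min and max was hit
                "sequential": ports == list(range(ports[0], ports[-1] + 1)),
            })
        else:
            out.extend(dict(e, type="event") for e in run)

    for e in events:
        key = (e["src"], e["dst"])
        if runs[key] and e["ts"] - runs[key][-1]["ts"] > gap:
            flush(key)               # silence longer than `gap` ends the run
        runs[key].append(e)
    for key in list(runs):
        flush(key)
    out.sort(key=lambda r: r["first"] if r["type"] == "port_scan" else r["ts"])
    return out


# Constructed sample log: one sequential scan of ports 20-29, one unrelated
# blocked connection, and a two-port burst that is too small to consolidate.
SAMPLE_LOG = [
    f"2007-02-06T10:00:{i:02d} src=10.0.0.99 dst=10.0.1.5 dport={20 + i} action=blocked"
    for i in range(10)
] + [
    "2007-02-06T10:00:03 src=10.0.0.7 dst=10.0.1.5 dport=445 action=blocked",
    "2007-02-06T10:02:00 src=10.0.0.99 dst=10.0.1.5 dport=80 action=blocked",
    "2007-02-06T10:02:01 src=10.0.0.99 dst=10.0.1.5 dport=443 action=blocked",
    "this line is not an event and is skipped",
]

if __name__ == "__main__":
    for record in consolidate(parse(SAMPLE_LOG)):
        print(record)
```

Running it yields four records instead of thirteen raw lines: one scan summary and three pass-through events. For a post-mortem the analyst would want the original thirteen lines retained somewhere, which is exactly the detail the consolidated view trades away.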

The system is not without limitations, however.

Not Without Limitations

Some of HIPS’ limitations stem from that IDS/event logging. A single HIPS controller can sustain 15,000 endpoint clients. However, the number of systems and the volume of event traffic, particularly if an endpoint generates more than 50 events per minute, will affect performance and may require multiple HIPS controllers.

Therein lies the rub: the current product doesn’t seamlessly push policies or reporting across multiple controllers. You can manually copy and import both policies and events, which works far better for policies than for coping with event-log tsunamis.

As for maturity, HIPS is almost past the “version 1.0” point. Given its origins in CA’s acquisition of Tiny Software for its heuristic firewall and access control work, there is substantial hardening in the IDS/IPS roles. CA admits there are some current limitations: Windows-only clients, 15K clients per controller, and no consolidation of policy pushing or reporting across multiple controllers. These will be fixed with time, and CA plans a release cycle of every 12 months.

The “retail” tag is $40 per seat, and corporations should expect the typical CA volume pricing. But HIPS is only partial protection; most corporations will still require antivirus and antispam for the same endpoints.

Jon Oltsik, senior analyst at Enterprise Strategy Group, sees the product filling an obvious and evolving need. “It’s a broad step-up from just basic firewall and fits well for the enterprises that need to enforce policies and centralize their management controls.” Oltsik thinks the product’s sweet spot is “the large enterprise, anyone who faces compliance challenges, such as government agencies, financial companies, health industries, and those facing regulations like Sarbanes-Oxley.”

For the mid-size business implementing HIPS, CA recommends bringing in an expert to handle the architecture. Expect a pilot project running in a week and another week or so to push the software out, then tweaking over the next couple of weeks. Large corporations will do the usual shake-and-bake in test labs, pilot deployments, and change management, but HIPS deploys like any other major asset rollout.

CA is neither the first nor the last player in the endpoint policy game. Security vendors such as Sophos have recently announced similar products that complement established lines of antivirus and antispam protection. When reducing the number of vendors or consolidating central management tools makes sense, your current AV vendor usually gets the first invitation to the bidding table. Another 800-pound company, Microsoft, will be pushing Forefront later this year.

Although HIPS can play nice with other endpoint security solutions, the single-source logic makes the product (and its pricing) more sensible for those already invested in CA’s other security management products and using eTrust Security Command Center. It makes even more sense if you are married to Unicenter as a central asset/management console.

Given how security threats continue their evolution, cyberfelons will continue attacking simple host-based firewalls, antivirus, and antispam measures. Adding some proactive protection and program lockdown to the endpoint defense mix with products like HIPS is a wise choice.