Transcript of "Host Intrusion Prevention, HIPS, Application WhiteListing,"
An Ogren Group Special Report
Puts HIPS in the
While significant enterprise security resources are devoted to prevention of malicious code
infections, malware continues to frustrate security teams. Traditional anti-virus approaches
have proven to be ineffective against modern attacks, and organizations that have tried host
intrusion prevention find that technology is not an effective part of the endpoint security
solution. Application whitelisting monitors endpoints in real time to ensure that only authorized
programs can run, and that those programs have not been modified by malware. Application
whitelisting applied as the foundation of an endpoint security program gives security teams
complete visibility and control of executing applications.
Security organizations find that application whitelisting software provides the answer to the
shortcomings of traditional anti-virus endpoint security. Since malware often secretly modifies
a program to run attack code, the ability to block execution of applications that fall out of
compliance is an essential capability in protecting endpoints against threats that evade
detection by traditional anti-virus products. Application whitelisting builds a foundation for
Protects against new advanced persistent threats. Modern attacks are custom designed
to avoid detection by anti-virus scanners while pilfering regulated data. Application
whitelisting protects against advanced persistent threats by assuring that only compliant
applications are allowed to run.
Automates real-time visibility of actual application usage. IT and security teams can
monitor exactly what applications users and groups of users are executing. This
intelligence provides valuable feedback in adjusting security policy to best serve the
business, prioritizing application support efforts, and identifying drift from expected
Incorporates proprietary and third party applications into security policy. Large
organizations may have thousands of custom and outsourced applications that cannot be
protected by anti-virus signatures. Application whitelisting controls both custom and off-
the-shelf business applications to deliver enterprise-wide endpoint.
Drives endpoint security policy throughout enterprise endpoints to reduce risk to the
business. Risk based management allows security teams to automate block or audit
decisions when non-compliant applications are requested. Application whitelisting
improves on customer experiences with host intrusion prevention administration to offer
dynamic endpoint protection that scales to enterprise levels without introducing a heavy
This special report, commissioned by Bit9, reinforces the use of application whitelisting as the
key foundational layer that security teams require to close the security gap left by anti-virus
software, and as the security technology that promises to make behavioral host intrusion
prevention obsolete in enterprise deployments. Information in this report derives from Ogren
Group research and interviews with enterprise security officers of global organizations.
Classical anti-virus leaves the business vulnerable
Enterprise security teams rely on traditional anti-virus technologies as the main line of defense
to protect the business against malware infestations that steal regulated data or corrupt the
technical infrastructure. Even after including protection layers such as classical attack
signature pattern matching, sender and URL reputation, emulation of active Java script code,
and behavioral heuristics, traditional endpoint security remains dependent on an attack
recognition orientation. The problem is that attacks are proliferating far faster than attack-
centric security vendors’ ability to create and distribute anti-virus signature and behavioral
It is surprising to many security teams that a complete reliance on classical anti-virus leaves
the business vulnerable to malware. The best anti-virus products are less than 70% effective at
detecting and blocking dynamic malware, according to AV-Comparatives.
Source: AV-Comparatives Proactive/retrospective test
Detection of new viruses by antivirus programs is less than 70% successful
This means that the very best endpoint anti-virus products tested will miss at least 3 out of 10
new attacks, and the Ogren Group believes the detection rate to be less for modern dynamic
attacks when there is no signature, or pattern, to match. The attack-centric vendors have to
analyze reported attacks, develop and test protection logic, and then distribute endpoint
security updates in a timely fashion to all users. The result is that detection performance of
traditional anti-virus software only improves marginally in the week following the outbreak, as
shown by Cisco research in Exhibit 2.
Detection rate is still less than 70% a week after a new virus is identified1
Malicious code authors deploy tricks to avoid detection by anti-virus scanners, not to disable
computers but to acquire valuable data. Whether the attacks are drive-by download infections
caught while visiting infected web sites, malicious code embedded in downloads of free
application software, or deep botnets that execute remote attack code, these attacks thwart the
best anti-virus approaches, which helps explain why there were approximately 2.9 million new
threats discovered in 20092
Anti-virus software, a threat-oriented approach based on signatures, reputation, and heuristics
needs to be balanced with a positive approach that helps security teams define compliant
configurations and gives IT flexibility in enforcing security policy. For a short time, enterprises
turned to host intrusion prevention, HIPS, products to plug the security gaps left by anti-virus.
However, after the broad failure of HIPS, enterprises are finding success completing endpoint
security with application whitelisting.
The dramatic failure of host intrusion prevention
The chronic problem of anti-virus technology in detecting and blocking attacks spawned host
intrusion prevention, an endpoint security technology formed to prevent damage from attacks
for which there was no anti-virus signature. The premise of HIPS is that it would complement
attack-oriented anti-virus inspection with authorized activity-oriented monitoring of operations
affecting files, network utilization and operating system configuration. The positive approach
promised to detect malicious code before damage could be inflicted on the endpoint, and before
the attack could spread throughout the network.
Symantec Internet Security Threat Report, April 2010
Host intrusion prevention never fulfilled its promise of providing endpoint security that can
scale to enterprise levels as excessive administration and support costs doomed HIPS projects.
Enterprise IT found that they could lock down endpoint configurations for reasonable security at
high administration costs or they could deploy weakened HIPS security rules at reasonable
administration costs, but they could not achieve reasonable security at reasonable
HIPS shifted the burden of maintaining endpoint security from the security vendor to
enterprise IT. Security teams had to describe authorized activity of applications and
endpoints and encode the definitions of acceptable behavior as HIPS rules. Thus, IT had
to modify, retest and distribute rule sets whenever a software patch, software upgrade
or new application or was added to an endpoint. Customer experiences with HIPS
showed that maintenance of rule sets required significant ongoing efforts of very skilled
False positives blocked users from getting their jobs done and drove operating costs to
unacceptable levels. HIPS treated every violation of a rule as a possible attack that
required execution to be blocked – a false identification of a security incident. False
positives caused legitimate user activity to be blocked, increased the volume of calls to
the IT service desk, and consumed security resources in maintaining HIPS rule sets that
would not generate invasive false positives to users.
Security teams had to weaken security enforcement to gain user acceptance and reduce
overhead costs. Customers reported to the Ogren Group that security rule sets had to be
loosened to reduce the operating overhead to acceptable levels, even to the extent that
HIPS was no longer providing acceptable security to the endpoint. HIPS, configured to
keep reasonable operating costs across a wide variety of endpoint configurations, did
not offer acceptable enhancements to endpoint security.
Enterprise security teams are moving away from host intrusion prevention and behavioral
approaches as a complement to anti-virus for endpoint security as HIPS cannot provide
acceptable levels of security at acceptable operating costs. In fact, HIPS could never achieve the
optimal balance between effective malware detection rates, endpoint processor overhead, false
positive generation, and administrative overhead – the four key attributes of endpoint security.
As HIPS provides less value to security teams, IT and security vendors are de-committing from
host intrusion prevention. Large IT efforts, such as a corporate evolution to Windows 7, have led
many IT organizations to turn to application whitelisting as an additional layer to endpoint
Forming the foundation with application whitelisting
Application whitelisting complements traditional anti-virus for the best endpoint defense,
fulfilling the customer demand for protection against malicious attacks that AV cannot detect
and HIPS cannot practically prevent. Application whitelisting only allows IT-authorized
programs to run, and ensures that malicious files do not attempt to execute and programs have
not been inappropriately modified by malicious code. New attacks that evade anti-virus cannot
infect programs, execute and cause damage to the endpoint. This is a far simpler approach than
HIPS and provides enhanced endpoint security without exorbitant operating costs.
Application whitelisting has improved on the HIPS promise by denying the ability of malicious
code to run within an infected program – without requiring laborious maintenance of custom
rule sets. Enterprise security organizations achieve enhanced protection against modern
custom-designed attacks, while allowing anti-virus to remove and clean-up from known
detected attacks. Application whitelisting delivers on the HIPS mission of protecting enterprise
endpoints against attacks that evade anti-virus detection with an approach that does not over
burden security teams with continuous operating tasks and does not generate false positives
that block users from conducting business.
Application whitelisting automates definitions of operating system, application vendor,
and custom corporate software enabling software migrations and upgrades without a
reduction in security or interrupting the user experience. Application whitelisting
vendors leverage relationships with the leading operating system and application
vendors to automatically identify authorized software. The concept of “trusted sources”
of endpoint software allows custom corporate applications to be covered in the same
security policy as vendor and system software.
Users can customize the endpoint according to business requirements while application
whitelisting protects against advanced persistent threats. Unlike HIPS which can treat
user installation and upgrade activity as an attack, application whitelisting provides a
non-invasive user experience. Application whitelisting can allow users to run new
programs necessary to conduct business, with security teams auditing and monitoring
changes in order to adjust security policy to the needs of a dynamic business.
Operating expenses for enhanced endpoint security are kept in check with application
whitelisting as there is less demand for continuous threat signature or behavioral
updates. Centralized administration of security policy enables IT to readily upgrade
installed applications or migrate to Windows 7 while retaining resilience against new
Application intelligence gained by visibility into all programs that execute or attempts to
execute facilitates coordination between security, IT and application teams. Application
whitelisting is in a unique position to generate application intelligence since it makes
allow or block decisions for every program request. For example, management reports
of every application that executes allows security teams to automate compliance
reporting for data privacy regulations, application teams to negotiate favorable licensing
terms, and IT teams to keep the infrastructure aligned with business demands.
Application whitelisting does not intend to replace anti-virus solutions; rather application
whitelisting provides an important layer of a defense-in-depth strategy. The Ogren Group has
found many commercial and government organizations run anti-virus alongside application
whitelisting. Malicious code can only do damage if it is allowed to execute, and it can only
execute if it creates a new executable or modifies and existing program. Application whitelisting
solutions detect unauthorized changes to infected programs in real-time before the program is
allowed to run. This protects the endpoint from damage and prevents the malware from
spreading its infection throughout the business infrastructure.
Application whitelisting is designed for the modern dynamic business that requires enhanced
endpoint security, compliant software configurations, and flexible enforcement policies that
protect users without inhibiting their ability to do their jobs. The recognition that endpoint
security has to be provided at reasonable operating costs is one of the important lessons
application whitelisting has learned from the HIPS mistakes.
Conclusions and recommendations
Enterprise infrastructures are vulnerable to malware from endpoints that are insufficiently
protected due to shortcomings in traditional anti-virus and the failure of host intrusion
prevention. Malicious code, especially that designed to steal regulated data, intellectual
property and confidential information, remains the leading concern of security teams that must
secure dynamic business environments. Application whitelisting is evolving the traditional
approaches to endpoint security with significant benefits to enterprise security teams:
Achieve maximum prevention rates. As shown, anti-virus alone cannot reduce the risk of
data stealing malware penetrating the infrastructure and behavioral host intrusion
prevention cannot pragmatically deliver security for dynamic endpoints. The
combination of compliant-oriented application whitelisting and attack-oriented anti-
virus provides enterprises the best chance of preventing malicious code from
interrupting the business.
Preserve non-invasive end user experiences. Endpoint security needs to deliver security
inspection and oversight functionality without distracting the user from doing their jobs,
such as unnecessarily blocking applications, asking the user to make real-time security
decisions in the middle of a work process, and degrading system performance by
inserting security logic into the operating system. Automation of the whitelisting
approval process allows users to do their jobs and reduces the burden on IT
Implement security practices that are as dynamic as the business. A high rate of false
positives from HIPS products was indicative that security was impeding the business,
and that IT had to investigate mistaken reports of malware to allow business
applications to execute. Enterprise security requires protection that permits users to
personalize configurations and enables the business to evolve with intrinsic security.
Keep operating expenses and administrative overhead to responsible levels. HIPS failed
partly because the technology could not deliver security within reasonable operating
costs. Application whitelisting is designed to scale to enterprise levels without requiring
significant IT operating resources, including interfaces that allow application
whitelisting administration to be streamlined with traditional endpoint security products.
The Ogren Group recommends that enterprises that have deployed host intrusion prevention
products, or are evaluating HIPS products, examine the benefits of application whitelisting.
Experiences with enterprise security teams show that application whitelisting satisfies the need
to enhance endpoint security by adding a positive layer to endpoint security approaches, without
the oppressive operating overhead of HIPS technology. Bit9 is one of the leading application
whitelisting vendors that the Ogren Group believes should be on the shortlist of security teams
evaluating application whitelisting to ensure a compliant and secure business.
Bit9’s leadership in application whitelisting
Security organizations find that application whitelisting software provides the ideal answer to
the shortcomings of traditional anti-virus endpoint security. While classical anti-virus products
effectively remove well known wide-spread attacks, its inability to reliably detect dynamic
targeted attacks, such as advanced threats, leaves enterprise networks exposed to malware
and endpoints out of compliance with security policies. Application whitelisting monitors
endpoints in real time to ensure that only authorized programs can run, and that those
programs have not been modified by malware. Application whitelisting applied as the foundation
of an endpoint security program gives security teams complete visibility and control of
Bit9 is an industry leader for application whitelisting technology. The company founders had
experience in host intrusion prevention, and started Bit9 with the firm belief that application
whitelisting provided the better solution for securing corporate endpoints. Bit9’s solutions
ensure that only trusted software executes on endpoints, reducing the risk of advanced threats
and infestation of disruptive unauthorized software.
Bit9 Parity is an application whitelisting technology that ensures the integrity of endpoints and
the technical infrastructure supporting the business. Bit9 Parity discovers all applications
running on endpoints, evaluates a Trust Factor and performance against security policy, and
makes real-time allow/block decisions on running application programs based on the
organization’s software policies. The visibility and control gained by Bit9 Parity reduces
operating costs while delivering protection against malicious code.