Host Intrusion Prevention, HIPS, Application WhiteListing,

  1. Application Whitelisting Puts HIPS in the Recycle Bin

  An Ogren Group Special Report, April 2010
  2. Executive Summary

  While significant enterprise security resources are devoted to prevention of malicious code infections, malware continues to frustrate security teams. Traditional anti-virus approaches have proven to be ineffective against modern attacks, and organizations that have tried host intrusion prevention find that the technology is not an effective part of the endpoint security solution. Application whitelisting monitors endpoints in real time to ensure that only authorized programs can run, and that those programs have not been modified by malware. Application whitelisting applied as the foundation of an endpoint security program gives security teams complete visibility and control of executing applications.

  Security organizations find that application whitelisting software provides the answer to the shortcomings of traditional anti-virus endpoint security. Since malware often secretly modifies a program to run attack code, the ability to block execution of applications that fall out of compliance is an essential capability in protecting endpoints against threats that evade detection by traditional anti-virus products. Application whitelisting builds a foundation for endpoint security:

  • Protects against new advanced persistent threats. Modern attacks are custom designed to avoid detection by anti-virus scanners while pilfering regulated data. Application whitelisting protects against advanced persistent threats by assuring that only compliant applications are allowed to run.

  • Automates real-time visibility of actual application usage. IT and security teams can monitor exactly what applications users and groups of users are executing. This intelligence provides valuable feedback in adjusting security policy to best serve the business, prioritizing application support efforts, and identifying drift from expected baselines.

  • Incorporates proprietary and third-party applications into security policy. Large organizations may have thousands of custom and outsourced applications that cannot be protected by anti-virus signatures. Application whitelisting controls both custom and off-the-shelf business applications to deliver enterprise-wide endpoint protection.

  • Drives endpoint security policy throughout enterprise endpoints to reduce risk to the business. Risk-based management allows security teams to automate block or audit decisions when non-compliant applications are requested.

  Application whitelisting improves on customer experiences with host intrusion prevention administration to offer dynamic endpoint protection that scales to enterprise levels without introducing a heavy administrative burden.

  This special report, commissioned by Bit9, reinforces the use of application whitelisting as the key foundational layer that security teams require to close the security gap left by anti-virus software, and as the security technology that promises to make behavioral host intrusion prevention obsolete in enterprise deployments. Information in this report derives from Ogren Group research and interviews with enterprise security officers of global organizations.
  3. Classical anti-virus leaves the business vulnerable

  Enterprise security teams rely on traditional anti-virus technologies as the main line of defense to protect the business against malware infestations that steal regulated data or corrupt the technical infrastructure. Even after including protection layers such as classical attack signature pattern matching, sender and URL reputation, emulation of active JavaScript code, and behavioral heuristics, traditional endpoint security remains dependent on an attack recognition orientation. The problem is that attacks are proliferating far faster than attack-centric security vendors’ ability to create and distribute anti-virus signature and behavioral pattern antidotes.

  It is surprising to many security teams that a complete reliance on classical anti-virus leaves the business vulnerable to malware. The best anti-virus products are less than 70% effective at detecting and blocking dynamic malware, according to AV-Comparatives.

  Exhibit 1: Detection of new viruses by antivirus programs is less than 70% successful. Source: AV-Comparatives Proactive/retrospective test, May 2009.

  This means that the very best endpoint anti-virus products tested will miss at least 3 out of 10 new attacks, and the Ogren Group believes the detection rate to be less for modern dynamic attacks when there is no signature, or pattern, to match. The attack-centric vendors have to analyze reported attacks, develop and test protection logic, and then distribute endpoint security updates in a timely fashion to all users. The result is that detection performance of traditional anti-virus software only improves marginally in the week following the outbreak, as shown by Cisco research in Exhibit 2.
  4. Exhibit 2: Detection rate is still less than 70% a week after a new virus is identified [1]

  Malicious code authors deploy tricks to avoid detection by anti-virus scanners, not to disable computers but to acquire valuable data. Whether the attacks are drive-by download infections caught while visiting infected web sites, malicious code embedded in downloads of free application software, or deep botnets that execute remote attack code, these attacks thwart the best anti-virus approaches, which helps explain why there were approximately 2.9 million new threats discovered in 2009 [2]. Anti-virus software, a threat-oriented approach based on signatures, reputation, and heuristics, needs to be balanced with a positive approach that helps security teams define compliant configurations and gives IT flexibility in enforcing security policy. For a short time, enterprises turned to host intrusion prevention (HIPS) products to plug the security gaps left by anti-virus. However, after the broad failure of HIPS, enterprises are finding success completing endpoint security with application whitelisting.

  The dramatic failure of host intrusion prevention

  The chronic problem of anti-virus technology in detecting and blocking attacks spawned host intrusion prevention, an endpoint security technology formed to prevent damage from attacks for which there was no anti-virus signature. The premise of HIPS is that it would complement attack-oriented anti-virus inspection with authorized activity-oriented monitoring of operations affecting files, network utilization and operating system configuration. The positive approach promised to detect malicious code before damage could be inflicted on the endpoint, and before the attack could spread throughout the network.

  [1] (reference text not preserved)
  [2] Symantec Internet Security Threat Report, April 2010
  5. Host intrusion prevention never fulfilled its promise of providing endpoint security that can scale to enterprise levels, as excessive administration and support costs doomed HIPS projects. Enterprise IT found that they could lock down endpoint configurations for reasonable security at high administration costs, or they could deploy weakened HIPS security rules at reasonable administration costs, but they could not achieve reasonable security at reasonable administration costs.

  • HIPS shifted the burden of maintaining endpoint security from the security vendor to enterprise IT. Security teams had to describe authorized activity of applications and endpoints and encode the definitions of acceptable behavior as HIPS rules. Thus, IT had to modify, retest and distribute rule sets whenever a software patch, software upgrade or new application was added to an endpoint. Customer experiences with HIPS showed that maintenance of rule sets required significant ongoing efforts of very skilled security engineers.

  • False positives blocked users from getting their jobs done and drove operating costs to unacceptable levels. HIPS treated every violation of a rule as a possible attack that required execution to be blocked – a false identification of a security incident. False positives caused legitimate user activity to be blocked, increased the volume of calls to the IT service desk, and consumed security resources in maintaining HIPS rule sets that would not generate invasive false positives to users.

  • Security teams had to weaken security enforcement to gain user acceptance and reduce overhead costs. Customers reported to the Ogren Group that security rule sets had to be loosened to reduce the operating overhead to acceptable levels, even to the extent that HIPS was no longer providing acceptable security to the endpoint. HIPS, configured to keep reasonable operating costs across a wide variety of endpoint configurations, did not offer acceptable enhancements to endpoint security.

  Enterprise security teams are moving away from host intrusion prevention and behavioral approaches as a complement to anti-virus for endpoint security, as HIPS cannot provide acceptable levels of security at acceptable operating costs. In fact, HIPS could never achieve the optimal balance between effective malware detection rates, endpoint processor overhead, false positive generation, and administrative overhead – the four key attributes of endpoint security. As HIPS provides less value to security teams, IT and security vendors are de-committing from host intrusion prevention. Large IT efforts, such as a corporate evolution to Windows 7, have led many IT organizations to turn to application whitelisting as an additional layer of endpoint protection.

  Forming the foundation with application whitelisting

  Application whitelisting complements traditional anti-virus for the best endpoint defense, fulfilling the customer demand for protection against malicious attacks that AV cannot detect and HIPS cannot practically prevent. Application whitelisting only allows IT-authorized programs to run, and ensures that malicious files do not attempt to execute and that programs have not been inappropriately modified by malicious code. New attacks that evade anti-virus cannot infect programs, execute and cause damage to the endpoint. This is a far simpler approach than HIPS and provides enhanced endpoint security without exorbitant operating costs.

  6. Application whitelisting has improved on the HIPS promise by denying the ability of malicious code to run within an infected program – without requiring laborious maintenance of custom rule sets. Enterprise security organizations achieve enhanced protection against modern custom-designed attacks, while allowing anti-virus to remove and clean up from known detected attacks. Application whitelisting delivers on the HIPS mission of protecting enterprise endpoints against attacks that evade anti-virus detection with an approach that does not overburden security teams with continuous operating tasks and does not generate false positives that block users from conducting business.

  • Application whitelisting automates definitions of operating system, application vendor, and custom corporate software, enabling software migrations and upgrades without a reduction in security or interrupting the user experience. Application whitelisting vendors leverage relationships with the leading operating system and application vendors to automatically identify authorized software. The concept of “trusted sources” of endpoint software allows custom corporate applications to be covered in the same security policy as vendor and system software.

  • Users can customize the endpoint according to business requirements while application whitelisting protects against advanced persistent threats. Unlike HIPS, which can treat user installation and upgrade activity as an attack, application whitelisting provides a non-invasive user experience. Application whitelisting can allow users to run new programs necessary to conduct business, with security teams auditing and monitoring changes in order to adjust security policy to the needs of a dynamic business.

  • Operating expenses for enhanced endpoint security are kept in check with application whitelisting, as there is less demand for continuous threat signature or behavioral updates. Centralized administration of security policy enables IT to readily upgrade installed applications or migrate to Windows 7 while retaining resilience against new exploits.

  • Application intelligence gained by visibility into all programs that execute or attempt to execute facilitates coordination between security, IT and application teams. Application whitelisting is in a unique position to generate application intelligence since it makes allow or block decisions for every program request. For example, management reports of every application that executes allow security teams to automate compliance reporting for data privacy regulations, application teams to negotiate favorable licensing terms, and IT teams to keep the infrastructure aligned with business demands.

  Application whitelisting does not intend to replace anti-virus solutions; rather, application whitelisting provides an important layer of a defense-in-depth strategy. The Ogren Group has found many commercial and government organizations run anti-virus alongside application whitelisting. Malicious code can only do damage if it is allowed to execute, and it can only execute if it creates a new executable or modifies an existing program. Application whitelisting solutions detect unauthorized changes to infected programs in real time before the program is allowed to run. This protects the endpoint from damage and prevents the malware from spreading its infection throughout the business infrastructure.

  7. Application whitelisting is designed for the modern dynamic business that requires enhanced endpoint security, compliant software configurations, and flexible enforcement policies that protect users without inhibiting their ability to do their jobs. The recognition that endpoint security has to be provided at reasonable operating costs is one of the important lessons application whitelisting has learned from the HIPS mistakes.

  Conclusions and recommendations

  Enterprise infrastructures are vulnerable to malware from endpoints that are insufficiently protected due to shortcomings in traditional anti-virus and the failure of host intrusion prevention. Malicious code, especially that designed to steal regulated data, intellectual property and confidential information, remains the leading concern of security teams that must secure dynamic business environments. Application whitelisting is evolving the traditional approaches to endpoint security with significant benefits to enterprise security teams:

  • Achieve maximum prevention rates. As shown, anti-virus alone cannot reduce the risk of data-stealing malware penetrating the infrastructure, and behavioral host intrusion prevention cannot pragmatically deliver security for dynamic endpoints. The combination of compliance-oriented application whitelisting and attack-oriented anti-virus provides enterprises the best chance of preventing malicious code from interrupting the business.

  • Preserve non-invasive end user experiences. Endpoint security needs to deliver security inspection and oversight functionality without distracting users from doing their jobs, such as unnecessarily blocking applications, asking the user to make real-time security decisions in the middle of a work process, and degrading system performance by inserting security logic into the operating system. Automation of the whitelisting approval process allows users to do their jobs and reduces the burden on IT administrators.

  • Implement security practices that are as dynamic as the business. A high rate of false positives from HIPS products was indicative that security was impeding the business, and that IT had to investigate mistaken reports of malware to allow business applications to execute. Enterprise security requires protection that permits users to personalize configurations and enables the business to evolve with intrinsic security.

  • Keep operating expenses and administrative overhead to responsible levels. HIPS failed partly because the technology could not deliver security within reasonable operating costs. Application whitelisting is designed to scale to enterprise levels without requiring significant IT operating resources, including interfaces that allow application whitelisting administration to be streamlined with traditional endpoint security products.
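The decision loop the report describes (a baseline of IT-authorized programs, detection of a modified program before it is allowed to run, automatic approval of software from a trusted source, and block-or-audit handling of non-compliant requests) as an added Python illustration; this is not code from the report or from Bit9, and the file contents, paths and the "corp-updater" source name are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for installed executables (path -> bytes); not real binaries.
BASELINE_FILES = {
    "C:/Apps/erp/erp.exe": b"ERP-CLIENT-v4.2",
    "C:/Windows/System32/notepad.exe": b"NOTEPAD-BUILD-7600",
}

@dataclass
class WhitelistPolicy:
    # Risk-based handling per non-compliance category: "block" stops execution,
    # "audit" lets the program run but records the request for later review.
    on_modified: str = "block"
    on_unknown: str = "audit"
    trusted_sources: set = field(default_factory=set)  # hypothetical updater identities
    approved: dict = field(default_factory=dict)       # path -> baseline sha256
    events: list = field(default_factory=list)         # every decision, for reporting

    def baseline(self, files: dict) -> None:
        """Snapshot the IT-authorized programs currently installed on the endpoint."""
        self.approved = {path: sha256(data) for path, data in files.items()}

    def request_execution(self, path: str, content: bytes, source: str = None) -> str:
        """Decide whether a program may run; called before every execution."""
        digest = sha256(content)
        expected = self.approved.get(path)
        if expected == digest:
            verdict, reason = "allow", "compliant"
        elif expected is not None:
            # Known program whose bytes changed: treat as tampering, not as an update
            verdict, reason = self.on_modified, "modified"
        elif source in self.trusted_sources:
            # New file delivered by a trusted source is approved automatically
            self.approved[path] = digest
            verdict, reason = "allow", "trusted source"
        else:
            verdict, reason = self.on_unknown, "unknown"
        self.events.append({"path": path, "sha256": digest, "reason": reason, "verdict": verdict})
        return verdict

def demo() -> list:
    """Five constructed execution requests: compliant, modified, unknown, trusted, re-run."""
    policy = WhitelistPolicy(trusted_sources={"corp-updater"})
    policy.baseline(BASELINE_FILES)
    return [
        policy.request_execution("C:/Apps/erp/erp.exe", b"ERP-CLIENT-v4.2"),
        policy.request_execution("C:/Apps/erp/erp.exe", b"ERP-CLIENT-v4.2\x00TAMPERED"),
        policy.request_execution("C:/Users/alice/Downloads/free_tool.exe", b"FREE-TOOL"),
        policy.request_execution("C:/Apps/hr/hr.exe", b"HR-PORTAL-v1.0", source="corp-updater"),
        policy.request_execution("C:/Apps/hr/hr.exe", b"HR-PORTAL-v1.0"),
    ]

if __name__ == "__main__":
    print(demo())  # ['allow', 'block', 'audit', 'allow', 'allow']
```

The events list is the "application intelligence" the report refers to: every request, compliant or not, leaves a record that can feed usage and compliance reporting.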
  8. The Ogren Group recommends that enterprises that have deployed host intrusion prevention products, or are evaluating HIPS products, examine the benefits of application whitelisting. Experiences with enterprise security teams show that application whitelisting satisfies the need to enhance endpoint security by adding a positive layer to endpoint security approaches, without the oppressive operating overhead of HIPS technology. Bit9 is one of the leading application whitelisting vendors that the Ogren Group believes should be on the shortlist of security teams evaluating application whitelisting to ensure a compliant and secure business.
  9. Bit9’s leadership in application whitelisting

  Security organizations find that application whitelisting software provides the ideal answer to the shortcomings of traditional anti-virus endpoint security. While classical anti-virus products effectively remove well-known widespread attacks, their inability to reliably detect dynamic targeted attacks, such as advanced threats, leaves enterprise networks exposed to malware and endpoints out of compliance with security policies. Application whitelisting monitors endpoints in real time to ensure that only authorized programs can run, and that those programs have not been modified by malware. Application whitelisting applied as the foundation of an endpoint security program gives security teams complete visibility and control of executing applications.

  Bit9 is an industry leader for application whitelisting technology. The company founders had experience in host intrusion prevention, and started Bit9 with the firm belief that application whitelisting provided the better solution for securing corporate endpoints. Bit9’s solutions ensure that only trusted software executes on endpoints, reducing the risk of advanced threats and infestation of disruptive unauthorized software.

  Bit9 Parity is an application whitelisting technology that ensures the integrity of endpoints and the technical infrastructure supporting the business. Bit9 Parity discovers all applications running on endpoints, evaluates a Trust Factor and performance against security policy, and makes real-time allow/block decisions on running application programs based on the organization’s software policies. The visibility and control gained by Bit9 Parity reduces operating costs while delivering protection against malicious code.