A year ago, network-based IPS was all the rage, whereas HIPS had an estimated 1% market-penetration rate, according to Gartner Inc. in Stamford, Conn. But new attack routes into the enterprise — such as the recent Windows Metafile (WMF) vulnerability — have forced IT organizations to rethink their tactics. In a recent Forrester survey of 150 enterprise technology decision-makers, 28% of respondents said they plan to purchase desktop HIPS during the course of the year, says Lambert.
Alaska, however, is ahead of the game. It is most of the way through an implementation of Cisco Security Agent (CSA) from Cisco Systems Inc. Along with the 19,000 desktops — primarily Windows-based ones, with a few Linux and Macintosh systems — CSA also protects about 2,000 servers across dozens of data centers. Software like CSA watches for behavior that would indicate spyware activity, such as a program opening a file in a temporary folder.
Software like CSA watches for behavior that would indicate spyware activity, but that is by no means the only way such tools operate. Most include several functions: In addition to host intrusion prevention, they can incorporate adware protection, protection against buffer-overflow attacks, firewalling, various forms of system hardening, malicious mobile-code protection and even signature-based modules.
Proventia Desktop from Internet Security Systems Inc. (ISS) in Atlanta is used on about 2,500 seats campuswide, most of which are student laptops — 95% run Microsoft Windows XP and the rest are Macintoshes.
“Some colleges have attempted to dictate to their students, but you really can’t control what they put on their laptops,” says Hammon.
Unlike virus signatures, though, they need to be delivered only about once a month. Instead of constantly scanning and analyzing every system call and application as CSA does, its SpyWall software zeroes in on the primary avenue of attack – via Web browser. For example, SpyWall blocked the latest Internet Explorer createText-Range zero-day exploit without using any signatures. “After we put in SpyWall, we didn’t get any more infections for six months,” says Robert Wong, network administrator.
First came enterprise-class anti-virus tools and then firewalls, IDS and spyware protection. But with each advance, attackers managed to outwit the defenses. Antivirus and spyware technology now appear to be morphing into back-line defenses, which are used to mop up employee goofs and safeguard against known threats.
That’s why the likes of Symantec Corp., CA Inc. and Cisco are gobbling up desktop HIPS vendors: Symantec bought ManHunt, ISS acquired BlackICE, Cisco bought Okena, and CA now owns Tiny Software Inc.
The next major release of CA Integrated Threat Management will include a firewall and HIPS.