Network- and server-based intrusion prevention may still be necessary, but companies are moving IPS down to the desktop level for better protection. Patching is supposed to secure your organization from the latest batch of malicious code. “We were expending a huge amount of effort cleaning up the infections in our machines,” says Darrel Davis, chief security officer for the state. “Some exploits were out there yet no patches were available.” Like a growing number of IT security managers, to address those problems, Davis deployed host-based intrusion-prevention system (HIPS) software on 19,000 desktops scattered throughout the state. Its definition hasn’t been settled upon, however, and several vendors advocate very different approaches. “The ultimate point we are heading toward is to prevent all zero-day attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"
A year ago, network-based IPS was all the rage, whereas HIPS had an estimated 1% market-penetration rate, according to Gartner Inc. in Stamford, Conn. But new attack routes into the enterprise — such as the recent Windows Metafile (WMF) vulnerability — have forced IT organizations to rethink their tactics. In a recent Forrester survey of 150 enterprise technology decision-makers, 28% of respondents said they plan to purchase desktop HIPS during the course of the year, says Lambert.<\/p>\n
Alaska, however, is ahead of the game. It is most of the way through an implementation of Cisco Security Agent (CSA) from Cisco Systems Inc. Along with the 19,000 desktops — primarily Windows-based ones, with a few Linux and Macintosh systems — CSA also protects about 2,000 servers across dozens of data centers. Software like CSA watches for behavior that would indicate spyware activity, such as a program opening a file in a temporary folder.<\/p>\n
Software like CSA watches for behavior that would indicate spyware activity, but that is by no means the only way such tools operate. Most include several functions: In addition to host intrusion prevention, they can incorporate adware protection, protection against buffer-overflow attacks, firewalling, various forms of system hardening, malicious mobile-code protection and even signature-based modules.<\/p>\n
Proventia Desktop from Internet Security Systems Inc. (ISS) in Atlanta is used on about 2,500 seats campuswide, most of which are student laptops — 95% run Microsoft Windows XP and the rest are Macintoshes.<\/p>\n
“Some colleges have attempted to dictate to their students, but you really can’t control what they put on their laptops,” says Hammon.<\/p>\n
Unlike virus signatures, though, they need to be delivered only about once a month. Instead of constantly scanning and analyzing every system call and application as CSA does, its SpyWall software zeroes in on the primary avenue of attack – via Web browser. For example, SpyWall blocked the latest Internet Explorer createText-Range zero-day exploit without using any signatures. “After we put in SpyWall, we didn’t get any more infections for six months,” says Robert Wong, network administrator.<\/p>\n
First came enterprise-class anti-virus tools and then firewalls, IDS and spyware protection. But with each advance, attackers managed to outwit the defenses. Antivirus and spyware technology now appear to be morphing into back-line defenses, which are used to mop up employee goofs and safeguard against known threats.<\/p>\n
That’s why the likes of Symantec Corp., CA Inc. and Cisco are gobbling up desktop HIPS vendors: Symantec bought ManHunt, ISS acquired BlackICE, Cisco bought Okena, and CA now owns Tiny Software Inc.<\/p>\n
The next major release of CA Integrated Threat Management will include a firewall and HIPS.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-132","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=132"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/132\/revisions"}],"predecessor-version":[{"id":2619,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/132\/revisions\/2619"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}