The Web    Google
Immunize Your Servers Against Attack

Immunize Your Servers Against Attack
June 7, 2004
Brian LivingstonBy

A security company is shipping today a new software release that it claims will better protect your servers against hacker attacks whether or not you've installed the latest patches from Microsoft.

Primary Response 2.2 is software you install on Windows NT, 2000, 2003, or Solaris servers. It "immunizes" your servers against undefined intrusions, the way the human body defends itself against biological viruses it's never seen before, according to its developer, Sana Security.

The basic security features of Primary Response 2.1, the software's previous version, have just been certified by ICSA Labs, an independent testing firm, according to a lab spokesperson. This is the first such certification given to a new kind of program known as host-based intrusion prevention systems or HIPS, according to Dr. Steven Hofmeyr, Sana's founder and chief scientist.

How Host-Based Protection Stands Out

The defenses provided by HIPS stand squarely between two older, better-known layers of enterprise security:

? Network-Based Intrusion Prevention Systems (NIPS). A NIPS solution is typically a hardware appliance that's plugged in between a company's servers and the Internet. Such devices monitor network traffic and protect the servers from inappropriate packets, such as hacker attacks. NIPS, however, cannot protect applications that are running on individual PCs or defend against the behavior of insiders, which most intrusions are.

? Client Security Defenses. If malware has come into the corporate environment via an e-mail attachment or a download from a malicious Web site that an employee visited, security software on the client machine (such as an antivirus program) might catch the problem. But software on users' desktops can't monitor hacker attacks that can bring down an entire server or cluster of servers.

? HIPS To The Rescue. Host-based intrusion prevention systems, such as Primary Response, install on each server that you wish to protect. Sana Security's software observes the operation of every application that runs on each server. This builds up a baseline of which behaviors are "normal." The security software can then automatically halt activities that are abnormal, such as a hacker's attempt to exploit a buffer overrun in a server application.

From Response Time of 180 Days to Zero Days

The need for Primary Response, Hofmeyr said in a telephone interview, comes from the fact that software developers such as Microsoft can't patch their products fast enough to defend against all possible attacks:

? Nimda and SQL Slammer. The Nimda and Slammer worms, which swept the Internet in September 2001 and January 2003, respectively, emerged approximately 120 and 180 days after Microsoft had posted patches for the Windows vulnerabilities involved. In hindsight, we might look back on the length of those grace periods as a relic of "the good old days."

? Seven-Day Exploitation Times. Later in 2003, two different worms required only seven days to exploit Windows security holes. Microsoft had identified these flaws only a week earlier in bulletins named MS03-039 and MS03-049, Sana Security says. "The attackers are winning the race," Hofmeyr says in a white paper, The Case for Intrusion Prevention. This is because "in general, patching is a slow, risky process." Many large corporations can't or won't test and install patches on their mission-critical systems in only seven days.

? The Zero-Day Nightmare. Although the worst-case scenario hasn't yet occurred, security researchers warn that "the big one" is coming. That means a hacker exploit that rapidly compromises network servers across the Internet before the software provider has made a patch available a so-called zero-day exploit.

Now Patch Only Every Three Months

Primary Response would have stopped all of the worms I've mentioned above, and others, Hofmyer says, whether or not the applicable patches from Microsoft had been installed on the affected servers. "All these attacks use unchecked bounds and buffers, and we prevent that," he explains.

Installing a HIPS solution, unfortunately, doesn't eliminate the need for companies to also purchase NIPS and client-based security software. But corporations can save big bucks with HIPS by installing Microsoft patches only once every calendar quarter, instead of once a month or more, Hofmeyr says.

One Sana Security customer, a global financial services conglomerate, reportedly employs 21 full-time people dedicated to security patching in the U.S. alone and spends $1.5 million every time Microsoft releases a security bulletin. That's a chunk of change, especially when you consider that 18% of security patches across all vendors are faulty and must be revised, according to one study.


Unless you think your company can install all security patches instantly and predict all upcoming zero-day attacks perfectly, HIPS software looks like a new layer of security you'll need to have.

A Primary Response 2.2 installation consists of at least one "management server," which lists for $6,500, and one "agent" per server you wish to protect. Each agent lists for $1,700. Sana Software offers bundles at a lower cost.

The short list of competing, host-based intrusion-prevention software for you to consider includes Cisco Security Agent and Network Associates' McAfee Entercept.

May the immune system be with you.

  • 2/21: MyDoom-BE Worm Harvests Addresses
  • 5/19: Viperik-A Trojan Deletes Files & Info
  • Netsky-D Ranked as High Risk
  • Cisco Snaps Up Security Software Maker
  • 9/20: Mydoom-Y Worm Connects To URL
  • 1/26: Patco-A Worm Replaces Doc Files
  • Nine out of 10 U.S. Emails Now Spam
  • 3/16: Trojan.Eaghouse Steals Info
  • 5/19: Webloin Trojan Downloads DLL File
  • Big Blue, GE Interlogix Team on Building Security
  • 4/25: Spybot-OBZ Worm Has DDoS Ability
  • Security Camera Price