Information Security - What to Look for in an Endpoint Intrusion Prevention Solution
A safety checklist. Internet worms propagate too quickly for such reactive solutions to be effective
Jul. 30, 2005 03:00 PM
Page 1 of 2
Even in the best of times, security products that aim to thwart worms are playing catch-up. Anti-virus and anti-malware products are populated with attack-specific signatures, which are created and distributed only after an attack is underway. Internet worms propagate too quickly for such reactive solutions to be effective. This is a major problem in maintaining information security as well as providing business continuity for many organizations.
In the "good old days" worm creation was literally a mischievous playground for young hackers to show off their skills. Unfortunately, worms today are part of the criminal syndicate. Worms are used in a high-stakes, high-tech version of the neighborhood shakedown. Enterprises dependent on Internet commerce are extorted by threats of distributed denial of service (DDOS) attacks. To pull off DDOS attacks criminals need large remotely controlled "BOT" networks. Typically worms are used to take over the unprotected machines of unsuspecting users to create these BOT networks. According to Symantec, the number of bots jumped more than 15-fold in the first six months of 2004.
Driven by changes in the attack landscape, pandemic worm breakouts (e.g., the Slammer, Blaster, and Sasser worms), as well as Sarbanes-Oxley and other compliance requirements, enterprises are increasingly taking on high-profile anti-malware or worm mitigation projects.
These projects typically involve an Endpoint Intrusion Prevention Solution. There are a multitude of different host-based solutions and technologies in this space. Selecting one that addresses your organization's needs is no easy task. However, any solution you choose should address the following seven criteria:
1. Accuracy
Accuracy, or the ability to correctly identify an intrusion, is required in a good solution. Even more importantly, the solution shouldn't tag a normal operation as an intrusion - a false positive. Unlike an Intrusion Detection System (IDS), where false positives are just a nuisance, each false positive in an intrusion prevention system will disrupt a normal business operation. So a solution that doesn't treat a false positive as a software bug but asks you to live with it isn't a viable solution. As billions of normal events occur between attack events, even the smallest rate of false positives will make the solution negatively impact business operations at a rate higher than the worms themselves. Accuracy is the most important criterion because it can have a continuous and immediate impact on your normal business operations well before you encounter an actual attack.
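The base-rate arithmetic behind that last point, as an added example that is not part of the original article: given the volume of benign operations a prevention agent inspects, it computes how many self-inflicted disruptions a given false-positive rate produces per year and the largest rate at which those disruptions stay below the number of real attacks. The endpoint count, operation volume and attack frequency are constructed assumptions, not figures from the article.

```python
"""Base-rate arithmetic behind the Accuracy criterion.

Added example, not from the article. Every number below is a constructed
assumption used to illustrate the argument, not a measurement.
"""

DAYS_PER_YEAR = 365


def expected_false_positives(events_per_day: float, fp_rate: float,
                             days: int = DAYS_PER_YEAR) -> float:
    """Expected number of benign operations the agent will block over `days`."""
    return events_per_day * days * fp_rate


def max_tolerable_fp_rate(events_per_day: float, attacks_per_year: float,
                          days: int = DAYS_PER_YEAR) -> float:
    """Largest false-positive rate at which self-inflicted disruptions do not
    exceed the number of real attacks the product is supposed to stop."""
    total_events = events_per_day * days
    return attacks_per_year / total_events


def disruption_ratio(events_per_day: float, fp_rate: float,
                     attacks_per_year: float, days: int = DAYS_PER_YEAR) -> float:
    """Business disruptions caused by the product per real attack it faces."""
    fps = expected_false_positives(events_per_day, fp_rate, days)
    return fps / attacks_per_year


if __name__ == "__main__":
    # Constructed scenario: 10,000 endpoints, each generating about one
    # million monitored operations a day (1e10 events/day enterprise-wide),
    # and five worm outbreaks a year that get past the other layers.
    events = 1e10
    attacks = 5
    print(f"max tolerable FP rate: {max_tolerable_fp_rate(events, attacks):.2e}")
    # A rate of one false block per billion events sounds negligible ...
    print(f"false blocks/year at 1e-9: {expected_false_positives(events, 1e-9):.0f}")
    # ... yet it disrupts the business hundreds of times per real attack.
    print(f"disruptions per real attack: {disruption_ratio(events, 1e-9, attacks):.0f}")
```

The useful takeaway for an evaluation is the second function: ask the vendor for a measured false-positive rate and compare it with the tolerable rate derived from your own event volume, rather than accepting "low" as an answer.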
2. Maintainability
Maintainability is an obvious and important criterion for a product that will be deployed enterprise-wide. A solution that requires individual attention in each installation, or tuning every time a system is updated, upgraded, or used for a different purpose, will become a management nightmare. Unlike signature-based systems, where the vendor does day-to-day signature creation, policy-based and learning-based systems offload most of the work onto you. In a policy-based system, you may need to fine-tune policies on every machine and work to eliminate the false positives that show up. You also must convince yourself and your management that the policy you created is sufficiently stringent to catch the next attack. In a learning-based system, you need to teach the system by stressing it with all the possible execution scenarios and hope that you don't miss any critical ones. This requires that the system be in detection mode in production long enough to learn all the common scenarios, or that you set a sufficiently tight policy before a system is put in protection mode. During this time it's vulnerable to attack. A solution where the cost of operation is higher than the cost of cleaning up a few worm infections a year provides little ROI.
3. Scalability
Scalability of a system to an enterprise-wide deployment is important because all mass worms to date have attacked the entire infrastructure - including servers, desktops, laptops, even embedded controllers. So, rolling out a solution that protects everything in the enterprise is critical. This applies especially to machines running Windows, since most of the recent worms have targeted the core infrastructure programs on those machines. Any solution that requires constant individual attention at each endpoint doesn't scale. Critical centralized components also hinder scaling.
4. Coverage
Coverage measures the range of attacks a solution can protect against. Contrary to marketing claims, no solution can systematically and comprehensively handle all intrusions - both known and unknown. It's essential that you understand what class of attacks a solution covers. See that the coverage complements the existing layers of security in your organization. Although more than 500 mass intrusions were detected during the last year, you should be protected from most of them by commonly deployed products such as anti-virus systems. Since it's impossible to predict future attacks, look at the past and see what attacks got through the existing layers of protection. Focus on specific intrusions that your current security systems didn't handle satisfactorily. What would have happened if you had this product deployed during that intrusion?
Each intrusion exploits an application's vulnerability. Thus the published vulnerabilities in your critical applications and operating systems are an important resource for understanding how comprehensively a solution covers the kind of attacks that can take advantage of these vulnerabilities. A comprehensive list of vulnerabilities can be found in the CVE list or Microsoft security bulletins. Since most attacks exploit an existing vulnerability, a solution that can't cover the most important vulnerabilities isn't the solution for you.
Since no enterprise can implement barriers against every conceivable intrusion, it's critical to prioritize. Some kinds of intrusions have devastating consequences; others are important; many are rare; some are still theoretical or imaginary and only exist in the minds of researchers. Trying to protect an enterprise against all these possibilities creates an enormous cost in implementation and management and makes the infrastructure less stable. Worst of all, the noise drowns out absolutely necessary and critical protections. Therefore, you need a good understanding of the attack landscape and must precisely define the remaining holes in your current protection shield. This way you can prioritize and protect against the critical attacks at a reasonable cost while ignoring the noise.
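The coverage review the three preceding paragraphs describe, carried out in code as an added example that is not part of the original article: take the intrusions seen over a review period, keep only those no existing layer stopped, rank them by consequence and frequency, and score how much of that residual, severity-weighted risk a candidate product's claimed coverage would address. The incident records, layer names, severity scale and vulnerability identifiers are all constructed placeholders.

```python
"""Coverage gap analysis for the Coverage criterion.

Added example, not from the article. Incidents, layer names, the 1..5
severity scale and the vulnerability identifiers are constructed
placeholders, not real records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    name: str
    vuln_id: str              # placeholder; a real review would cite the CVE or bulletin
    severity: int             # analyst-assigned: 1 (nuisance) .. 5 (devastating)
    frequency: int            # times observed during the review period
    stopped_by: frozenset     # existing layers that handled it satisfactorily
    candidate_covers: bool    # does the evaluated product claim to cover this class?


# Constructed review-period data.
SAMPLE_INCIDENTS = [
    Incident("mass-mailer worm", "VULN-PLACEHOLDER-1", 2, 12,
             frozenset({"antivirus"}), True),
    Incident("network worm, overflow in core service", "VULN-PLACEHOLDER-2", 5, 2,
             frozenset(), True),
    Incident("browser drive-by download", "VULN-PLACEHOLDER-3", 3, 4,
             frozenset(), False),
    Incident("research proof-of-concept, never seen in the wild", "VULN-PLACEHOLDER-4", 1, 0,
             frozenset(), True),
    Incident("port scanner", "VULN-PLACEHOLDER-5", 1, 30,
             frozenset({"firewall", "ids"}), True),
]


def residual_gaps(incidents):
    """Intrusions that got through every existing layer of protection."""
    return [i for i in incidents if not i.stopped_by]


def prioritize(gaps):
    """Order the remaining holes: devastating first, then most frequently observed."""
    return sorted(gaps, key=lambda i: (i.severity, i.frequency), reverse=True)


def coverage_score(gaps):
    """Fraction of severity-weighted residual risk the candidate product addresses.

    Weighting by observed frequency automatically drops purely theoretical
    entries (frequency 0) out of the score, which is the 'ignore the noise'
    step of the article.
    """
    total = sum(i.severity * i.frequency for i in gaps)
    covered = sum(i.severity * i.frequency for i in gaps if i.candidate_covers)
    return covered / total if total else 1.0


if __name__ == "__main__":
    gaps = prioritize(residual_gaps(SAMPLE_INCIDENTS))
    for g in gaps:
        print(f"sev={g.severity} freq={g.frequency:2d} covered={g.candidate_covers!s:5} {g.name}")
    print(f"candidate addresses {coverage_score(gaps):.0%} of residual risk")
```

Note that the mass-mailer and the port scanner never enter the score at all, however often they occurred, because an existing layer already handles them; a product whose coverage claims are strongest there adds little.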
5. Proactivity
Proactivity, the ability to stop an attack with the least amount of attack-specific information, is extremely important against zero-day attacks. A solution that requires a new signature update to stop an attack is of no use against rapidly propagating worms such as Slammer, which only took 10 minutes to go from 0% to 90% infection worldwide. It is not sufficiently proactive to protect against modern worms. Solutions that require some knowledge of the vulnerabilities provide some level of proactivity. To date, attack writers have relied on the vulnerabilities revealed by the ISVs when they release a patch. In these cases vulnerability information was available before an attack. However, during the last two years, the time between the revelation of the vulnerability and the release of an attack targeting it has decreased. So the best solutions are the ones that stop attacks without any special knowledge of the attack or the vulnerability. A solution that's technically capable of stopping an attack but not sufficiently proactive will gear up to stop a day-zero attack only after that attack has created havoc in your enterprise.
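Why a signature cycle cannot keep up, shown numerically as an added example that is not part of the original article: it models a random-scanning worm with the standard logistic growth curve, calibrates the growth rate from the article's own figure (90% infection at 10 minutes), and reports what share of the vulnerable population is already infected by the time a reactive control arrives. The initial infected fraction and the response delays are constructed assumptions; the logistic model itself is the usual approximation for uniform random scanning, not something the article states.

```python
"""Worm propagation versus reaction time (Proactivity criterion).

Added example, not from the article. Uses the logistic model of a
random-scanning worm. The article supplies one calibration point (90% in
10 minutes); the initial infected fraction and the response delays below
are constructed assumptions.
"""
import math


def growth_rate(t_target: float, frac_target: float, i0: float) -> float:
    """Per-minute growth rate r such that infected fraction frac_target is
    reached at time t_target, given initial fraction i0.

    Logistic curve: i(t) = 1 / (1 + ((1 - i0) / i0) * exp(-r t)).
    """
    return -math.log((1.0 / frac_target - 1.0) * i0 / (1.0 - i0)) / t_target


def infected_fraction(t: float, r: float, i0: float) -> float:
    """Fraction of the vulnerable population infected at time t (minutes)."""
    return 1.0 / (1.0 + ((1.0 - i0) / i0) * math.exp(-r * t))


def time_to_fraction(frac: float, r: float, i0: float) -> float:
    """Inverse of infected_fraction: minutes until `frac` is infected."""
    return -math.log((1.0 / frac - 1.0) * i0 / (1.0 - i0)) / r


def fraction_before_response(response_minutes: float, r: float, i0: float) -> float:
    """Share of hosts already infected when a reactive control (signature,
    patch, block rule) becomes effective after response_minutes."""
    return infected_fraction(response_minutes, r, i0)


if __name__ == "__main__":
    I0 = 1e-5                       # assumption: one seed host per 100,000 vulnerable hosts
    r = growth_rate(10.0, 0.90, I0)  # calibrated from the article's Slammer figure
    print(f"growth rate: {r:.2f}/min, 50% reached at {time_to_fraction(0.5, r, I0):.1f} min")
    # Constructed response delays: an instant block, a fast SOC, a signature push.
    for label, minutes in [("5 min", 5), ("15 min", 15), ("4 hours", 240), ("1 day", 1440)]:
        print(f"reactive control after {label:>7}: "
              f"{fraction_before_response(minutes, r, I0):.1%} already infected")
```

Under these assumptions the curve is almost flat for the first few minutes and then saturates within a quarter of an hour; any control whose delivery is measured in hours protects, in practice, no one who was vulnerable.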
About Saman Amarasinghe
Dr. Saman Amarasinghe is cofounder and CTO of Determina, Inc., an associate professor of the Department of Electrical Engineering and Computer Science at MIT, and a member of the Computer Science and Artificial Intelligence Laboratory (CSAIL).