Thursday, January 25, 2007

Host Intrusion Prevention versus Host Anti Virus - Now is the time for change

Host anti-virus is traditional security mitigation software used by millions of computer users across the globe. Anti-virus does a great job of stopping known security exploits through the use of signature-type definition files. Unfortunately for the general computer user, the word "known" is the key to this conversation: anti-virus is only as good as the attacks that are already known about. If you rely on anti-virus alone, you are still highly susceptible to new computer attacks.

Contrast that with Host Intrusion Prevention (HIPS). HIPS looks at the behavior of the host and decides whether that behavior is consistent with the action of malicious code. If the HIPS software decides that the behavior is suspicious, it will either stop the behavior or ask you whether you want to allow it. The bottom line is that HIPS does not use signature definition files; it uses rule files that don't require updates and will stop viruses and worms whether they are known or not. My experience with HIPS software is that it is 100% reliable.

The downside of Host Intrusion Prevention software is that the versions that are available are targeted at larger customers with a professional security team that can manage and analyze the events seen when rules trigger. Generally it's too complex to be managed by the average end user.

This article is little more than a call to action for security developers. Security engineers readily accept that HIPS software is superior to anti-virus; now is the time to commercialize the software. Take the complexity out of the existing HIPS software, and tone it down so that the average home user can use it and be protected at all times, as opposed to the current scenario experienced while using anti-virus. This isn't that huge of a task. Shoot for the low-hanging fruit, and only deploy rules such as: stop code that executes after a buffer overflow, stop code that is being run for the first time, stop browsers from acting as servers, stop the average computer from opening any listening port, and stop traffic related to port scans. These are just ideas; I'm sure there are more. If you do happen to read this article, please encourage your local HIPS vendor to commercialize their product, and maybe even encourage them to market it to huge service providers such as Comcast and AOL.
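To make the signature-versus-behavior contrast and the rule list above concrete, here is a small added example (not code from the original post or from any HIPS vendor). The `av_verdict` function plays the part of signature anti-virus: it only blocks a sample whose hash is already in its database. The `evaluate` function plays the part of a cut-down home-user HIPS with exactly the five rules the post proposes, applied to constructed host events. The event fields (`from_writable_stack`, `first_seen`, `distinct_dst_ports`), the browser and allowed-listener sets, and the port-scan threshold are all assumptions made for the illustration, not anything a real product exposes.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed "signature database": the hash of one sample already known to be bad.
KNOWN_BAD_HASHES = {hashlib.sha256(b"old-worm-sample").hexdigest()}


def av_verdict(sample: bytes) -> str:
    """Signature anti-virus: blocks only bytes whose hash is already in the database."""
    return "block" if hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES else "allow"


@dataclass
class HostEvent:
    """One observed host action (constructed shape; a real sensor would supply this)."""
    process: str                       # image name of the acting process
    action: str                        # "exec", "listen" or "connect"
    first_seen: bool = False           # executable never run on this host before
    from_writable_stack: bool = False  # execution began in a writable/stack region (overflow symptom)
    port: Optional[int] = None         # local port for "listen" events
    distinct_dst_ports: int = 0        # distinct destination ports touched in a short window


# Assumed fixed policy a home user never has to edit.
BROWSERS = {"firefox.exe", "iexplore.exe"}
ALLOWED_LISTENERS = {"svchost.exe"}
SCAN_THRESHOLD = 20  # distinct destination ports that count as a port scan

Hit = Tuple[str, str]  # (rule name, verdict: "block" or "ask")


def evaluate(ev: HostEvent) -> List[Hit]:
    """Apply the five behavior rules from the post; no signature lookup anywhere."""
    hits: List[Hit] = []
    if ev.action == "exec" and ev.from_writable_stack:
        hits.append(("code-after-overflow", "block"))
    if ev.action == "exec" and ev.first_seen:
        hits.append(("first-run-executable", "ask"))       # user decides
    if ev.action == "listen" and ev.process in BROWSERS:
        hits.append(("browser-as-server", "block"))
    if ev.action == "listen" and ev.process not in ALLOWED_LISTENERS:
        hits.append(("listening-port", "ask"))
    if ev.action == "connect" and ev.distinct_dst_ports >= SCAN_THRESHOLD:
        hits.append(("port-scan", "block"))
    return hits


def final_verdict(hits: List[Hit]) -> str:
    """A single block wins; otherwise any hit means asking the user; otherwise allow."""
    if any(v == "block" for _, v in hits):
        return "block"
    return "ask" if hits else "allow"


def compare_on_new_worm() -> dict:
    """Run a constructed, never-before-seen worm through both approaches."""
    new_worm_bytes = b"brand-new-worm-no-signature-yet"
    # Its first act on the host: run code it planted via a buffer overflow.
    first_action = HostEvent("mail.exe", "exec", first_seen=True, from_writable_stack=True)
    return {
        "av": av_verdict(new_worm_bytes),                  # "allow": no signature yet
        "hips": final_verdict(evaluate(first_action)),     # "block": behavior rule fires
    }


if __name__ == "__main__":
    print(compare_on_new_worm())
    for ev in (HostEvent("firefox.exe", "listen", port=8080),
               HostEvent("svchost.exe", "listen", port=135),
               HostEvent("notepad.exe", "exec"),
               HostEvent("scanner.exe", "connect", distinct_dst_ports=50)):
        print(ev.process, ev.action, "->", final_verdict(evaluate(ev)), evaluate(ev))
```

The point the comparison function makes is the one the post makes: the same sample is invisible to the signature check until a definition update ships, while the behavior rule fires on its very first action. The `ask` verdict on first-run executables and unexpected listeners is also where the usability problem from the next paragraph shows up: every prompt is a decision pushed onto the user, so a home-user product has to keep that rule set small.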


Anonymous said...

Greg -- appreciate the comments re: AV v. HIPS wrt the fact that AV can only act on what it knows about. And HIPS only looks at curious behaviors, not unauthorized, but legit commercial software, at the end point. Given that, have you looked at and have thoughts about application control as a better way to secure the endpoint?

Greg Abelar said...

I was an advocate for application control for a long time. But it was explained to me that this would have to be enforced at either the operating system or at the application level. OS vendors run the risk of breaking some applications if they put in controls at the kernel, and the expense of building full AC into applications isn't one that app vendors are willing to incur.

I'm glad to see that you are asking these questions and raising awareness. If I haven't answered this question completely or perhaps misunderstood, please reply again, because as a security engineer and a concerned web citizen I don't want to overlook possible solutions.

Very Sincerely - Greg

With Great Power Comes Great Responsibility....raise the bar
