Does CSA's End-of-Life Signal the End of HIPS?
by Fatih Comlekoglu, Chief Software Architect
With software maintenance ending in December 2011, Cisco Security Agent (CSA) reaches End of Life. The product began as Okena StormWatch, first introduced in the late nineties; Cisco acquired Okena in 2003 and renamed StormWatch as CSA. Other security vendors acquired similar Host Intrusion Prevention System (HIPS) products of the same era. The CSA end-of-life also confirms the end of an era for HIPS, even though similar HIPS products are still being marketed by those same vendors.
The new owners of the acquired HIPS products never improved them to address today's threats. Designed to address malware of the Windows 95 and Windows 2000 era, these HIPS products stayed frozen in time. As Windows evolved over a decade through Vista and Windows 7, Microsoft introduced protection capabilities of its own: DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), hardening of the structured exception handling path against arbitrary code execution (SafeSEH and, later, SEHOP), and UAC (User Account Control). After these changes, the decade-old HIPS defenses, built primarily against Windows 95 and Windows 2000 era malware, became largely redundant. And as the Windows protections improved, malware adapted: the new generation no longer needs local administrative rights to cause damage, and HIPS solutions have proved helpless against it.
HIPS products were too focused on the application anomalies of the Windows 2000 era and on unpredictable application behaviors. The result was per-application tuning of rules, false positives, and pop-up dialog boxes asking users to make advanced security decisions. Rules and exceptions had to be formed for each application and re-formed whenever that application was updated, a tremendous burden on administrators managing thousands of applications day to day. The millions of events generated daily paralyzed administrators of even the smallest deployments.
THE MYTH OF WHITELISTING AND THE NEED FOR THE NEXT GENERATION OF WHITELISTING
Today, the same experts who led us into the HIPS cul-de-sac are telling audiences that traditional whitelisting is the silver bullet for malware defense. Although HIPS and traditional whitelisting are vastly different technologies, they share the same weakness: both carry so much day-to-day administrative overhead that managing the product becomes the central task rather than protecting the enterprise. Where HIPS administrators had to constantly tune HIPS rules, administrators of traditional whitelisting products must track every software update and security patch and ensure that new signatures reach the endpoints before those patches and updates can be applied.
Traditional whitelisting solutions rest on a myth: that if an application is signed and approved, the application is safe. Today's malware can hijack a perfectly legitimate, signed, whitelisted application at run time. The hijacked application can encrypt the user's data and demand a ransom for the decryption key. A hijacked application can "migrate" to another perfectly whitelisted application by altering the Windows registry, by performing code injection, or by modifying the memory of a running process. Or a whitelisted application could peek into the memory of an important financial application to steal financial data, or read the user's files and upload their contents to a server on the Internet. In every case the whitelist check passed, because it examined the file on disk at launch, not what the process did afterwards.
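The registry route above, by which code planted by one process gets loaded into, or run in place of, another whitelisted executable, is something an administrator can check for from an elevated PowerShell prompt. The script below is an added example written for this page; it is not part of the original article or of any product it describes. The two registry locations it inspects, the AppInit_DLLs value and the "Debugger" values under Image File Execution Options, are this editor's assumption about which registry alterations are meant, since the article does not name any.

```powershell
# Added example (not from the original article): list two registry
# mechanisms that let foreign code ride along with, or replace, an
# allowlisted executable at launch. The keys below are an assumption
# about which "registry alterations" the article refers to.

$findings = @()

# 1. AppInit_DLLs: every DLL listed here is loaded into each process that
#    loads user32.dll, including signed, allowlisted applications.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props.AppInit_DLLs -and $props.AppInit_DLLs.Trim() -ne '') {
            $findings += [pscustomobject]@{
                Mechanism = 'AppInit_DLLs'
                Location  = $key
                Value     = $props.AppInit_DLLs
                Enabled   = ($props.LoadAppInit_DLLs -eq 1)
            }
        }
    }
}

# 2. Image File Execution Options "Debugger": when <exe> is launched,
#    Windows starts the Debugger value instead and passes <exe> to it.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $debugger = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings += [pscustomobject]@{
            Mechanism = 'IFEO Debugger'
            Location  = $_.PSChildName   # the executable name being redirected
            Value     = $debugger
            Enabled   = $true
        }
    }
}

if ($findings.Count -eq 0) {
    'No AppInit_DLLs or IFEO Debugger entries found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it as Administrator on the machine under review. Neither key is malicious by itself: a Debugger value is also how a legitimate debugger attaches to a process at launch, and some legitimate software uses AppInit_DLLs, so each finding has to be compared with what the whitelist actually approved. An entry that points at an unknown or unsigned file is the finding, not the existence of the key.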
THE NEXT GENERATION SOLUTION
Enterprises and consumers deserve better protection against today's ever-evolving malware: dynamic whitelisting that not only verifies that an application is genuine at launch but also protects the application at run time from being hijacked. The draconian techniques used by HIPS and traditional whitelisting solutions are unworkable. The next generation solution should not hinder users from downloading and running the applications of their choice, nor should users need to worry whether a downloaded PDF or Word document contains malicious content. Next generation solutions should give users that freedom while protecting the entire system from user-downloaded content and user-downloaded programs.