Preventing Attacks From Subverting Your Network

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The market for software that prevents attackers from gaining access to
corporate networks has just become a lot more interesting with the
introduction of Blink, a new defensive suite from eEye Digital Security.

The makers of Blink say it takes a new approach to intrusion prevention, but
competitors disagree. Who can you believe?

A Choice Of Where To Draw The Line

Intrusion-prevention software (IPS) has been available to enterprises for
some time. I wrote, for example, on
June 7 about a new release of Sana Security’s Primary
Response IPS, contrasting it with Cisco’s Security Agent and McAfee’s Entercept.

Blink uses a different and more effective approach than other
intrusion-prevention software, according to Firas Raouf, COO of eEye. One
way of looking at the differences is to consider various places where
intrusion-prevention software can reside.

• The Process Layer.
The “process layer” is the conceptual area where software applications run,
whether on a corporate server or in a PC. “Host-based” intrusion-prevention
software (HIPS) can monitor the processes within machines and attempt to
detect and halt unusual behavior that suggests a possible hacker attack.

• The Network Layer.
The “network layer” is the portion of an operating system that is closest to
a machine’s hardware connection to the Internet or a local area network.
Blink carefully monitors activity in this layer to stop attacks, Raouf says,
before they ever get a chance to interact with processes and applications.

• The Hardware Layer.
Every machine that’s connected to a network has some kind of networking
card that handles the physical tasks of communication. “Network-based”
intrusion-prevention systems (NIPS), which defend at the hardware layer, usually
take the form of a physical appliance that’s installed between the Internet
and the networking card on corporate servers. Although they can be effective
against external attacks, network-based defenses can’t protect against rogue
applications that may be running within a corporation’s PCs or insiders who
seek unauthorized access.

The new Blink software, which was first released last month, protects the
network layer of the operating system against unusual activity —
without relying on a list of attack “signatures,” Raouf says. This preventive capability, plus eEye’s new application- and system-level software firewalls,
plus its Retina vulnerability assessment tool (which has been available
in some form since 2000), have been combined to form Blink.

Guarding Against Behaviors Rather Than Signatures

Blink installs onto every server and client PC in a company. While a
deployment this broad may be a daunting task for some large corporations,
once Blink is widely installed it offers enterprise-wide managability with
centralized dashboards and policy setting, eEye says. Adding these capabilities
throughout a company, Raouf explains, offers the following benefits:

• Defense Against “Zero-Day” Attacks.
Blink’s behavior-monitoring approach means that PCs running it are protected
against new assaults, known as zero-day attacks, that take advantage of
previously-unknown vulnerabilities for which no vendor patch is available.
Using this technique, eEye’s software was able to hold off such widespread
exploits as Code Red and LSASS, Raouf says.

• No More “Panic Patching.”
When patches for newfound security holes do become available from software
publishers, it may not be necessary for enterprises running Blink to install
those patches ona crash basis to prevent a successful intrusion. If
Blink is already guarding against a particular hacker exploit, installation
of the new patches can wait for the next regular maintenance cycle, saving
labor and downtime costs.

• Protecting Roaming Laptops.
A mere “security perimeter” approach to defense is flawed because corporate
workers routinely take their laptops and other portable devices outside the
perimeter. When these devices return onsite and are again plugged into the
local network, any Trojan-horse software they may have caught has an
opportunity to probe across the LAN for vulnerabilities. Installing Blink on
mobile devices defends them from attack when they’re off the network.

eEye officials believe their new software approach offers better overall
protection than other intrusion-prevention software. Enterprises seem to echo
this confidence, with clients such as Citigroup, Prudential, the U.S. Dept. of
Defense and many others filling eEye’s roster. “Fifty percent of our revenue
[from eEye’s earlier products] comes from deals that are $100,000 and above”
for first-year contracts, Raouf says.

The Battle Is Joined

To underline its belief in the superiority of its products,

eEye has created a comparison chart that pits Blink against its
competitors. The chart shows that eEye ranks Blink strongly vs. Cisco Security Agent, McAfee Entercept, ZoneLabs Integrity, ISS RealSecure,
and four other products that vie for market share.

Jason Coombs, director of forensic services for security vendor PivX Solutions,
disagrees that Blink has the best approach. PivX is not listed in eEye’s
competitive chart because its new IPS offering, Quik-Fix Pro, just began
shipping on Aug. 16. But Coombs says his company’s product has advantages
over the layered approach Blink uses.

“In order to block the attack, Blink has to identify the attack,” he explains.
“We have the ability to solve the underlying vunerability that hackers would
take advantage of.” Quik-Fix Pro, Coombs says, acts like a series of patches
for Microsoft Windows and numerous Windows applications that otherwise would
be susceptible to stealthy intrusions.

Blink 1.0 has some of the rough spots associated with a new release,
according to an Aug. 16 review by eWeek.com. Reviewer Cameron
Sturdevant found that Blink had trouble installing and reporting back
to central management, and lacks integration with antivirus and other
security software.

Blink lists for $56 per device on an annual basis, which drops to about $40
per device for installations of 500 or more. eEye is marketing Blink at this
time only to customers with more than 500 machines, but a package
for companies who want to protect as few as 10 machines will be available
by the first quarter of 2005, Raouf adds. For more information, see eEye’s
Blink product page.

Quik-Fix Pro lists for $60 per PC and $500 per server. More information is
available at PivX.com.

In this space next week, I’ll bring you responses from other Blink competitors
who have their own views of this rapidly changing field.