
White Paper

The Role of CA Host-Based Intrusion Prevention System (CA HIPS) in Integrated Threat Management
Ellen Newlands January 2007

Table of Contents
Why Do You Need A Host-Based Intrusion Prevention System (HIPS)?
  Evolving Business Practices
  New Blended Threats Require New Prevention Strategies
  Anti-Virus and Anti-Spyware Are a Good Start, But Not Enough
  Additional Blended Solutions: Firewall, Intrusion Detection and Intrusion Prevention
The Three Technologies: Stand-Alone Firewall, Intrusion Detection and Intrusion Prevention
  Firewall
  Host-Based Intrusion Detection System
  Host-Based Intrusion Prevention System
HIPS and Zero-Day Protection
Stand-Alone Product Inefficiencies
CA HIPS Capabilities: Firewall, HIDS and HIPS Technologies Combined
  Learning Mode
  Policy and Rule Setting
  Policy-Based Client User Interface
The Role of CA HIPS in Integrated Threat Management
CA HIPS Rounds Out CA's Portfolio of Threat Protection Products
  CA Integrated Threat Management
  eTrust PestPatrol Anti-Spyware Corporate Edition
  eTrust Antivirus
  eTrust Secure Content Manager
Summary

Why Do You Need A Host-Based Intrusion Prevention System (HIPS)?


Evolving Business Practices
Let's start with the basics. Quite simply, every investment an organization makes in computer security is driven by a business need, or frankly, it is not a smart investment. Organizations today face the challenge of keeping their network doors open for business while ensuring that their digital assets (proprietary information, financial transactions, bandwidth resources, intellectual property, employee and customer data) are secure and readily available. When you consider the level of access and information sharing required to sustain business partnerships, customer collaboration, a remote and mobile workforce and government reporting regulations, it becomes clear that, from a network perspective, the threat line between outside the company and inside the company is difficult to draw. It would be easy to declare that threats only come from outside the enterprise and then create a set of rules to prevent intrusion at the gateway. In reality, there is just as much risk at the endpoint. Many times threats enter via an employee's inadvertent mistake, not through a conscious effort to do damage. This is especially true with today's mobile workforce. Increasingly people work remotely, carrying the endpoint, in the form of laptops, PDAs, smart phones and USB drives, beyond the protection of the corporate network, and then back in again. Employees can now work in coffee shops, airports, on airplanes, in cars, in hotels and from home, so the endpoints are on and off the corporate network frequently.

Picture this: Dad brings home the corporate laptop for the weekend to finish a presentation. He leaves the PC up and running in the family room while he watches the Pats/Jets game in the den. The kids find it, surf the net, download a cool new online game, and have hours of fun, all without Dad's knowledge. Come Monday morning, the laptop, downloaded game, infection and all, is reconnected to the corporate network.
Suddenly, it is no longer a problem of outside versus inside, and the perimeter is now a very wide, grey area. Defending the network solely at the gateway is difficult, and in this case the gateway is not the only gate into the organization. Adding endpoint protection, to protect individual laptops, desktops, PDAs and USB drives, makes sense when the edge of the corporate network is so flexible a boundary and consequently so hard to protect. For years, endpoint (or host-based) anti-spyware and anti-virus products provided sufficient protection from online threats such as spyware, trojans, viruses and other malware. So how do you protect the client from this broader threat?

New Blended Threats Require New Prevention Strategies


Times are changing. Over the past few years, malware creation and deployment has evolved from a hacker sport, populated by amateurs, to a profitable business, populated by software professionals. The goal of malware developers has migrated from bragging rights to ill-gotten gain; malware has become a subtle, sophisticated, and lucrative services business. Professional threat coders can use a combination of malware techniques, an email virus coupled with a spyware Trojan for example, to evade detection and deliver their malicious payload. These blended threats are difficult for any one threat prevention technology alone to detect and deter. Blended threats mandate blended protection.

Anti-Virus and Anti-Spyware Are a Good Start, But Not Enough


It takes multiple layers of defense to protect against today's wide variety of attacks and innovative blended threats. No one product or technique can protect against every possible combination of threats. Traditional anti-virus and anti-spyware defenses are still the cornerstone of a good enterprise threat defense, but they provide more comprehensive threat protection when coupled with behavior-based threat prevention. Anti-spyware and anti-virus software detect threats based on signatures: code must first be identified as malicious, a signature added to the list, and the organization's signature lists updated before such a threat can be identified and stopped. The time between the appearance of a new threat and the arrival of its signature on every endpoint, albeit short, leaves a window of opportunity for new, unidentified threats to infect endpoints and wreak havoc.

Additional Blended Solutions: Firewall, Intrusion Detection and Intrusion Prevention


In response to this new generation of threats, security professionals are increasingly shoring up their threat defenses by adding stand-alone firewall, intrusion detection and intrusion prevention products to augment the protection offered by anti-virus and anti-spyware software. As this trend has grown, industry experts have been making the same case.

In his recent article "Host-Based Intrusion Prevention", posted on About.com, Tony Bradley points out: "Using a combination of host-based technologies to identify, quarantine and eliminate malware threats is now a common security strategy for enterprise security professionals who want to stay one step ahead of the escalating malware coders. Deploying layered security, using anti-spyware, antivirus, firewall and intrusion detection products, is a widely accepted response to online attacks. The basic principle is that it takes multiple layers of defense to protect against the wide variety of attacks and threats. Not only can one product or technique not protect against every possible threat, therefore requiring different products for different threats, but having multiple lines of defense will hopefully allow one product to catch things that may have slipped past the outer defenses."

HIPS and Zero-Day Protection


HIPS technology is considered proactive because it allows a System Administrator to define the permitted behavior of an application within a system. This may be defined for an existing application, or the System Administrator may define a set of behaviors to apply when an application is unknown to the system. Policy may be used to prevent unknown malware from executing if its behavior violates the policies and rules set by the administrator, or to contain unknown software until the System Administrator has the chance to review it and make a decision. This behavior-based capability is what lets HIPS protect the organization from brand-new threats and give the System Administrator detail on a possible new set of attacks. Zero-day attacks exploit an operating system or application vulnerability before, or on the same day that, the vulnerability becomes publicly known, and typically before a vendor patch is available; no signature for the attack can exist yet. By applying a preset list of behavior policies, HIPS helps protect organizations from zero-day attacks.

The Three Technologies: Stand-Alone Firewall, Intrusion Detection and Intrusion Prevention

To set a common understanding of the additional layers of protection now recommended for a comprehensive threat solution, here is a brief review of the general capabilities of each of the three products: firewall, host-based intrusion detection systems (HIDS) and host-based intrusion prevention systems (HIPS). Definitions are taken from Webopedia.com and Security Wizardry.com.

Firewall

A logical barrier designed to prevent unauthorized or unwanted communications between sections of a computer network. A firewall protects a host by monitoring network packets and attempting to distinguish good traffic from bad, in both directions: inbound and outbound.

Host-Based Intrusion Detection System

A host-based intrusion detection system (HIDS) monitors host and server event/system logs from multiple sources for suspicious activity. It can alert a system administrator to this suspicious activity, but it cannot deter or prevent it from taking place.

Host-Based Intrusion Prevention System

A host-based intrusion prevention system (HIPS) protects a host by monitoring the applications that execute on it. HIPS products generally look at what a program does, either by intercepting system calls or by watching packets and other system activity. HIPS products are driven by policies: rules identify the activity, and the product then decides what happens to it based on those preset policies and rules. A HIPS can identify anomalous behavior, allow or restrict an application's ability to execute, and stop unknown code from executing.
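As an added illustration of the detect-but-not-prevent role of a HIDS described above (example code written for this page, not CA HIPS code): a small monitor that reads simplified event-log lines from two sources, keeps a sliding window of failed logons per account, and raises alerts. The EventID values 4625, 4624, 7045 and 7036 are the real Windows identifiers for failed logon, successful logon, service installation and service state change; the key=value line layout, accounts, addresses and paths are constructed for the example.

```python
"""Toy host-based intrusion detection over event logs (illustrative, not CA code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs. The key=value layout is invented for this example;
# the EventID values are the real Windows identifiers (4625 failed logon,
# 4624 successful logon, 7045 new service installed, 7036 service state change).
SECURITY_LOG = """\
2007-01-15 08:59:58 EventID=4625 Account=jsmith Source=198.51.100.23 Status=bad_password
2007-01-15 09:00:03 EventID=4625 Account=jsmith Source=198.51.100.23 Status=bad_password
2007-01-15 09:00:07 EventID=4625 Account=jsmith Source=198.51.100.23 Status=bad_password
2007-01-15 09:00:09 EventID=4624 Account=jsmith Source=198.51.100.23 LogonType=3
2007-01-15 09:20:00 EventID=4625 Account=admin Source=203.0.113.5 Status=bad_password
"""
SYSTEM_LOG = """\
2007-01-15 09:00:30 EventID=7045 Service=winupdsvc ImagePath=C:\\Users\\dad\\AppData\\Local\\Temp\\svc.exe
2007-01-15 09:01:00 EventID=7036 Service=Spooler State=running
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.+)$")


def parse(line):
    """Turn one log line into a dict of fields plus a datetime, or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return fields


class LogMonitor:
    """Detection only: it records alerts, it never blocks anything."""

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # account -> timestamps of recent failed logons
        self.flagged = set()                 # accounts already reported for guessing
        self.alerts = []                     # (timestamp, source, title, detail)

    def feed(self, source, line):
        ev = parse(line)
        if ev is None:
            return
        eid = ev.get("EventID")
        if eid == "4625":
            acct = ev["Account"]
            recent = self.failures[acct]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > self.window:   # slide the window
                recent.popleft()
            if len(recent) >= self.threshold and acct not in self.flagged:
                self.flagged.add(acct)
                self.alerts.append((ev["ts"], source, "password guessing",
                                    f"{len(recent)} failed logons for {acct} from {ev['Source']} "
                                    f"within {int(self.window.total_seconds())}s"))
        elif eid == "4624" and ev.get("Account") in self.flagged:
            # The guessed account then logged on: the guessing may have succeeded.
            self.alerts.append((ev["ts"], source, "guessing followed by success",
                                f"{ev['Account']} logged on from {ev['Source']}"))
        elif eid == "7045" and "\\temp\\" in ev.get("ImagePath", "").lower():
            # Services are normally installed from Program Files or System32, not a temp directory.
            self.alerts.append((ev["ts"], source, "service installed from temp path",
                                f"{ev['Service']} -> {ev['ImagePath']}"))


def run_demo():
    """Feed both constructed logs through one monitor and return its alerts in time order."""
    monitor = LogMonitor()
    for source, text in (("security", SECURITY_LOG), ("system", SYSTEM_LOG)):
        for line in text.splitlines():
            monitor.feed(source, line)
    return sorted(monitor.alerts, key=lambda a: a[0])


if __name__ == "__main__":
    for ts, source, title, detail in run_demo():
        print(f"{ts} [{source}] {title}: {detail}")
```

The point of the example is the boundary the definition draws: by the time the third alert fires, the service has already been installed and the guessed account is already logged on. Everything after that is the administrator's job, which is the gap a HIPS is meant to close.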

Stand-Alone Product Inefficiencies


The trouble with deploying several narrowly-focused point products, desktop firewall, host-based intrusion detection and host-based intrusion prevention systems, to complement traditional anti-spyware and anti-virus endpoint protection is that it is inefficient for System Administrators to manage three different point products. This is especially true if the goal is enterprise-level threat protection. Each product must be bought, installed, deployed, managed and maintained separately. In addition, the complementary technical capabilities of the three products cannot leverage each other, and the common services associated with all three products, such as reporting, auditing, patching and upgrading, must all be managed separately.

CA HIPS Capabilities: Firewall, HIDS and HIPS Technologies Combined


CA HIPS blends stand-alone firewall and intrusion detection and prevention capabilities to provide centralized proactive threat protection to counter online threats. This combination offers superior access control, policy enforcement and intrusion prevention management. This can all be administered from a central management console via a single, intuitive user interface.

Learning Mode
System Administrators can use the learning mode in CA HIPS to profile the activity of a group of machines and then base specific rules and policies on what was learned. This information can be used to create new policies, or edit existing ones, that detect anomalies relative to the known behavior, prevent potentially malicious activity, or contain new activity until a System Administrator deems it harmless. This feature helps ensure service continuity and keeps critical IT assets up and running by protecting resources and processes. It also helps the System Administrator customize environments based on business requirements and user work patterns.

The System Administrator can determine the level of access and control applied to the system, to groups of users or to an individual user. CA HIPS allows the system administrator to set up policies that apply to specific users when they are in specific roles or locations. IT professionals and network administrators can protect against security breaches and ensure service continuity by determining what traffic is appropriate in their network environment, what applications can communicate and even what behaviors and access rights on individual systems will be allowed or blocked. Centralized management functions allow for efficient and effective logging of all relevant events to help with compliance, reporting and investigations. The CA HIPS server collects and records the events that occur on each client. To help administrators make sense of the high volume of events, CA HIPS provides primary criteria that the System Administrator may use to filter the events. For example, the System Administrator can display a list of the last events uploaded to the server, or examine a specific event for more information using the additional filtering criteria on the convenient drop-down menu.

Policy and Rule Setting


A sophisticated policy management model provides the capability to set up dynamic security rules through a simple, easy-to-use interface. Administrators can apply rules dynamically and define them based on a number of factors, including the machine environment, the time of day, allowed applications, role and individual user, all from a central console. CA HIPS allows the administrator to set policies that apply rules for:

- Lightweight Directory Access Protocol (LDAP) or Microsoft Active Directory user groups (users, administrators)
- Computer groups (laptops, servers, devices)
- Firewall, IDS and IPS rules
- File protection
- Security levels
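As an added example that ties together the behavior-based policy model of the HIPS and Zero-Day Protection section, the learning mode, and the rule factors listed above (illustrative Python written for this page, not CA HIPS code; the Event and Rule formats, application names, computer groups, paths and addresses are all assumptions): a toy policy engine that first profiles a group of machines, then answers allow, deny or contain for each new action. Explicit rules, scoped by computer group and time of day, take precedence over the learned baseline; a known application doing something it never did during learning is denied as an anomaly, and an application the system has never seen is contained for administrator review.

```python
"""Toy behavior-based host policy engine (illustrative, not CA HIPS code)."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Event:
    """One observed action by a process on a host (format assumed for this example)."""
    host: str
    group: str      # computer group the host belongs to, e.g. "laptops" or "servers"
    app: str        # image name of the acting process
    action: str     # what it tried to do: "file_write", "net_connect", ...
    target: str     # path or address:port the action was aimed at
    at: time        # local time of day on the host


@dataclass(frozen=True)
class Rule:
    """An explicit administrator rule; "*" in app or groups matches anything."""
    app: str
    action: str
    target_prefix: str
    verdict: str                     # "allow" or "deny"
    groups: frozenset = frozenset({"*"})
    start: time = time(0, 0)         # time-of-day window; a window that wraps past
    end: time = time(23, 59, 59)     # midnight must be written as two rules

    def matches(self, ev: Event) -> bool:
        return (self.app in ("*", ev.app)
                and self.action == ev.action
                and ev.target.startswith(self.target_prefix)
                and ("*" in self.groups or ev.group in self.groups)
                and self.start <= ev.at <= self.end)


class HostPolicy:
    def __init__(self, rules):
        self.rules = list(rules)        # evaluated in order; first match wins
        self.baseline = set()           # (app, action, target) seen in learning mode
        self.quarantine = []            # events from unknown apps, held for admin review

    def learn(self, events):
        """Learning mode: profile clean activity instead of enforcing."""
        for ev in events:
            self.baseline.add((ev.app, ev.action, ev.target))

    def decide(self, ev: Event):
        """Return (verdict, reason) for a live event."""
        for rule in self.rules:
            if rule.matches(ev):
                return rule.verdict, f"rule:{rule.app}/{rule.action}/{rule.target_prefix}"
        if (ev.app, ev.action, ev.target) in self.baseline:
            return "allow", "baseline"
        if any(app == ev.app for app, _, _ in self.baseline):
            # A known application doing something it never did while learning.
            return "deny", "anomaly"
        # Never seen this application at all: hold it until an administrator decides.
        self.quarantine.append(ev)
        return "contain", "unknown-app"


# Assumed rules. Deny rules are listed first so they win over allows and the baseline.
RULES = [
    Rule("*", "file_write", "C:\\Windows\\System32\\", "deny", frozenset({"laptops"})),
    Rule("outlook.exe", "net_connect", "mail.example.com:443", "allow"),
    # Remote administration of servers only inside the 01:00-04:00 maintenance window.
    Rule("remote_admin.exe", "net_connect", "10.0.0.", "allow",
         frozenset({"servers"}), time(1, 0), time(4, 0)),
]

# Constructed learning-mode observations from a clean laptop.
LEARNED = [
    Event("LT-001", "laptops", "winword.exe", "file_write", "C:\\Users\\dad\\Documents\\deck.docx", time(9, 15)),
    Event("LT-001", "laptops", "winword.exe", "net_connect", "updates.example.com:443", time(9, 16)),
]


def demo():
    """Profile LEARNED, then decide on a constructed Monday-morning set of live events."""
    policy = HostPolicy(RULES)
    policy.learn(LEARNED)
    live = [
        Event("LT-001", "laptops", "winword.exe", "file_write", "C:\\Users\\dad\\Documents\\deck.docx", time(10, 0)),
        Event("LT-001", "laptops", "winword.exe", "net_connect", "203.0.113.7:8080", time(10, 1)),
        Event("LT-001", "laptops", "coolgame.exe", "file_write", "C:\\Windows\\System32\\drivers\\x.sys", time(10, 2)),
        Event("LT-001", "laptops", "coolgame.exe", "net_connect", "198.51.100.9:6667", time(10, 3)),
        Event("SRV-01", "servers", "remote_admin.exe", "net_connect", "10.0.0.5:5985", time(2, 30)),
        Event("SRV-01", "servers", "remote_admin.exe", "net_connect", "10.0.0.5:5985", time(14, 30)),
    ]
    return [(ev.app, ev.action, *policy.decide(ev)) for ev in live]


if __name__ == "__main__":
    for app, action, verdict, reason in demo():
        print(f"{verdict:8} {app:18} {action:12} ({reason})")
```

Two design choices carry the weight here. Explicit rules are evaluated before the baseline, so a learned allow can never override an administrator's deny; and the default for a never-seen application is contain rather than deny, which is what lets the downloaded game in the opening story be stopped without a signature while still giving the administrator the event to review.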

Policy-Based Client User Interface


CA HIPS provides an intuitive client user interface for end users. Depending on the policies set by the System Administrator, end users can see and modify CA HIPS defensive measures and block new attacks to the desktops if necessary. This feature is set centrally by the administrator and can be turned on or off at the administrators discretion.

Figure 1. Client User Interface

The Role of CA HIPS in Integrated Threat Management


The appearance of blended threats and zero-day attacks highlight the importance of adding behavior-based, proactive threat prevention capabilities to your existing threat protection strategy. CA HIPS enables organizations to easily manage and monitor network traffic and system behavior for Windows-based assets. This helps organizations determine what traffic is appropriate, what applications can communicate and even what behaviors and access rights on individual systems will be allowed or blocked. To further aid IT administrators, all relevant events are logged to assist with compliance, reporting and investigations. CA HIPS reduces the risk of downtime by preventing malware, spyware, and adware and rogue software from gaining access to the network via the endpoint. It helps improve cost and operational efficiencies by reducing or eliminating remediation expenses and help desk costs. CA HIPS also ensures service continuity and helps keep critical IT assets up and running by protecting resources and processes in the absence of signature-based updates. It protects assets by allowing for the creation of rules for blocking access to protect critical information and data against zero-day attacks and facilitates compliance, monitoring and investigations by providing centralized event logs and graph-based reports. Adding CA HIPS to existing endpoint threat defenses helps prevent known and unknown threats such as malware, spyware, adware and rogue software from penetrating the organizations network. The behavior-based technology of CA HIPS enhances the protection offered by traditional anti-virus and anti-spyware, resulting in multiple layers of threat protection.

CA HIPS Rounds Out CA's Portfolio of Threat Protection Products


CA HIPS also enhances the protection that CA's existing threat management products provide. CA HIPS has been designed and tested to be compatible with, and complementary to, CA Integrated Threat Management, eTrust PestPatrol Anti-Spyware Corporate Edition, eTrust Antivirus and eTrust Secure Content Manager. When CA HIPS is deployed in conjunction with these products, the result is a multilayered, comprehensive defense against threats.

CA Integrated Threat Management

CA Integrated Threat Management protects endpoint systems, both stationary (e.g., in an office) and mobile (remote/traveling), from a wide variety of vulnerabilities, threats and pests. It combines best-of-breed security solutions: eTrust PestPatrol Anti-Spyware Corporate Edition and eTrust Antivirus. It uses a single, common, integrated management console to reduce installation complexity, simplify the system image, reduce support costs and raise efficiency through a common agent, logging facility, updates and other common services.

eTrust PestPatrol Anti-Spyware Corporate Edition

eTrust PestPatrol Anti-Spyware Corporate Edition prevents, detects and removes spyware, hacker tools and non-viral malware, as well as annoying pests like adware. It helps protect users from diminished PC and network performance, unauthorized access and information theft (business and personal).

eTrust Antivirus

eTrust Antivirus provides enterprise-class protection against virtually all forms of costly virus attacks, from the gateway to the PDA. It offers easy methods to implement, administer and update signatures, and safeguards enterprise users from viruses and malicious code before they can enter the network.

eTrust Secure Content Manager

CA understands that effective security is best implemented in layers, and threats stopped at the gateway never get the chance to affect the endpoint systems or network traffic protected behind it. This is why CA offers eTrust Secure Content Manager for gateway-level protection in addition to its endpoint security products. eTrust Secure Content Manager is a unified gateway solution that secures, monitors, filters and blocks potential threats in messaging and web traffic, from a central management console.

Summary
Today's aggressive, blended threats targeted at the enterprise require aggressive, blended threat defenses to counter them. The CA HIPS combination of stand-alone firewall, intrusion detection and intrusion prevention technologies provides behavior-based, proactive protection from blended threats and makes it an excellent addition to the current arsenal of enterprise threat prevention applications.

Copyright 2007 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document AS IS without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP311740107
