How does HIPS fit into a security strategy?


    HIPS is a relatively new addition to the LANDesk product range and one I feel is often misunderstood. With HIPS soon to be included by default within Security Suite, why would an environment need it if it already has most other kinds of protection?


    If we look at the other types of protection such as Anti-Virus, Spyware Scanning, Patching, Application Blocking etc., what we see are mechanisms that rely almost entirely on the 'known threat'. In order to be effective, somebody must first have recognised a threat, then developed a method to scan for it, and finally a method to patch or recover from an attack. In the best case a system gets patched before it is attacked; in the worst case a system gets cleaned after infection or attack.


    The fact that the protection relies on a known threat means that, for a period of time, systems remain open to attack from an unknown threat. Steps can be taken to reduce this risk, such as locking down systems, using the Security Threats capability of Security Suite, the use of firewalls, and the use of internet filtering, but something unknown could still creep through.


    This is what HIPS is all about. It is a proactive method of protection. It protects against the unknown threat by identifying and preventing undesirable behaviours such as buffer overflows, unusual use of email transmissions and other behaviours commonly linked to misuse of systems, while still allowing the system to function. In addition, it turns application blocking from a reactive 'blacklisting' model into a proactive 'whitelisting' model, where known business applications are allowed to run but unknown applications are blocked.


    Application whitelisting is powerful and effective for those willing to take the time to know their business. In a managed environment the IT department understands the business and supports what it needs to run, and whitelisting is ideal for this type of environment since it removes the impossible task of banning all 'bad' applications. In unmanaged environments the IT department reacts to requests but doesn't understand enough of the business to recognise what the business needs; in these cases whitelisting will appear to be damaging to the business because it stops vital applications. HIPS in learn mode helps these organisations examine the normal usage of systems and define this 'good' list of applications so that the whitelist can be created.
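    The learn-mode-to-whitelist flow described above, as an added illustration rather than LANDesk's own code: a toy in which learn mode records which executables run on which hosts, only binaries seen on enough machines become the 'good' list, stragglers go to an administrator's review queue, and enforce mode then allows known applications and blocks anything else. The host threshold, the path-keyed whitelist and the execution events are all constructed assumptions of this example.

```python
"""Toy HIPS application whitelisting: learn mode builds the 'good' list,
enforce mode allows only what is on it. Added example; not LANDesk code.
Assumptions: applications are keyed by executable path (a real product
would key on file hash or signer), and a binary must be seen on at least
MIN_HOSTS machines during learning before it is admitted automatically."""
from typing import Dict, List, Set, Tuple

MIN_HOSTS = 2  # assumed threshold for automatic admission

# Constructed learn-mode telemetry: (hostname, executable path).
LEARN_EVENTS: List[Tuple[str, str]] = [
    ("ws01", r"C:\Program Files\Office\WINWORD.EXE"),
    ("ws02", r"C:\Program Files\Office\WINWORD.EXE"),
    ("ws03", r"C:\Program Files\Office\WINWORD.EXE"),
    ("ws01", r"C:\Apps\LineOfBusiness\erp.exe"),
    ("ws02", r"C:\Apps\LineOfBusiness\erp.exe"),
    ("ws03", r"C:\Users\bob\Downloads\game.exe"),  # seen on one host only
]


def _hosts_per_exe(events: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Group learn-mode events by (case-folded) executable path."""
    seen: Dict[str, Set[str]] = {}
    for host, exe in events:
        seen.setdefault(exe.lower(), set()).add(host)
    return seen


def build_whitelist(events: List[Tuple[str, str]],
                    min_hosts: int = MIN_HOSTS) -> Dict[str, int]:
    """Learn mode: executables observed on at least min_hosts machines,
    mapped to the number of hosts that ran them. A one-off binary is not
    admitted silently, so a stray download during the learn period does
    not become a 'known business application' by accident."""
    return {exe: len(hosts) for exe, hosts in _hosts_per_exe(events).items()
            if len(hosts) >= min_hosts}


def review_queue(events: List[Tuple[str, str]],
                 min_hosts: int = MIN_HOSTS) -> List[str]:
    """Executables seen during learning but below the host threshold;
    an administrator who knows the business decides whether they belong."""
    return sorted(exe for exe, hosts in _hosts_per_exe(events).items()
                  if len(hosts) < min_hosts)


def decide(whitelist: Dict[str, int], exe: str) -> str:
    """Enforce mode: allow a known application, block everything unknown."""
    return "allow" if exe.lower() in whitelist else "block"
```

    Tuning MIN_HOSTS and the length of the learn period is where knowing the business matters: too short or too permissive and unwanted software is baked into the list, too strict and vital single-user applications land in the review queue.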


    HIPS is the proactive line of defense your organisation needs to deal with the unknown threats: the threats that have gone beyond the old zero-day vulnerability concerns and have become the negative-day nightmare. With the capability of HIPS and a bit of care and attention you become the overseer of the environment, identifying bad behaviour and removing it before it becomes an issue.


    Mark Star - MarXtar LANDesk Enhancements