Friday, May 7, 2010

Live Web Seminar with Bit9

I will be talking about the failure of HIPS to provide scalable endpoint security and the acceptance of application whitelisting as a foundational layer in conjunction with AV. One of the big problems with HIPS is that it is prohibitively expensive from an administrative standpoint. I think it is an interesting topic since I have some experience with what is now Cisco CSA. I hope you can join us on May 19th at 2:00 ET.

"While significant enterprise security resources are devoted to prevention of malicious code infections, malware continues to frustrate security teams. Traditional anti-virus approaches have proven to be ineffective against modern attacks, and organizations that have tried host intrusion prevention find that technology is not an effective part of the endpoint security solution. Application whitelisting monitors endpoints in real time to ensure that only authorized programs can run, and that those programs have not been modified by malware."


  1. Hi, I'm a security guy in Europe (which means your talk will be at 20.00 local, not sure I'll be able to make that) but I do have some questions I'd like to ask anyway:

    I have some CSA experience as well and I like the solution, even if it has a steep learning curve and is hard to introduce into a new company. I was therefore disappointed to find out that the long-running rumors that CSA development will stop are true (it has stopped actually, now that 6.02 has been released).
    So my questions are (especially considering the timing of your talk):

    1. What is the future of these solutions if a company like Cisco is unable to make it commercially interesting?

    2. Are there any serious alternatives to CSA, or do you believe CSA will actually have a future anyway (within Cisco or otherwise)?

    Love to hear your view.

    Regards, Joost

  2. Hi Joost,

    I’ve been out hiking for a week and I’m just getting back. I also didn’t want to spoil the webcast thunder so I waited an extra day or two. Sorry you couldn’t join Bit9 and me today. The web event was very very well attended and I hope people got something out of it. I am also hoping that between the white paper and the blog something I say will help you out ;).

    The problem with HIPS is not that it doesn’t secure endpoints; it does. It’s that it doesn’t secure endpoints at an acceptable cost to IT and blocks too many legit user actions. Enterprise security guys that I’ve talked with report no impact from new attacks because HIPS blocked an action the attack needed (file, network, or registry activity). Unfortunately, it also blocks custom corporate applications and requires re-tuning for every software upgrade for every variant of user desktop. If you have a user community of any size or variety then the admin support costs make HIPS quickly impractical (e.g. running down false positives, modifying rule sets, apologizing to users, etc.). It is just way too complex for mere mortals.

    I’m not convinced that HIPS ever got past the admin issues to become a realistic market with over $100M in revenues (an arbitrary number I use to indicate market appeal and vendor staying power. If the security companies in a segment don’t tally up to $100M, then it is probably a very niche play that will eventually become a product feature somewhere else. I consider DLP to fall into this category. Lots of hype but the lack of revenue is a more accurate reflection of value to the customer.). So I would definitely say that the HIPS bubble has burst and it is time to move on. And that is something I would not have dreamed of saying even 3 years ago.

    Cisco’s issue may well be that it is a company that generates billions of dollars in networking gear each year. A niche endpoint security product probably would have had a better chance in a software company. Cisco will surely support CSA for its customers, and perhaps it will find its way into Cisco management software (e.g. people will deploy HIPS as part of some other thing). But it is time to look at alternative solutions that can work in conjunction with AV.

    In many ways application whitelisting (AWL) is a next generation HIPS approach that relies upon network security products to catch unauthorized connections that indicate an attack in progress, such as phoning home. AWL shares the positive approach with HIPS of catching endpoint attacks, but does it in a way that is less invasive to users. So I’d suggest that HIPS needs to recognize and coordinate with network elements – perhaps using the Trusted Computing Group’s IF-MAP as a great starting point. That might give HIPS a better chance to use its behavioral tendencies to coordinate elements to resolve an anomaly and let other products make the allow/block decisions. Having said that, there are other HIPS-ish approaches that I find interesting. FireEye has a neat idea for detecting attacks in a network device that may scale more easily than endpoint security software.

    One idea I find intriguing, but may be a little too early, is the use of disposable virtual desktops. At some point the cost of fixing products becomes greater than the cost of replacement. People seldom send home printers, mobile phones or even PCs out to repair anymore – it is just as easy to get a new one and copy the data over. Perhaps the role of HIPS is to recognize when a VM has become infected, and instead of trying to figure out what happened or why, it just coordinates with server software to toss out the bad VM and refresh the endpoint with a new one. If HIPS coordinates with the VM server, then maybe the dynamic VDI only needs to replace infected blocks and not stream a whole new desktop. Just a thought … maybe it will be a less appealing idea when I get off the airplane … ;).


  3. A few questions came up during the webcast. I'm sure Bit9 is following up, so I will leave most of those to them. There are 4 general ones that I can take a crack at, though, with brief responses.

    Q: Why would I need both AV and AWL (Dan S./Don G.)? Well, AV is one of the few technologies that can clean an attack, and there is nothing wrong with blocking something bad if it is recognized. Application whitelisting can stop attacks by taking away their ability to execute within a trusted program. I think AV is over-valued, but I do not recommend running without it (because it could be a career limiting move). I do recommend shifting resources to a balanced positive model and looking at some of the cheaper/free products from publicly held companies.

    Q: Why won't AWL kill performance like AV (Vincent H.)? AWL has a relatively short list to check as an application launches; AV has a huge list of signatures to check, and that list is growing rapidly.

    Q: My security testing lab needs to run nasty applications - can AWL handle that (Matthew U.)? Probably. Defining trusted sources helps with the nasty apps and grouping users and actions helps admin the nasty testers. It is certainly easier than maintaining a separate set of precise HIPS rules.

    Q: Is HIPS ready for the recycle bin because it is too complex (Erik I.)? Yup.
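As an added example (not code from this post, from Bit9, or from any product mentioned here), the launch-time decision the abstract and the Q&A above describe, reduced to its core: a short allowlist enrolled from known-good files and keyed by content hash, consulted once when a program launches, which blocks both an unapproved program and an approved program whose bytes have since been modified. The file names and contents are constructed for the demo; a real deployment would enroll hashes from a trusted source, not compute them on the endpoint at run time.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Hash the exact bytes on disk; any modification changes the digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """Enroll known-good programs: the allowlist is a small dict keyed by digest."""
    return {sha256_of_file(p): os.path.basename(p) for p in paths}


def launch_decision(path, allowlist):
    """Return ("allow", name) or ("block", reason) for a program about to run.
    This is one dict lookup, which is why the check stays cheap as the
    allowlist grows, unlike scanning against a large signature set."""
    if not os.path.isfile(path):
        return ("block", "no such file")
    digest = sha256_of_file(path)
    name = allowlist.get(digest)
    if name is None:
        return ("block", f"{os.path.basename(path)} not enrolled (sha256={digest[:12]}...)")
    return ("allow", name)


def demo():
    """Constructed scenario: one enrolled program, one unapproved one, then the
    enrolled program after a simulated in-place modification."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "payroll.exe")        # constructed, enrolled
        other = os.path.join(d, "unapproved.exe")    # constructed, not enrolled
        with open(good, "wb") as f:
            f.write(b"MZ-constructed-known-good-payroll-binary")
        with open(other, "wb") as f:
            f.write(b"MZ-constructed-unapproved-binary")
        allowlist = build_allowlist([good])
        results = {"approved": launch_decision(good, allowlist)[0],
                   "unapproved": launch_decision(other, allowlist)[0]}
        # Same path and name as the enrolled program, but the bytes changed,
        # so its digest no longer matches the enrolled one.
        with open(good, "ab") as f:
            f.write(b"-constructed-modification")
        results["tampered"] = launch_decision(good, allowlist)[0]
        return results
```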