
Defining the Rules for Preemptive Host Protection

White Paper Published By: Internet Security Systems

Protecting desktop and server, or "host", systems has rapidly become a high priority for organizations that want to ensure uptime and the availability of day-to-day business applications. Today's hybrid threats are growing faster, more complex and more destructive.



Tags : 
intrusion prevention, high availability, network security, iss, internet security, web security, malware, internet security systems

Internet Security Systems
Published:  Aug 21, 2009
Type:  White Paper
Length:  12 pages

Defining the Rules for Preemptive Host Protection:
Internet Security Systems' Multi-Layered Strategy
By Joshua Corman, Host Protection Architect
Copyright © 2005 Internet Security Systems, Inc. All rights reserved worldwide.
INTRODUCTION

Protecting desktop and server - or "host" - systems has rapidly become a high priority for organizations that want to ensure uptime and the availability of day-to-day business applications. In 2003, the average cost of a virus disaster's impact rose approximately 23 percent, to $99,900 [1], a figure that's increased for eight consecutive years. Today's hybrid threats are growing faster, more complex and more destructive. Only Internet Security Systems (ISS) provides a multi-layered security solution that can provide the preemptive protection needed to stop these threats before they impact business operations.

Firewall and vulnerability-centric intrusion prevention provide protection for attacks that originate at the network level, while behavior-based, application-level protection is needed to stop buffer overflow exploits and malicious programs spread via e-mail, Web browsing and other file-centric threat vectors. The market's inability to identify and distinguish between these two primary threat vectors has resulted in confusion over which technologies can most effectively prevent a particular attack on the host.

Proventia® Desktop software protects host systems using a combination of personal firewall, intrusion prevention, buffer overflow exploit prevention, application control and virus prevention (VPS) - a brand new technology that uses patent-pending behavioral analysis to prevent worms, viruses, Trojans, and spyware. VPS technology fills the gap left open by traditional signature-based antivirus technology by stopping viruses and worms without needing a signature update.

This whitepaper will identify common problems associated with effectively protecting host systems and define the components of ISS' Proventia Desktop - a comprehensive solution offering a superior level of host protection.

Understanding Modern Threats to the Host

When researching threats to host systems, it is important to understand the primary phases of a successful attack. In one popular model, attacks on the host are broken into three phases - penetration, launch and propagation - as shown in Figure 1.

[Figure 1: Phases of an Attack on the Host. Labels: Network Vector and Application Vector, each with the phases Penetration, Launch and Propagation; zones marked Proactive Zone, Danger Zone, Proactive Zone.]

[1] ICSA Labs Virus Prevalence Survey 2003

Penetration: The compromise of a host which allows further malicious activity to occur. Penetration can occur through e-mail, Web browsers, remote buffer overflow or various other methods.
Launch: The execution of the attack's malicious payload. Launch methods can range from a user double-click to remote memory buffer overflow.
Propagation: Post-compromise activity intended to replicate, retrieve other components, transmit data or enable remote control.

Table 1: Definitions of Host Attack Phases

Protecting hosts from threats used to be much simpler. Because hosts are now so interconnected, they have become susceptible to many more types of attacks that threaten real-time business. Attacks target host systems using one of two major threat vectors: the network vector and the application vector, as illustrated in Figure 2. Similar to the spread of disease in biological pathology, attacks are carried by vectors to their targets.

[Figure 2: Threat Vectors Used in Recent Attacks. Labels: Network Vector, Application Vector; attacks shown: MyDoom, Sasser, Bagle, MS Blaster, Netsky, Welchia.]

The Network Threat Vector

Network-based attacks utilize malicious network traffic to remotely compromise their target systems. Unlike other threats, network-based attacks can penetrate, launch and propagate without human intervention. Network-based attacks on the host predominantly exploit vulnerabilities in protocols and network-aware processes. These vulnerabilities are ty... [download for more]
