Host Intrusion Prevention Systems (HIPS) complement perimeter defenses, and play a vital role in protecting critical applications and sensitive data from a security breach. As such, the process of selecting the right HIPS - one that provides the required protection while addressing operational security concerns, and minimizing the impact on IT resources - is an important one. This white paper identifies twelve critical questions that organizations need to consider when selecting a HIPS product. These questions relate to protection, manageability, integration and speed.
Enterprises today recognize the importance of securing their hosts, applications and data from a security breach. They know that:
- Financially motivated cyber-criminals are increasingly targeting enterprises.
- Perimeter defenses, while important, can be readily bypassed or penetrated, often by insiders.
- It can take weeks or months to fully test and deploy the latest patches for operating systems and enterprise and web applications, leaving a significant vulnerability gap that attackers can exploit.
- The costs of a breach - including those associated with business disruption, lost revenue, customer turnover, lower productivity, and remediation and support - are high.
- Regulations, standards, and service level agreements with customers increasingly require additional, host-based compensating controls.
Host Intrusion Prevention Systems (HIPS) have emerged as a security best practice that addresses these issues. Because of the vital role that HIPS plays in a proactive, defense-in-depth strategy, the process of selecting the right HIPS - one that provides the required protection while addressing operational security concerns, and minimizing the impact on IT resources - is an important one.
To help ensure organizations evaluate and select the appropriate HIPS product for their environment, here are twelve critical questions that should be asked of every vendor, about their HIPS product.
1. How does it minimize false positives?
The accuracy of a HIPS - as measured by its rate of false positives and false negatives - is crucial. False positives require investigation that consumes valuable and often scarce IT resources, and can undermine the confidence of business owners. HIPS implementations that rely solely on behavioral analysis must first learn what normal behavior is for a host, and then identify and block anomalous behavior. As such, they must be retrained whenever the software running on the host changes. In contrast, HIPS products that use a blended approach of network techniques - such as a stateful firewall, signatures, and other filters that shield known vulnerabilities from unknown exploits and enforce application and protocol behavior - can be fine-tuned for greater accuracy, and don't require a training period. This blended approach also gives organizations maximum flexibility, because each filter can be adjusted or tuned (for example, switched between blocking and log-only) to match the organization's risk profile.
2. Can it prove you were protected?
While stopping an attack is the ultimate goal of any HIPS, it's also important to know - and to be able to prove to auditors and other business executives - that your systems were actually protected from a specific threat. With HIPS products that use a behavioral-only approach, you don't know whether you're protected unless you test it by launching the specific exploit or malware against the host. In contrast, filtering-based HIPS products link each rule to the vulnerability it shields, so it's easy to determine from the rule set alone whether the necessary protection was in place.
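To make the last two questions concrete, here is an added example (not code from the white paper or from any vendor's product) of the rule-to-vulnerability linkage that a filtering-based HIPS relies on. Each filter carries the identifier of the vulnerability it shields, inspects traffic for a specific protocol, and can be tuned between "block" and "log" without retraining. Because the linkage is explicit, the engine can answer "was this host protected against vulnerability X?" from the rule set alone, and every match is recorded as evidence. The vulnerability identifiers (VULN-0001, VULN-0002), rule names, patterns and sample HTTP requests are all constructed placeholders for illustration.

```python
"""Vulnerability-shield filter engine: added example, not a vendor's code.

Rule IDs, vulnerability IDs (VULN-xxxx) and the sample requests below are
constructed placeholders, not real identifiers or real traffic.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rule:
    """One filter: a protocol-level pattern tied to the vulnerability it shields."""
    rule_id: str
    shields: str            # placeholder vulnerability identifier, e.g. "VULN-0001"
    protocol: str           # traffic the filter applies to, e.g. "http"
    pattern: re.Pattern     # bytes regex run against the raw request
    action: str = "block"   # "block" drops the request; "log" only records the match


@dataclass
class Verdict:
    allowed: bool
    matched: list = field(default_factory=list)   # rule_ids that fired


class FilterEngine:
    def __init__(self, rules):
        self.rules = {r.rule_id: r for r in rules}
        self.evidence = []   # (utc timestamp, rule_id, shielded vuln, action taken)

    def tune(self, rule_id, action):
        """Switch a rule between 'block' and 'log'; no learning period is needed."""
        r = self.rules[rule_id]
        self.rules[rule_id] = Rule(r.rule_id, r.shields, r.protocol, r.pattern, action)

    def inspect(self, protocol, payload):
        """Run every rule for this protocol over the raw payload (deep packet inspection)."""
        verdict = Verdict(allowed=True)
        for r in self.rules.values():
            if r.protocol != protocol or not r.pattern.search(payload):
                continue
            verdict.matched.append(r.rule_id)
            self.evidence.append(
                (datetime.now(timezone.utc).isoformat(), r.rule_id, r.shields, r.action))
            if r.action == "block":
                verdict.allowed = False
        return verdict

    def coverage(self, vulnerability_ids):
        """Prove protection: which blocking rules shield each vulnerability right now?"""
        return {
            v: sorted(r.rule_id for r in self.rules.values()
                      if r.shields == v and r.action == "block")
            for v in vulnerability_ids
        }


def build_engine():
    """Two constructed HTTP filters, each bound to a placeholder vulnerability ID."""
    return FilterEngine([
        # Directory traversal in the request line (raw or URL-encoded "../").
        Rule("R-HTTP-001", "VULN-0001", "http",
             re.compile(rb"^(GET|POST) [^ ]*(\.\./|%2e%2e%2f)", re.IGNORECASE)),
        # Overlong header value; shields a hypothetical header-parsing overflow.
        Rule("R-HTTP-002", "VULN-0002", "http",
             re.compile(rb"(?m)^[A-Za-z-]+: [^\r\n]{512,}")),
    ])


# Constructed sample traffic.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
TRAVERSAL = b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
OVERLONG = (b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: "
            + b"A" * 600 + b"\r\n\r\n")


if __name__ == "__main__":
    eng = build_engine()
    for name, req in (("benign", BENIGN), ("traversal", TRAVERSAL), ("overlong", OVERLONG)):
        v = eng.inspect("http", req)
        print(f"{name:10s} allowed={v.allowed} matched={v.matched}")
    print("coverage:", eng.coverage(["VULN-0001", "VULN-0002", "VULN-0003"]))
    for entry in eng.evidence:
        print("evidence:", entry)
```

The `coverage()` call is the audit answer the section asks for: a vulnerability that maps to no blocking rule (VULN-0003 above, or VULN-0001 after `tune("R-HTTP-001", "log")`) is visibly unprotected, with no need to launch an exploit to find out. The `evidence` list is what you would hand to an auditor for a given time window.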
3. What platforms does it protect?
Most enterprises today have heterogeneous IT environments - particularly in the data center, where Windows, Solaris, Linux and other operating systems often run side by side - and adopt the latest releases to take advantage of new features. So in addition to supporting a wide range of platforms, it's also vital that the HIPS vendor quickly supports new platform versions (such as Solaris 10 or SuSE 10). You simply can't afford to have your migration plans constrained by your HIPS solution. The 64-bit versions of Microsoft Windows Vista and Windows Server "Longhorn" include PatchGuard, a kernel protection mechanism that is problematic for HIPS products that rely on hooking the kernel. In contrast, a HIPS product that uses deep packet inspection to shield vulnerabilities does not depend on kernel hooks and so is not affected by PatchGuard on these new Microsoft operating systems.
4. How easy is it to administer and manage?
Security administrators have a lot on their plates. So it stands to reason that any new security product, such as a HIPS, that is added to daily operations will only be successfully deployed and used if it's easy to administer and manage.