The Four Key Qualities of Effective Host Intrusion Prevention (HIP) Solutions:
Defining Deep HIP
Organizations that need to protect sensitive information assets - in order to comply with corporate or regulatory policies, protect competitive advantage, or simply enable new business processes - have come to recognize Host Intrusion Prevention (HIP) as a critical component of a defense in-depth security strategy.
This white paper explains what to look for in HIP products, and introduces the concept of "Deep HIP" as a means of characterizing effective solutions in this area.
Executive Summary
Unrelenting and increasingly sophisticated attacks against enterprise networks have dramatically raised organizations' IT security risks. Given the relative ease with which many types of attacks bypass perimeter security, traditional perimeter-based security approaches are no longer sufficient to adequately protect enterprise assets. To combat these threats, security professionals are implementing multi-layered defenses, with the last line of defense being implemented at the host itself.
Host Intrusion Prevention (HIP) is the last line of defense in a comprehensive defense-in-depth security strategy. While the need for this last layer of defense is becoming increasingly evident, there remains considerable confusion over what constitutes a HIP product. To be practical, HIP should be viewed as security capabilities deployed at the host to effectively keep it running, free from viruses, worms or other malware.
The key to the debate is overall effectiveness. Individually there are many HIP technologies that offer value, but do not go far enough in solving the overall problem. HIP solutions need to embody the following characteristics, or be relegated to the shelf as impractical. They must:
- Provide comprehensive protection
- Have minimal performance impact on the host
- Be extremely robust and reliable
- Offer low cost of ownership
Solutions with these attributes can offer a deep level of protection, deep within the network where an organization's most valuable information assets reside. Products with these types of capabilities provide "Deep HIP" and are critical to an effective HIP approach.
With an organization's regulatory compliance, good corporate reputation, brand equity and customer satisfaction at stake, it is imperative that organizations choose an effective solution based on the characteristics of Deep HIP as their last line of defense.
Defense-in-depth is a dynamic process, involving a continuing cycle of risk assessment, response, and evaluation. An initial threat, risk and security audit, with special attention to servers holding critical information, establishes a security baseline. Once that baseline is established, a solid defense-in-depth strategy can be created.
Economics of the Shrinking Perimeter
One common approach to defense-in-depth has been to apply the same perimeter security techniques to continually shrinking security zones. From a security perspective this is advantageous because it introduces layers of defense as well as providing the ability to tune the control to the specific needs of the asset or assets being protected. However, the economics of this approach have a meaningful impact on the nature and scope of these controls. As the perimeter shrinks, the use of hardware-based solutions to protect smaller and smaller zones becomes too costly and at some point necessitates a software-based approach. Additionally, while the size of the zones shrinks, the number of zones increases, putting an increased value on the ability to centrally manage large numbers of zones in a cost-effective way. Taken to the extreme, the perimeter shrinks to the boundary of the host itself.
Confusion Surrounding HIP
While the need to provide a last layer of defense at the host itself is an easily understood problem, there has been considerable confusion over what constitutes a HIP product. Security vendors and analysts have all jumped into the fray, each positioning a slightly different view of what constitutes HIP technology, including existing technology such as firewalls, Intrusion Detection Systems (IDS) and signature-based anti-virus approaches (Figure 1).
Vendors
Even among analysts there are varying definitions of HIP. According to Gartner VP and Distinguished Analyst, John Pescatore, "HIP systems detect and block malicious operations and attacks, and do so without disrupting normal operations. Hosts running intrusion prevention processes will only show latencies in the tens of milliseconds range, even when attacks are being blocked.