Document Requirements and Testing Procedures

HIPS
Host-Based Intrusion Prevention Systems
• One of the major benefits of HIPS technology is the ability to identify and stop known and unknown attacks, both at the network layer where personal firewalls operate and in the operating system.
• All commercial HIPS software uses a technique called system call interception.
• The HIPS software uses something called an OS shim to insert its own processes between applications accessing resources on the host and the actual OS resources.
• This way, the HIPS software has the ability to deny or permit those requests based on whether the request is identified as malicious or benign.
Host-Based Intrusion Prevention Systems
• HIPS tools use a combination of signature analysis and anomaly analysis to identify attacks.
• This is performed by monitoring traffic on network interfaces, the integrity of files, and application behavior.
Real-world Defense Scenarios
• The best defenses in this area come from vendors that offer intrusion prevention that is not based solely on signature or rule-based analysis.
• Using application analysis techniques, the best-in-class vendors are able to stop attacks that rely on common exploit methods (such as buffer overflows) without requiring updates to the software.
Dynamic Rule Creation for Custom Applications
• HIPS vendors are readying tools that monitor how an application operates in a learning mode, identifying what files are opened, what Registry keys are accessed, what system calls are made, and so on.
• An organization using this technology would "train" the HIPS software in learning mode to recognize the normal behavior of the production software, and then use the results of this training in production to identify and stop anomalous events.
• This functionality is helpful for both vendors and customers.
Monitoring File Integrity
• HIPS software uses its operating system shim functionality to monitor any files that are opened as read/write or write-only on the operating system.
• When a program or process attempts to call a function that would change the contents of a file, such as write(), fwrite(), or fsync(), or any other file-modification system call, the operating system checks whether the file handle corresponds to a list of files that should be monitored for change.
• If the file is supposed to be monitored for change, the HIPS software then checks whether the user or application requesting the change is authorized to do so.
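As an added illustration of the two checks described above (this is not code from the original slides), the following Python simulates the shim in user space by interposing on Python's built-in open(): a write-mode request is looked up in a monitored-file list and then checked against the principals authorized to change that file. The policy, the principal names and the paths are constructed sample values, and the Python hook stands in for an OS-level interception of write()/fwrite(), which this code does not implement.

```python
import builtins
import posixpath
from contextlib import contextmanager

# Constructed sample policy (hypothetical): monitored file -> principals allowed to change it.
# Keys are normalized POSIX absolute paths, so requests are normalized the same way before lookup.
POLICY = {"/etc/passwd": {"root"}, "/srv/app/config.ini": {"root", "appadmin"}}
WRITE_FLAGS = set("wax+")  # any of these in an open() mode means the file may be modified

def decide(path, mode, principal, policy=POLICY):
    """The two checks from the text: is the file monitored, and is the requester authorized?"""
    if not WRITE_FLAGS & set(mode):
        return "allow", "read-only request is not a file-modification call"
    norm = posixpath.normpath(path)  # "/etc/../etc/passwd" must hit the same entry as "/etc/passwd"
    if norm not in policy:
        return "allow", "file is not on the monitored list"
    if principal in policy[norm]:
        return "allow", f"{principal} is authorized to change {norm}"
    return "deny", f"{principal} is not authorized to change {norm}"

@contextmanager
def file_change_shim(principal, policy=POLICY):
    """Interpose on builtins.open: a user-space stand-in for an OS shim on write()/fwrite()."""
    audit = []  # every intercepted request is recorded, allowed or denied
    real_open = builtins.open

    def shimmed_open(file, mode="r", *args, **kwargs):
        decision, reason = decide(str(file), mode, principal, policy)
        audit.append({"principal": principal, "path": str(file), "mode": mode,
                      "decision": decision, "reason": reason})
        if decision == "deny":
            raise PermissionError(f"HIPS shim blocked request: {reason}")
        return real_open(file, mode, *args, **kwargs)

    builtins.open = shimmed_open
    try:
        yield audit
    finally:
        builtins.open = real_open  # remove the hook even if the application raised

def attempt_write(principal, path, policy=POLICY):
    """Run one append attempt under the shim and return the audit record it produced."""
    with file_change_shim(principal, policy) as audit:
        try:
            with open(path, "a"):  # appending, so an allowed attempt leaves existing content intact
                pass
        except PermissionError:
            pass
    return audit[-1]
```

Allowed requests are recorded as well as denials, which is what gives an operator the data needed to tune the policy and investigate false positives.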
Monitoring Application Behavior
• Application behavior monitoring is a feature of HIPS software where a manufacturer selects a supported application and records the intended functionality of the application in normal use.
HIPS Advantages
• HIPS software includes nearly all the capabilities of HIDS software.
• HIPS also has the ability to stop attacks from being successful.
• HIPS can cope with the problem of zero-day exploits, attacks that occur before the vulnerability is published.
• HIPS software provides a better method of defending our perimeter when distributed throughout the enterprise than traditional tools allow.
HIPS Challenges
• HIPS deployments have implementation and maintenance challenges that include testing updates, deploying updates, and troubleshooting updates.
• False positives are another major challenge.
• The ability to monitor for anomalous behavior from applications is limited to those applications selected by your vendor.
• Hardening operating systems and secure coding practices are still good ideas for protecting custom application software.
More HIPS Challenges
• HIPS is not a replacement for regular system patching or antivirus defenses.
• With all the advantages and detection techniques offered by HIPS software comes the additional burden of processing requirements on servers and workstations.
• There is a need for a management console to oversee HIPS software throughout the organization.
HIPS Recommendations
• Document Requirements and Testing Procedures
• Develop a Centrally Managed Policy for Controlling Updates
• Don't Blindly Install Software Updates
• Don't Rely Solely on HIPS to Protect Systems
• Expect Your HIPS to Come Under Attack