Host Threat Prevention: a New Weapon in the War against Desktop Threats
By Dennis Szerszen
It is no secret. Windows is riddled with interfaces that can leave a business vulnerable to attack, which is why the PC desktop has emerged as a primary source of enterprise security worries. The extensible nature of Windows vastly increases the difficulty of defending the desktop, leaving the enterprise most vulnerable through its end points. For example, current PC practices undermine desktop and perimeter defensive measures. Users readily download unknown code and open unsolicited attachments and email messages. In doing so, they become unwitting accomplices in security breaches.
In addition, new classes of threats are emerging that the current defenses were never intended to combat. Personal USB storage devices, for example, allow for the easy attachment of new storage, but also pose a threat of allowing malicious code to bypass perimeter defense, thereby introducing yet another point of vulnerability. Similar to USB storage, many other I/O devices attached to the PC potentially bypass whatever perimeter defenses are in place because it’s assumed that since the end user is in control of the device, they will be able to discern what’s safe to attach or not. Not only can malicious code enter into the system, but confidential and private information can leave, via personal memory devices ranging from USB memory sticks to removable memory used in cameras and handheld organizers. Finally, the very flexibility of Windows itself, which is designed to support nearly unlimited numbers of ports and services, renders the system vulnerable to attack.
Given the recent spate of destructive viruses like ‘SoBig’, the desktop PC has emerged as one of enterprise security’s major points of exposure. Traditional approaches to PC security-anti-virus software and personal firewalls-only partially address security threats in the form of malicious executables that are becoming more frequent and more sophisticated. Host Threat Prevention, a new class of security product, allows only previously approved processes to execute while preventing any other processes from running. Unlike the conventional sandbox approach that isolates sources of vulnerability, Host Threat Prevention doesn’t attempt to quarantine running processes, which can become tremendously complicated with today’s Windows applications. Instead, Host Threat Prevention works by enabling known, trusted code processes to run while preventing all others from executing. This stops malicious code, such as viruses and worms, from running underneath the processes. As such, Host Threat Prevention is efficient and readily dovetails with existing security components including enterprise access control, identity management, intrusion detection, and anti-virus.
Security technologies such as perimeter defense, anti-virus protection and intrusion detection do part of the job, but they still leave the enterprise vulnerable through its Windows desktops. They cannot prevent unknown attacks and threats from unconventional directions, such as USB attached devices.
Hurwitz & Associates recommends companies augment their conventional perimeter and desktop defenses with a Host Threat Prevention solution based on the default-deny principle. Host Threat Prevention fills a critical security gap, ensuring that enterprises can run their trusted business processes without disruption by malicious code from any source.
New strategies required-default-deny: Host Threat Prevention is based on the principle of default-deny, in which everything is automatically prevented except that which has been explicitly approved. In short, the default position is always ‘no’. Host Threat Prevention uses default-deny to reinforce conventional security products with an effective defense at the desktop against any unknown threats-those that readily evade perimeter defense-as well as attacks from other channels, such as USB and I/O devices. As such, it delivers defense from the perimeter to the desktop against any potential threats.
Through default-deny, Host Threat Prevention fills the critical gap in today’s conventional defenses, which address only known, recognizable attacks. To guard against unknown threats-those initial attacks that strike before black lists and patches can be updated to defend against the new attack, organizations can implement Host Threat Prevention, which stops unknown attacks as well as attacks from non-conventional directions, such as through USB devices and other I/O devices attached to the desktop. Host Threat Prevention simply stops all code that isn’t pre-approved from executing at all. As a result, it will stop known any malicious software without even having to know what it is, whether the latest unrecognized virus or the most innocuous game.
Through default-deny, Host Threat Prevention is particularly effective on the Windows desktop, which has emerged as a major point of vulnerability. Default-deny is based on a simple premise: allow only what the business needs and has approved; deny everything else. In practice, default-deny is simple to implement. It follows a three-step process:
1 Identify the portfolio of executables-the organization typically runs a finite number of Windows applications with a known number of executable files. These can be readily identified. Changes to this set of applications and executables are usually known well in advance and don’t occur that frequently.
2 Specify the use of particular I/O devices-the organization specifies the approved I/O devices and USB storage devices and defines policies that restrict usage to only what is absolutely necessary.
3 Block everything not previously identified or specified-malicious code may still enter the system but it cannot cause damage because it is not on the tightly controlled list of approved applications, executables, and I/O devices. Thus, it will automatically be prevented from executing.
In short, everything unknown that might do damage-executables- are automatically failed. The advantages of Host Threat Prevention are numerous. In addition to being straightforward to implement and execute, it is easily maintained, which makes it less costly to operate. No longer must administrators continuously update virus definitions and install patches as they are released; they can deploy these mandatory updates on their own schedules with some measure of assurance. Most importantly, it stops unknown as well as known threats. In short, this approach significantly reduces IT security risk by adding an important new security layer while complementing existing security measures. Therefore, with Host Threat Prevention there is no need to predict where the next threat will come from or what shape it will take.
SecureWave offers default-deny defense products: One company we looked at recently is SecureWave, a security software company that offers default-deny defense for the Windows environment. Unlike the conventional perimeter defense solution providers, SecureWave addresses the problem through host intrusion prevention, which takes place at the application execution and I/O device management level, where it blocks everything but approved ‘white-listed’ applications, executables, and I/O devices. The SecureWave default-deny approach allows the organization to manage and control Windows workstations in a way that is non-disruptive, non-intrusive, and transparent to workers.
The SecureWave approach is delivered through two products:
? SecureEXE blocks all unauthorized software (including viruses, games, personal software, etc.) If a virus enters the Windows environment, it simply cannot execute, which renders it harmless.
? SecureNT enables the administrator to remotely control and audit activity on all I/O devices of each workstation, from memory sticks and floppy drives to PDAs, DVD/CD-ROM, tape drives, scanners, parallel and serial peripherals, or any other plug-n-play device.
In all cases, any malicious code or unapproved code simply sits there unable to execute. Using conventional anti-virus and intrusion detection tools, the organization can, if it so desires, clear out any malicious code at its convenience.
Unlike conventional perimeter defense tools, which rely on a ‘black list’, SecureWave uses a ‘white list’-a list of approved applications, executables, and devices. Where black lists are difficult to maintain and keep current, requiring nearly constant vigilance, and even then will fail in the face of unknown code, white lists are simple to build and easy to maintain. Only the approved applications, executables, and devices on the white list are able to run; everything else, whether malicious or not, is blocked. Authorized administrators and managers can add new applications to the list of approved executables after they have been assured of their safety.
The approach is well-known; ‘default-deny’ and ‘white-listing’ are established security techniques. Perhaps that’s the most notable aspect of SecureWave’s solutions–why hasn’t someone developed these sooner?!?
Dennis Szerszen is Principal and Senior Strategy Consultant of Hurwitz & Associates, a consulting, research, and analyst firm focused on emerging software markets. He can be reached at firstname.lastname@example.org