Primary Response Quickly Stops Online Attacks

Sana Security has made host-based intrusion-prevention simpler and more effective by creating a security system that shields services without use of static rules or signatures. Its product, Primary Response, protects against vulnerabilities in the OS or in applications that don't have security patches yet. In this review, VARBusiness labs partner KeyLabs puts the product up against MS Blaster.

Remember those old Western movies when, in the blink of an eye, the sheriff would make a quick hip shot with his Colt and down his opponent? We'd marvel at how accurate he was. It also turns out to be a great metaphor for the current state of network security. But instead of a one-horse town, we have an Internet server with Web, e-mail and FTP. And instead of a sheriff, we have an IT manager armed with myriad security tools that are often difficult to keep track of. One new weapon in that arsenal is Primary Response, a host-intrusion prevention (HIP) tool from Sana Security that promises to simplify the job of protecting IT resources from the ravages of the Internet.

It's no secret: Network security has become one of the most critical aspects of a technology manager's job. By simply attaching a device to the Net, you've created a security vulnerability. Whether it's a malicious hacker or the latest Internet worm, service downtime and compromised data present a tangible risk to any organization.

In the past, firewalls, virus scanners and access control lists (ACLs) did a pretty good job of protecting systems against the wilds of the Internet. But with the frenetic pace of today's unrestrained Internet community, it is impossible for operating-system and virus-scanning vendors to issue updates fast enough. What is needed is an adaptive tool that is capable of recognizing and blocking suspicious behavior as soon as it starts. Sana Security's Primary Response does just that. Primary Response is a server-based application that automatically profiles normal system activity and then blocks anything that deviates from that profile. That effectively stops attacks at the moment they start, even if the server hasn't been patched for a particular threat.

Real-time protection from known and unknown threats distinguishes Primary Response from other security products. Each time a new vulnerability is discovered, IT professionals have had to decide the lesser of two evils: whether to install an untested security patch that may break the server, or take a chance against the vulnerability. Primary Response offers a level of protection that will give software vendors time to create patches and for IT professionals to validate the patches before they are installed on production systems.The advantage of Primary Response is that it doesn't rely on signatures. It protects the system at the kernel level by profiling application code paths during normal operation. Then when a hacker or malicious program attempts to exploit a system vulnerability, Primary Response notes the deviation from the norm and blocks the process.

We tested Primary Response version 2.2 by installing management agents on both Windows 2000 Advanced Server and Windows Server 2003. Our management console was configured on another server running Windows Server 2003. We were surprised at the simplicity of the installation, as well as its ability to install without requiring a reboot of the server. OS requirements for both the management console as well as the managed servers include Windows 2003 Server with no service pack, Windows 2000 Server with Service Pack 2 or higher, and Windows NT Server with Service Pack 6a. In addition to Windows, Primary Response also provides support for the 32- and 64-bit versions of Solaris 8.0.

After adaptation -- the process used to profile normal application behavior -- we validated Primary Response by using various manual attacks as well as common worms. Included in this mix of attacks were MS Blaster, HTTP head manipulation, directory transversals and code injections. In each case, Primary Response was able to detect and block the attacks.

Alerts from all the managed servers were displayed on the management console. They were intuitive and with enough detail to be useful in forensics. While Primary Response creates an alert, it also grabs the log from the application, thus eliminating the need to manually search for the point of attack in the log files. This allows for easy identification of the attack and what the attacker is trying to do.

For larger organizations with many managed servers, Primary Response offers group management, which lets the IT manager compartmentalize system administration. Rather than having one console manage a complex server farm, Group Manager allows for functionally similar systems to be managed as a single unit. For example, some organizations might have someone manage all systems except the database servers. In this case, the database administrator would receive the alerts for database and middleware servers only, and the network manager would receive alerts from all other systems. This ability to compartmentalize administration can help resellers interested in creating a managed security offering to their clients. By establishing a group for each client, controls and alerts can be directed appropriately, yet the entire system can be centrally managed.Our method for testing Primary Response's ability to protect against these exploits involved running the exploit (such as MS Blaster) against an unprotected server. We verified that the server was infected. We then reimaged the system equipped with Primary Response and ran the MS Blaster worm again. That time, the server wasn't infected and a proper alert showed up in the management console. Similar methods were used to test other exploits.

Primary Response is architected for central administration. Multiple servers and groups of applications can be administered from the management console. Obviously, Primary Response will alert the administrator of any abnormal activity on a managed server, but it also captures important forensic data, such as application process by malicious behavior, network connections to host at time of security event, unexpected application file-system operations and unexpected memory usage. These are all important for tracking down potential holes in a system.

Primary Response has some obvious benefits to resellers. In addition to providing one more product to sell, VARs now have the opportunity to add security to their product and service offerings. Because of Primary Response's central administration, it is possible to create a recurring revenue stream by offering to manage the security of the client's systems. Of note, Sana Security sells through the channel exclusively and is actively recruiting VARs.

Eric J. Bowden ([email protected]) is CTO at KeyLabs, a quality management consulting and testing company.