Ray Davies: early HIPS user?
The Kinks: Tired of Waiting For You
I continue to have a love/hate relationship with Host-based Intrusion Prevention System (HIPS) technology. On the love side, I have a bias towards any security system that remediates new risks without installing new code. In order of preference, optimal vulnerability management ought to start with doing nothing because you're already invulnerable, reconfiguring what you have to be protected, and finally -- a last resort -- installing some sort of software patch. HIPS, in theory, allows you to hit the "do nothing" sweet spot for vulnerability management by gracefully handling the outcome of an attack (overflowing a buffer, for example) rather than trying to identify all possible variations of the attack itself. The latter has proven incredibly difficult over the years.
On the hate side, there's the waiting: while HIPS makes grand promises of zero-effort protection against zero-day threats, there is an unfortunate and unpleasant waiting game involved. To illustrate, let's look at the latest out-of-cycle (7/13/09) warning from Microsoft: "code execution is remote and may not require any user intervention." Visit the wrong web page with the wrong browser, presto, you're a statistic. Sounds pretty bad. If I'm going down my decision tree of (1) do nothing, (2) reconfigure, or (3) patch, I'd love to know right then, on 7/13/09, whether I can stop at step (1) because my HIPS suite is protecting me. Is it? Let's check...
As of this writing, it has been a little over 72 hours since this particular vulnerability became public. Depending on my organization's vulnerability management policy, I may have had to make a decision by now on whether or not I need to take invasive action to protect my enterprise. It may turn out, after a few more days, that my HIPS suite had me covered all along. The link above gets updated periodically with the latest protection data. To my chagrin, I'm finding lately that the decision-enabling information that allows me to choose not to take invasive action to counteract a vulnerability is either absent or confirmed too late to help. HIPS: love it in principle, still waiting for the big payoff in practice.
