IDS mailing list archives

Re: Real world experience with HIDS


From: Pukhraj Singh <pukhraj.singh () gmail com>
Date: Thu, 2 Feb 2006 19:36:49 +0530

NOTE: I work for a HIPS company, but I am also an information security
enthusiast and a regular contributor to the list. I have some
experience in intrusion prevention which might help you in taking the
right decisions. And you may want to note that I have not mentioned
any vendor product in the response.

----

HIPS (or HIDS) have seen good technological progress in the last few
years. People have realized that HIPS is, in fact, the last line of
defense against attacks. Nowadays, they encompass a number of features
and varying capabilities in order to provide proactive and reactive
defense mechanisms. Before answering your questions specifically, I
would suggest that you have a look at this paper written by Gartner:

Understanding the Nine Protection Styles of Host-Based Intrusion Prevention
http://www.gartner.com/DisplayDocument?doc_cd=127317

This will give you a good insight about the real scope of protection
and prevention using HIPS and what to look for when assessing them.

1) Ease of install - can it be done through GPO?  SMS?  Login scripts?

Yes, most HIPS (agents and management consoles) are quick software
installs and can be managed easily.

2) Usefulness of the information generated - have you detected any
exploits?  How were you notified?  Etc.,

Of course, it is useful. Most HIPS support good notification and
alerting techniques like central alert database, alert/log correlation
and exportation, SMS/Pager/e-mail notifications.

3) Centralized management - is there any?  If so, how easy is it to use?

Yes. This is one of the most important features of a good HIPS. Most
agents will be centrally controlled using a management console or web
interface. It should be intuitive and easily graspable, the reporting
should be compliant with standards, and proper user-level access control
should be provided. It should have the ability to create server
profiles, detect the software running and thus activate profiles
automatically.

Configurable at the host level?  Or group of hosts level?

Should be at the discretion of the administrator. Should support both.

4) Access to data - is it possible to restrict access to the data so
that an administrator on the server would *not* be able to see the
output of the HIDS?

Yes, as discussed: user-level access control.

5) Interference with the server - does it consume lots of memory or CPU?

Yes. The agent should be as light as possible. It should consume minimal
resources. The control channel noise (between agents and managers)
should be minimal. The latency added on the servers should be in
microseconds.

Is it proactive or passive?

As you will see in the Gartner paper, it should do both. It should have the
ability to do protocol anomaly detection and detect vulnerability-specific
attacks and zero-day attacks. It should have the ability to
sanitize/normalize malicious data or edit sessions.

6) Would you purchase again, if you had the option?

Will leave that to you. :)
But personally, I see good potential for HIPS in providing good
host/server-level protection. They can really be effective in
computing environments which have a lot of mobile hosts coming in and
going out, where the network periphery is not the last fortification.

Thanks,
Pukhraj
