The HIPS era ended today

Share

AVG has announced the acquisition of Sana Security, a longtime host-intrusion prevention software vendor. I have particular affection for Sana because they were a former client of mine at a previous job.

Back in the summer of 2007, when security startup venture money was still flowing freely, like a rose-scented fountain at a Vegas casino, I remember giving a speech for Sana at their San Jose Grand Prix event.

Don Listwin, their then-CEO, was a serious car racing enthusiast. He had conspired with the city of San Jose to shut down the city center so they could run race cars down the middle of it. It was pretty wild stuff -- speaking as someone who comes from Boston, where all of the roads seem to be derived from old horse-trails or giant spiderweb patterns.

Host intrusion prevention software has always been a fascinating sub-segment of client security, not least because of the fact that what HIPS vendors try to do is actually pretty hard stuff.

In concept, the idea sounds simple: monitor processes in memory for suspicious activity, and block them when they try to do something naughty. For example, an ActiveX control executing in the context of a website should not be allowed to open a command shell and then initiate an outbound connection to somewhere else. Simple, right?

In practice, though HIPS isn't so simple. Some early vendors -- like Cisco's CSA, née Okena; or Entercept, acquired by McAfee -- relied on rules to enumerate behaviors that would be allowed or blocked.

That worked, but only after lots of tuning. And re-tuning. And even more re-tuning. Anybody who's every written declarative security policies (firewall rules, Java security policies) knows how tough this is to get right from an engineering perspective -- the rule language needs to be precise, but flexible at the same time.

These early generations -- since improved -- went through significant growing pains to be useful. (Hmm: activity monitoring driven by rules that require lots of tuning... reminds me of DLP today!)

Second generation HIPS vendors, like Sana and Prevx, relied less on rules and more on something akin to fuzzy logic. An activity received weighted scores based on the context of the process, what it's doing, its code "pedigree" and other factors. Activities that seemed "suspicious enough" got blocked.

Promoted