OKENA Pioneers Next-Generation Intrusion Prevention
By Laura Taylor
September 25, 2001
Intrusion prevention has evolved as a smarter alternative to intrusion detection. Pioneer OKENA has mapped application behaviors into rules, and is using these behavior rules to prevent intrusions up front. This second-generation approach offers substantial bottom line savings, and frees up IT resources for other tasks.
Detecting an intrusion is useful. Preventing an intrusion is far more useful. OKENA's StormWatch intrusion prevention technology offers break-through capabilities previously unseen by traditional intrusion detection companies.
This is not surprising news for anyone who knows OKENA's founder Shaun McConnon. Mr. McConnon founded Raptor Systems in 1994, and at Raptor introduced the first firewall built for NT. In an already competitive market, and defying security critics who downplayed the marketability of an NT firewall, Mr. McConnon led Raptor to become one of the most respected names in firewall engineering, and later sold it to AXENT. (Just last year AXENT was sold to Symantec, which has since introduced a souped-up Raptor-based firewall appliance called VelociRaptor.)
Pioneering visionary security technology seems to be one of the things that Mr. McConnon does best. The word "OKENA" means "to fulfill" in Hawaiian, and OKENA's pro-active approach to network and system intrusions holds promise to fulfill a segment in the security market not yet developed by other vendors.
Table 1. OKENA Corporate Information
Like a firewall, StormWatch works through the configuration of a rule-set. Unlike traditional intrusion detection systems, StormWatch works at the application level, not the network level. Each application that StormWatch locks down has a rule, or set of rules, associated with it. StormWatch does come bundled with a default set of rules; however, more rules can be added at any time for no additional cost.
StormWatch's rules are, in essence, behavior rules that understand how the application they are safeguarding behaves. If an application typically writes new data to a particular file, a corresponding StormWatch rule will make sure that the data isn't written to other files owned by other users or applications. Hackers often use strategies which involve manipulating processes into writing data to incorrect files.
StormWatch works by installing intelligent agents on the systems targeted for application protection. A correlation engine that lives within the installed agents makes decisions on whether the instruction an application receives is within standard behavioral guidelines or not. This is one of the elements of the product's INCORE (an acronym for Intercept, Correlate, Rules Engine) architecture, and is fundamental to the pro-active technique that StormWatch uses to protect applications from being led astray.
If the proposed action is suspiciously unusual, for example, instructing the application to write to non-standard files, the rules that govern the application's behavior will prevent the unacceptable action from executing. In response to unacceptable behavior patterns, the StormWatch agent opens a dialogue with a central management console, which performs further analysis of the offending file. The management console records the unacceptable activity, and if it finds similar reports of this unacceptable activity, it updates the other intelligent agents on the network about the impending threat.
The agents are able to prevent unauthorized modification of the registry from taking place by intercepting system calls. The management console communicates with the agents through a secure encrypted SSL link making sure that the rules on the agent systems are always up to date. If a new rule is written, distributing it to other agent systems is for the most part automated. A test mode exists which allows administrators to test out new rules in action, before installing them on production systems.
The default rules that ship with StormWatch prevent inadvertent actions to your system caused by Trojans, worms, viruses, buffer overflows, SYN floods, and port scans. Writing a rule for a new or custom application requires knowledge of the application's files, executables, directories accessed, and ports accessed, which does require some knowledge and expertise. However, this process is not much different from the learning curve required in writing firewall rules.
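To make the agent/console model described above concrete, here is an added toy simulation in Python. It is not OKENA's code and it does not reproduce the INCORE engine; it models the pieces the article names: a per-application behavior rule (which files it may write, which ports it may use), an agent that intercepts requested actions and checks them against that rule, a test mode that logs rather than blocks, and a central console that correlates matching violation reports from several agents and pushes the correlated threat back to every agent. The rule contents, the two-agent threshold, and the way a correlated threat is enforced even on a test-mode agent are my assumptions, as are all names (`BehaviorRule`, `Agent`, `Console`, `run_scenario`).

```python
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class BehaviorRule:
    """Behavior profile of one protected application (constructed sample)."""
    app: str
    writable_paths: list   # glob patterns the application may write to
    ports: set             # ports the application may use


@dataclass
class Decision:
    allowed: bool          # the action lies within the application's profile
    enforced: bool         # False when the agent only logged it (test mode)
    reason: str


class Console:
    """Central management console (hypothetical): collects violation reports
    from agents and, once two different agents report the same violation,
    notifies every registered agent of the correlated threat."""

    def __init__(self):
        self.agents = []
        self.reports = defaultdict(set)   # (app, kind, target) -> agent ids
        self.correlated = []

    def register(self, agent):
        self.agents.append(agent)
        agent.console = self

    def report(self, agent_id, key):
        self.reports[key].add(agent_id)
        if len(self.reports[key]) >= 2 and key not in self.correlated:
            self.correlated.append(key)
            for agent in self.agents:
                agent.threats.add(key)


class Agent:
    """Host agent (hypothetical): intercepts an application's requested file
    writes and port use and checks them against the application's rule."""

    def __init__(self, agent_id, rules, test_mode=False):
        self.agent_id = agent_id
        self.rules = {r.app: r for r in rules}
        self.test_mode = test_mode
        self.threats = set()   # correlated threats pushed down by the console
        self.console = None
        self.log = []

    def _decide(self, app, kind, target, permitted):
        key = (app, kind, target)
        if permitted:
            return Decision(True, True, f"{app}: {kind} {target} within profile")
        # Test mode only logs, unless the console has already flagged this
        # exact behavior as a network-wide threat (assumed semantics).
        enforced = (not self.test_mode) or key in self.threats
        decision = Decision(False, enforced, f"{app}: {kind} {target} outside profile")
        self.log.append(decision)
        if self.console is not None:
            self.console.report(self.agent_id, key)
        return decision

    def intercept_write(self, app, path):
        rule = self.rules.get(app)
        ok = rule is not None and any(fnmatch(path, p) for p in rule.writable_paths)
        return self._decide(app, "write", path, ok)

    def intercept_port(self, app, port):
        rule = self.rules.get(app)
        ok = rule is not None and port in rule.ports
        return self._decide(app, "port", str(port), ok)


# Constructed sample rule: the web server may only write its logs and its
# upload directory, and may only use ports 80 and 443.
HTTPD_RULE = BehaviorRule("httpd", ["/var/log/httpd/*", "/var/www/uploads/*"], {80, 443})


def run_scenario():
    """Two agents share one console; the staging agent runs in test mode."""
    console = Console()
    prod = Agent("prod-01", [HTTPD_RULE])
    staging = Agent("staging-01", [HTTPD_RULE], test_mode=True)
    console.register(prod)
    console.register(staging)
    return {
        "normal_write": prod.intercept_write("httpd", "/var/log/httpd/access.log"),
        "prod_bad_write": prod.intercept_write("httpd", "/etc/hosts"),
        "staging_first": staging.intercept_write("httpd", "/etc/hosts"),
        "staging_after_correlation": staging.intercept_write("httpd", "/etc/hosts"),
        "bad_port": prod.intercept_port("httpd", 25),
        "unknown_app": prod.intercept_write("unknownapp", "/tmp/data"),
        "correlated": list(console.correlated),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

The scenario shows the three outcomes a practitioner cares about: an in-profile write passes, the production agent blocks an out-of-profile write outright, and the test-mode agent merely logs the same write until the console has seen it from two agents, after which it is blocked there too. Note that, exactly as the article says of custom rules, the quality of the result depends entirely on how accurately `HTTPD_RULE` captures what the real application does.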
An advantage of StormWatch over traditional intrusion detection systems is that StormWatch doesn't rely on attack signature analysis. Traditional intrusion detection systems compare network traffic patterns with attack signatures, and the effectiveness of this methodology depends on the vendor staying ahead of current system and network attack exploits, and writing signatures which their product uses with pattern matching algorithms. If the vendor misses a new exploit, if the attack signatures are not engineered properly, if the customers do not download and keep their intrusion detection system up to date, the attack signature-based intrusion detection system does not operate to its potential, and leaves the customer network exposed.
One of the problems with traditional intrusion detection systems is that they typically require time-consuming hands-on management and administration. Traditional intrusion detection systems compare suspicious activity with attack signatures. The problem with this approach is two-fold: numerous false positives and false negatives are generated, and new attacks are unending, which means that the intrusion detection system needs to be constantly updated with new signatures. The usefulness of these systems depends on the vendor's ability to keep up with new attacks by populating the signature database with new attack signatures.
In 1996, Sandia National Labs did some research which showed that false positives can only be reduced at the expense of increased false negatives. Balancing false positives and false negatives is an added chore that traditional intrusion detection systems hand to the IT staff that manages them. By preventing intrusions up front, balancing false positives and false negatives is not required. This frees up a significant amount of administrative time, and reduces the cost of ownership of the technology itself. Correlating false intrusion attempts is an expensive use of company resources. It is enough work just to analyze real intrusion breaches and attempts. With StormWatch, the analysis of false negatives and positives is not something that will be added to an organization's security agenda. StormWatch's ability to pro-actively prevent intrusions from happening in the first place reduces the analysis of false positives and negatives.
According to Michael Rasmussen, a security analyst with Giga Information Group, "Intrusion detection systems (IDS) have received a lot of undeserved hype during the past few years….IDS systems, particularly network-based, are prone to false positives, missing attacks and deception." Getting attacked creates work. Every time your staff spends valuable corporate resources analyzing an attack, you are spending money. Every time your staff spends valuable corporate resources analyzing an attack that didn't happen, you are really wasting money. With StormWatch, analyzing attacks that never happened is not part of the strategy.
The engineering approach of StormWatch is based on understanding the correct way the application is supposed to behave, rather than enumerating the many ways it is not supposed to behave. In the last few years, system, network, and application security threats have grown by such magnitudes that online businesses are having significant problems keeping pace with attacks, viruses, and online fraud. The sheer number of attack signatures that need to be generated to combat all the possible exposures is growing at unprecedented rates. In a recent survey of 538 security professionals conducted by the Computer Security Institute, 85% reported computer security breaches in the last twelve months.
The Police Commercial Crime Bureau in Hong Kong has reported that computer crime losses increased by nearly 500% in the first half of this year compared with the previous six months. Keeping attack signature databases up to date with the latest exploits has turned into a race against the clock. While intrusion detection systems based on attack signatures offer some protection, it is a development methodology that will become significantly harder to scale in the years ahead.
According to a joint publication by the Information Technology Association of America (ITAA) and CERT in June of 2000, "IDS products based on current signature-based analysis produce useful results in specific situations, but since they cannot detect novel attack patterns, they do not provide a complete intrusion detection solution." This same report goes on to say that traditional intrusion detection systems require "labor-intensive signature tuning." StormWatch blocks intrusions pro-actively, and does not make use of attack signature files.
Though OKENA's technology is based on intrusion prevention, industry analysts will lump StormWatch into the intrusion detection market -- a growing and established market. Contenders like Entercept, Internet Security Systems, and Network Flight Recorder all offer intrusion detection products that have advanced capabilities, and proven track records. As these other intrusion detection vendors vie for the same market share, OKENA will face numerous contenders coming out of the starting gate. New innovative competitors will continue to crop up, and one potential threat is a European company called SecureWave which also claims to offer second-generation intrusion prevention protection.
User acceptance is necessary for any new break-through technology to remain competitive. OKENA's success will depend in part on its ability to win over potential customers to a new way of looking at and managing security and network intrusions. In order to take advantage of the technology that OKENA offers, companies need to be willing to commit the resources up-front that are required for pro-active security.
Running only on Microsoft operating systems, OKENA's management console might not appeal to UNIX shops; however, OKENA has committed to developing a Solaris platform that will debut sometime next year.
Vendor Recommendations and Predictions
It will be important for OKENA to educate the market on the difference between their next-generation intrusion prevention product and traditional intrusion detection products. Like any new company, OKENA will need to gain customer confidence that they can adequately support large deployments with complex applications.
With a seasoned management team, and engineering leaders that are experienced in security, Relevant Technologies expects OKENA to nudge its way into the established intrusion detection market, and hold its own among some of the larger more established vendors. As OKENA gains momentum, Relevant expects traditional intrusion detection vendors who wish to remain competitive to initiate more pro-active approaches to system and network intrusions similar in approach to OKENA's.
Today, the IT security market is close to $6 billion USD. Relevant expects this market to increase by $2 billion a year for the foreseeable future. Even in today's weakened economy, new security companies like OKENA will be able to find a big enough piece of the pie to remain competitive, as long as they control their growth, and don't jeopardize their bottom line with excessive spending. Since Shaun McConnon has already proven that he can lead the innovation of a new security technology company to profitability, Relevant predicts that OKENA will be around for the long haul, and should be considered a viable contender in any intrusion technology IT decisions.
As a security product pure-play (a company focusing on doing one thing well), in 3-5 years OKENA is a likely acquisition target for a larger security company that is trying to expand its product line. Creating partnerships with resellers and consulting firms will assist OKENA in creating the competitive stance it will need to command future marketability for potential prospects.
Companies and agencies that are just starting to perform due diligence on intrusion detection products will want to include StormWatch on their short list. In particular, large organizations that are currently overwhelmed with security management, and want to take a less labor-intensive approach to intrusions, stand the most to gain from a StormWatch deployment.
Financial institutions that need to safeguard customer transactions, and cannot afford to lock the barn door after the horse is stolen, are ideal candidates for this second-generation intrusion prevention technology. StormWatch is not intended to take the place of a firewall. It works well in conjunction with firewalls, and provides the type of application level security that firewalls are not able to protect against.
Systems administrators and security engineers that currently maintain firewalls are probably best suited for configuring and managing the StormWatch rules and agents. The management of StormWatch requires some training; however, understanding what steps it takes to secure your systems, networks, and applications is what it means to be pro-active about security.
Copyright 1997-2015 Relevant Technologies. All rights reserved.