Primary Response FAQ
What is Primary Response?
Primary Response is an intrusion prevention software (IPS) product designed
to protect servers and PCs from malicious software. Primary Response includes
a central management server and agents that run on each protected machine.
Primary Response automatically detects, classifies and responds to complex
threats, accelerating time to protection and enabling IT to deliver business
continuity without compromising visibility and control.
What makes Primary Response unique from other application security solutions?
While other products use only rules or signatures, Primary Response has layered
defense technology, including: (1) an out-of-the-box knowledge-based system to
protect end-users, applications and services, (2) Active MDT, a set of behavioral
heuristics that detect and prevent suspicious malware activity, and (3)
Sana Adaptive Profiling Technology (SanAPT), which learns application file path
behaviors and responds to anomaly-based threats.
How does Primary Response work?
Primary Response Agents autonomously trace application process system calls
in the OS kernel via a kernel loadable module, or device driver, and automatically
create a profile of normal system call code paths. All spawned child processes
are automatically included in the profile. Within a few hours the agent recognizes
repeatable system call code paths and lowers the adaptation threshold. The
adaptation threshold continues to decrease over time, taking several hours
to a couple of days depending on the profiled application. The agent automatically
detects and prevents anomalous code paths exceeding a set threshold at any
time, including during the adaptation period. Primary Response Agents are centrally
managed from a web-based management server via an encrypted and authenticated
protocol.
What are the key benefits of Primary Response?
Primary Response offers unmatched capabilities around protection, enforcement,
visibility and integration; this directly translates into key benefits for
both your enterprise and IT administrators. For some of Primary Response’s
key benefits, see www.sanasecurity.com/products/index.php.
I already have a firewall and a Network Intrusion Detection system (NIDS) at my perimeter. Do I still need Primary Response to protect my server-based applications?
Perimeter defenses, such as firewalls and NIDS, provide an important security
measure for computer networks. However, they do not provide a sufficient level
of protection for server-based applications. Because many applications communicate
with each other and with end users over the Internet, application-level attacks
will often penetrate a perimeter via a legitimate access point. Moreover, firewalls
and NIDS are unable to inspect encrypted (SSL) traffic, which is not decrypted
until it reaches the host. Attacks that successfully navigate the perimeter
security layers are often targeting specific application vulnerabilities and
are easily detected by Primary Response. According to Gartner Research, 75%
of successful attacks exploit application vulnerabilities. Most security experts
recommend a layered approach to information security. Primary Response is an
application security solution that complements NIDS and other network-layer
products, and protects server-based applications more effectively and accurately.
Why can't I just install NIDS in front of my servers?
NIDS play an important role in securing network traffic. They are effective
at detecting certain types of attacks, such as Denial of Service (DoS) and
Distributed Denial of Service (DDoS), and can detect known attacks before they
reach servers. However, NIDS do not effectively protect server-based applications
even if deployed in front of server farms or individual servers. Because they
have no knowledge of application behavior and often no knowledge of what applications
are present on which servers, NIDS generate thousands of false alarms forcing
administrators to make tradeoffs between accuracy and efficacy by turning off
rules and signatures governing their security policies. Moreover, NIDS are
incapable of inspecting encrypted traffic such as SSL. Most security experts
recommend a layered approach to information security. Primary Response is an
application security solution that complements NIDS and other network-layer
products, and protects server-based applications more effectively and accurately.
What is the difference between Primary Response and an application firewall?
Application firewalls are designed to protect web traffic by inspecting the
incoming and outgoing HTTP/HTTPS packets against a set of predefined web server-centric
filters. Because they are not capable of monitoring actual (web) application
execution processes, application firewalls require difficult manual fine tuning
to protect highly customized web servers. In addition, application firewalls
are susceptible to spoofing, evasion and DDoS attacks.
We have invested heavily in our signature-based solution. Why should we spend more for another product?
Signature-based approaches require previous knowledge of an attack and require
a developed signature for a specific type of attack. Products that use a signature-based
approach must have up-to-date signatures installed in order for this type of
system to work. Of greater importance, a signature-based approach, by its very
nature, will fail at preventing zero-day, unknown attacks.
The real cost of a signature-based solution is measured in the amount of time
required to (1) install and configure signature updates in initial deployment,
(2) manage the ongoing signature updates and general change management in the
IT environment, and (3) recover from a loss of business continuity, productivity,
and information data resulting from a successful penetration [from an unknown
attack] which signature-based systems neither detect nor prevent.
I have heard about McAfee Entercept and Cisco Security Agent (formerly Okena). Are these products similar to Sana's Primary Response?
Rules-based solutions, such as McAfee Entercept and Cisco Security Agent, carry
two hidden costs, which over time greatly exceed the original cost of the security
software itself. First is the overhead cost associated with the amount of time
required to manage the tuning during both its initial deployment and subsequent
change management cycles. The second hidden cost is the real loss of productivity
resulting from successful penetrations from unknown attacks, which signature
and improperly configured rules-based systems neither detect nor prevent.
We always penetration test our applications before we deploy them to production servers. Do we still need Primary Response?
Penetration testing will detect application vulnerabilities for known attacks.
Primary Response will protect the application from both known and unknown attacks.
In addition, Primary Response provides robust forensic and analytic information
that can aid in diagnosing security issues in an application development environment.
How can I get an evaluation copy of Primary Response or a One-on-One Demo?
Contact Sana Security sales at 866-900-SANA to receive a time-limited evaluation
copy of Primary Response or a One-on-One Demo.
Who should I contact at Sana for more information?
Contact Sana Security sales at 866-900-SANA.
Protection
Why is Primary Response better than competitive products that also claim behavior-based intrusion prevention?
Security products such as McAfee Entercept and Cisco Security Agent use knowledge-based
policies (rules and/or signatures) to predefine what an application can and
cannot do, and what constitutes an attack. These companies claim that rules
and signatures can adequately model normal and anomalous application behavior.
While a rules-based approach can be effective in firewalls and other network-focused
security products, Sana believes that this approach is fundamentally flawed
when it comes to application security. Application behavior is significantly
more complex and cannot be accurately defined with a set of rules and signatures.
Because rules and signatures are not granular enough to correctly define normal
and anomalous application behavior, they force administrators to choose between
an effective security policy and a low number of false alarms. Locking down
an application with too many rules will prevent it from meeting its core business
objectives and will make it more difficult to maintain. On the other hand,
modifying or turning off rules to enable the application to run unfettered,
or to lower false alarm rates, enables potential vulnerability exploits. Moreover,
because IT environments are diverse and constantly changing, rule and signature
modifications are necessary for each server with every system change. This
includes operating system and application upgrades, security patches, and configuration
changes, making the rules-based solutions not only inaccurate, but also impractical
to deploy across the enterprise on production systems.
In contrast to the rules-based approach of our competitors, Primary Response
provides out-of-the-box protection from code injection. Code injection attacks
(also called buffer overflow exploits) are the largest class of threats on
enterprise servers. Examples include Sasser, Blaster, Slammer and Code Red.
Primary Response SanAPT technology enables autonomous profiling of applications
on each server, and quickly and automatically adapts application profiles during
change management. Moreover, because Primary Response profiles applications
at a system call level, it is significantly more effective and accurate than
rules-based solutions focused on file system access.
Which applications does Primary Response protect?
Primary Response is application agnostic. Because the SanAPT technology autonomously
adapts to any server-based process, Primary Response protects standard applications
(such as IIS, Apache and iPlanet Web servers), complex applications (such as
Microsoft Exchange, Peoplesoft, SAP, and Oracle) and custom, in-house developed
software and applications.
Does Primary Response protect the host server as well as the applications running on it?
Yes. Primary Response can profile and protect core operating system services
on the host as well as applications running on it. Primary Response includes
a set of default applications for securing the operating system with detection
protection. Customers can add additional services in the same way they would
add new monitored applications.
What are code injection or buffer overflow attacks?
When an attacker overflows the buffer with programmatic instructions, the attack
is a code injection. The injected code attempts to take over
the machine so the attacker can access private data or use the machine to attack
still more machines. Primary Response provides protection against the most
common forms (85-95%) of code injection attacks, such as those used by Blaster,
Slammer, and Code Red.
How does Primary Response prevent code injection or buffer overflow types of attacks?
Primary Response knows what memory has been allocated to legitimate processes.
If code begins to run from another part of memory, Primary Response takes specific
steps. A code injection attack can take one of two forms:
- In the first type, all malicious code is injected into the buffer.
- In the second type, only a very small amount of malicious code is injected
into the buffer.
This small piece of code then activates normally benign code for a malicious
purpose. Primary Response observes when system calls occur in invalid memory
spaces. In the first type of attack, the code must execute a fairly high number
of system calls to accomplish anything. If the number of system calls executed
matches the Minimum System Calls filter set in Primary Response for that application,
then Primary Response generates an alert. In addition, Primary Response will
block additional system calls if it has been configured to do so. In the second
type of attack, the code launches an external process. Primary Response will
block this behavior regardless of the number of system calls used by the attacker.
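The two-form check described above, written out as an added example (this is not Sana's code; Primary Response's kernel driver is not described on the page). It is a user-space model: each system-call event carries the address it was issued from, the monitor compares that address against the memory regions known to hold legitimate code for the process, counts calls made from anywhere else, raises an alert or blocks once the count reaches the application's Minimum System Calls value, and blocks a process launch from invalid memory regardless of the count. The region map, the event records and the per-application thresholds are constructed for the example; the mode switch between detect and prevent mirrors the centrally managed setting mentioned later in the FAQ.

```python
from dataclasses import dataclass

# Constructed example (not Sana's code): a user-space model of the check the
# FAQ describes, i.e. system calls issued from memory that was never allocated
# as executable code of a legitimate process. A real agent obtains the caller
# address and memory map from a kernel driver; here both are hand-built.

@dataclass(frozen=True)
class Region:
    start: int
    end: int    # exclusive
    name: str

@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    app: str
    syscall: str
    caller: int   # address the call was issued from (assumed to be available)

# Calls that launch an external process: blocked outright when issued from
# invalid memory, whatever the count (the FAQ's "second type" of injection).
PROCESS_LAUNCH_CALLS = {"execve", "fork", "CreateProcess"}

class CodeInjectionMonitor:
    def __init__(self, exec_regions, min_syscalls, prevent=True):
        self.exec_regions = exec_regions    # pid -> [Region, ...] holding legitimate code
        self.min_syscalls = min_syscalls    # app -> "Minimum System Calls" filter value
        self.prevent = prevent              # False = detect-only mode
        self.invalid_counts = {}            # pid -> calls seen from invalid memory
        self.alerts = []

    def in_valid_region(self, pid, addr):
        return any(r.start <= addr < r.end for r in self.exec_regions.get(pid, ()))

    def _react(self, ev, reason):
        self.alerts.append((ev.pid, ev.app, ev.syscall, reason))
        return "block" if self.prevent else "alert"

    def handle(self, ev):
        """Return 'allow', 'alert' (detect mode) or 'block' (prevent mode)."""
        if self.in_valid_region(ev.pid, ev.caller):
            return "allow"
        if ev.syscall in PROCESS_LAUNCH_CALLS:
            return self._react(ev, "process launch from invalid memory")
        count = self.invalid_counts.get(ev.pid, 0) + 1
        self.invalid_counts[ev.pid] = count
        if count >= self.min_syscalls.get(ev.app, 5):
            return self._react(ev, f"{count} system calls from invalid memory")
        return "allow"

def run_sample(prevent=True):
    # Constructed memory maps: text segment plus one shared library per process.
    regions = {
        101: [Region(0x00400000, 0x00450000, "httpd text"),
              Region(0x7F000000, 0x7F200000, "libc")],
        202: [Region(0x00500000, 0x00520000, "sshd text")],
    }
    monitor = CodeInjectionMonitor(regions, {"httpd": 3, "sshd": 3}, prevent)
    # Constructed events; the 0x7FFD.../0x7FFE... addresses stand for stack buffers.
    events = [
        SyscallEvent(101, "httpd", "read",    0x00401234),  # from legitimate code
        SyscallEvent(101, "httpd", "write",   0x7F010000),  # from libc, legitimate
        SyscallEvent(101, "httpd", "socket",  0x7FFD1000),  # from the stack: 1st call
        SyscallEvent(101, "httpd", "connect", 0x7FFD1010),  # 2nd
        SyscallEvent(101, "httpd", "write",   0x7FFD1020),  # 3rd: threshold reached
        SyscallEvent(202, "sshd",  "execve",  0x7FFE2000),  # launch from the stack
    ]
    return [monitor.handle(ev) for ev in events]
```

Running `run_sample()` yields `allow` for the four legitimate-or-below-threshold calls, then `block` for the third call from the stack and `block` for the process launch; with `prevent=False` the last two become `alert`, which is the detect-only behaviour the FAQ describes.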
What types of attacks does Primary Response detect and prevent?
Primary Response detects threats that cause server behavior to deviate from
normal application behaviors. This means it will detect a wide range of exploits
of program vulnerabilities. Included is a list of some of the major classes
of attacks that Primary Response can detect. While this selection is not comprehensive,
it is simply intended to highlight the extensive coverage provided by Primary
Response:
- Bounds overflows, including buffer overflows, stack overflows, heap overflows,
and index overflows
- Code injections, including heap, stack and static memory code injections
- File linkage abuse
- Abuse of incorrectly set permissions
- Abuse of default and sample files
- HTTP header manipulation
- Format string
- Command injection
- Directory traversal
- Abuse of debug functions
- Null bytes
- Off-by-one
- Trojans and backdoors
- Account enumeration
- Race conditions
- Privilege escalation
Because Primary Response is a host-based intrusion prevention solution, it will
not detect abuses that are focused at the network layer, such as connection hijacking
and sniffing. Such attacks are best detected or prevented by network-based security
solutions such as Network Intrusion Prevention solutions (NIPS).
Does Primary Response take automatic action on all alerts or can it be configured to only detect attacks and generate alerts?
Primary Response Agents can be set to either detect or prevent attacks. Because
this setting is centrally managed, it can be easily switched from detection to
prevention at any time across any or all profiled applications or protected machines.
Don't other products stop unknown attacks also?
Stopping unknown attacks is a common claim in the industry. Most often the protection
from zero-day attacks is limited to a subset of types of known attacks for which
protection is available. Because Primary Response requires no advanced knowledge
of an attack type or a specific attack, it protects from any new exploit or any
new class of exploit.
Scalability
How does Primary Response adapt to changes in the IT environment such as application changes or system patches?
Primary Response can easily adapt to changing IT environments. First, the security
administrator can suspend Primary Response Agents on affected machines, implement
the operating system update, application upgrade or security patch, and then
resume the agents and instruct them to readapt. The administrator can perform
these operations on agents grouped either by application or by machine type (for
example, group application patches by application, operating system patches by
machine). As the agent readapts, it automatically profiles incremental application
changes. While readapting, the agent will not detect, prevent or alert on system
call sequence behavior. However, during this time, the agent will continue to
detect, prevent and alert on any code injections and buffer overflows, which
account for the largest class of attacks in the enterprise. Due to the incremental
impact of change management on application profiles, the adaptation to change
is typically much quicker than the initial adaptation.
Do I need a unique agent for each application I want to monitor?
No, Primary Response does not require agents for individual applications. Rather,
a single Primary Response Agent can profile multiple applications on a server,
including standard applications (such as IIS, Apache and iPlanet Web servers),
complex applications (such as Microsoft Exchange, Peoplesoft, SAP and Oracle)
and custom, in-house developed software and applications.
We frequently scan and patch our servers. Do we still need Primary Response?
Yes. Vulnerability Scans are good at identifying known potential exploits within
applications and operating systems across the enterprise. However, Primary Response
provides protection from both unknown and known threats that can exploit vulnerabilities
in applications and in the operating system, providing a protective shield around
servers and applications. Primary Response allows you to schedule security patch
deployments and avoid time-consuming security patch fire drills. In addition,
Primary Response protects applications that are unsupported and no longer receive
patches, for example applications running on Microsoft Windows NT.
What is the impact of Primary Response on the IT staff?
With no rules or signatures to tune, Primary Response can be installed, configured
and ready to protect applications and servers in less than 20 minutes. This allows
more effective utilization of IT and security resources. Customer feedback indicates
this is a very different experience than the one offered by rules-based solutions,
which require a much higher level of tuning effort to ensure the appropriate
security posture across the enterprise. Additionally, Primary Response's role-based
user management and management groups scale easily to large deployments.
Manageability
What administration process is required to secure an application and manage Primary Response?
The Primary Response administrator deploys Primary Response Agents to selected
servers and designates the applications to profile. This can be accomplished
in minutes from the Primary Response Management Console. Once the agents are
deployed, applications have out-of-the-box protection from code injection and
buffer overflow attacks. The agents automatically profile application behavior
in order to detect and prevent additional types of attacks. There are no rules
to tune and no signature libraries to keep up-to-date.
How long does Primary Response take to profile application behavior?
The adaptation period is autonomously determined by the Primary Response Agent,
depending on the type and complexity of the application it is monitoring. The
agent monitors the quantity of new system call code paths, which it observes
over time, and lowers its adaptation sensitivity threshold accordingly. Because
server-based applications typically perform repetitive tasks, Primary Response
can build a profile of normal behavior in several hours. In the case of applications
exhibiting more erratic behavior, the agent may profile the application for a
few days before it has completely learned the normal application behavior.
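The profiling loop described here and in "How does Primary Response work?" above, as an added example that is not Sana's code. It models a "system call code path" as a sequence of three consecutive system calls, keeps the set of paths seen so far as the profile, and treats the adaptation threshold as the number of never-seen paths a trace may contain before it is flagged. The threshold starts high, is only ever lowered, and tightens once a window of recent traces has contributed few new paths; a trace that exceeds the current threshold is flagged even during the adaptation period and is not learned. The 3-call window, the tightening schedule and the sample traces are assumptions made for the example; the page does not disclose SanAPT's actual model.

```python
from collections import deque

# Constructed example (not Sana's code): models "system call code paths" as
# 3-call sequences and the adaptation threshold as the number of unseen
# sequences a trace may contain before it is flagged. The schedule that
# lowers the threshold is an assumption; the FAQ only says the threshold
# decreases as fewer new paths are observed.

class AdaptiveProfile:
    def __init__(self, n=3, start_threshold=8, floor=1, window=3):
        self.n = n
        self.known = set()                      # code paths accepted as normal
        self.threshold = start_threshold        # max unseen paths tolerated per trace
        self.floor = floor                      # never adapt below this
        self.recent_new = deque(maxlen=window)  # new paths in the last `window` traces

    def paths(self, trace):
        return {tuple(trace[i:i + self.n]) for i in range(len(trace) - self.n + 1)}

    def observe(self, trace):
        """Feed one trace; returns (verdict, unseen_count, threshold_after)."""
        unseen = self.paths(trace) - self.known
        if len(unseen) > self.threshold:
            # Flagged even during the adaptation period, and not added to the profile.
            return ("anomaly", len(unseen), self.threshold)
        self.known |= unseen
        self.recent_new.append(len(unseen))
        self.adapt()
        return ("learned", len(unseen), self.threshold)

    def adapt(self):
        # Once a full window of traces is in, tighten the threshold to a little
        # above the most new paths any recent trace contributed; only ever lower it.
        if len(self.recent_new) == self.recent_new.maxlen:
            candidate = max(self.floor, 2 * max(self.recent_new) + 1)
            self.threshold = min(self.threshold, candidate)

# Constructed traces for a web server process: two normal request paths, one
# trace with a large injected payload, and one with a small injected stub.
NORMAL_A = ["accept", "read", "stat", "open", "read", "write", "close"]
NORMAL_B = ["accept", "read", "stat", "write", "close"]
INJECTED = ["accept", "read", "stat", "open", "dup2", "dup2", "execve",
            "fork", "setuid", "chmod", "socket", "connect", "write"]
SMALL_VARIANT = ["accept", "read", "stat", "open", "dup2", "execve"]

def run_sample():
    profile = AdaptiveProfile()   # one profile per application, here "httpd"
    sequence = [NORMAL_A, NORMAL_B, INJECTED, NORMAL_A, NORMAL_B, NORMAL_A, SMALL_VARIANT]
    return [profile.observe(trace) for trace in sequence]
```

In the sample run the first two traces are learned while the threshold is still 8; the large injected trace (9 unseen paths) is flagged during adaptation; the repeated normal traces then drive the threshold down to 5 and finally to the floor of 1, after which the small variant with only 2 unseen paths is flagged too. The value of a decreasing threshold is visible in that last step: a small injected stub that would have passed early in the adaptation period is caught once the profile has stabilised.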
How does the Primary Response Management Server communicate with agents?
Primary Response Agents communicate with the Management Server using a web-based
authenticated and encrypted protocol (self-certified SSL). Because this is a
standards-based protocol, it enables web-based remote management across routers
and firewalls. Primary Response Agents do not require new ports to be opened,
nor are they listening on existing open ports.
How does Primary Response handle upgrades?
Upgrades and patches to Primary Response, including new agents, can be installed
from the Management Console. The administrator downloads the patch from the Sana
Security Customer Support site and then uploads it to the Primary Response
Management Server from the Management Console.
Does Primary Response support Management Groups?
Yes, Primary Response Agents can be managed in user-defined groups. A Primary
Response Group is a set of agents and applications protected by the agents. Agents
can belong to more than one group, and multiple users can be assigned to manage
each group.
Does Primary Response support Role Based User Management?
Yes, Primary Response supports two types of users, Administrators and Group Managers.
The Group Manager role provides privileges for managing a group of agents. The
Administrator role has full access privileges in Primary Response. Administrators
are responsible for global settings, creating groups and group managers and assigning
machines, applications and group managers to groups.
Can Primary Response integrate with other management consoles?
Yes, Primary Response agents can be managed in user-defined groups. A Management
Group is a group of agents and applications they protect. Agents can belong to
more than one Group, and multiple Group Managers (type of user role) can be assigned
to manage it.
What platforms does Primary Response support?
Primary Response supports Windows NT 4.0 Server, Windows 2000 Server, Windows
2003 Server and Solaris 8 Server (32-bit and 64-bit) Operating Systems. For a
detailed list of system requirements, including processor, RAM and disk space
requirements by platform, visit www.sanasecurity.com/products/pr23Requirements.php.
What does Oracle database support allow me to do?
Primary Response stores alerts, system configuration information and other data
in a repository. The repository can be either a database internal to Primary
Response or an Oracle database. With Oracle, administrators can use Oracle database
tools to manage data, create detailed, custom reports using reporting packages
such as Crystal Reports and integrate Primary Response data with other applications.
What are System Alerts?
Primary Response provides administrators with system visibility into their enterprise
infrastructure. Administrators receive system alerts on activities such as agent
startup and shutdown, unexpected agent shutdown, agents going offline, and new
agent registrations.
Performance
What are bootless agents?
Primary Response does not require stopping and restarting servers to install
the agents, unlike other HIPS products. This capability is known as bootless
agents.
What is the Primary Response Agent performance impact on protected servers?
Primary Response Agents typically consume less than 5% of CPU utilization, up
to 10% during sustained attacks. For a detailed list of system requirements,
including processor, RAM and disk space requirements by platform, visit www.sanasecurity.com/products/pr23Requirements.php.