Primary Response FAQ
General
Protection
Scalability
Manageability
Performance
What is Primary Response?
Primary Response is host-based intrusion prevention software (HIPS)
that provides the most accurate, automated and effective detection
and prevention of attacks for standard, complex and custom server
applications on major platforms. Unlike rules and signature-based
solutions built on static architectures, Primary Response significantly
reduces IT management overhead with its unrivaled ability to
self-protect servers and applications in heterogeneous, multi-platform
environments. Primary Response was designed to meet key enterprise
requirements in the areas of protection, scalability, manageability
and performance.
What makes Primary Response
unique from other application security solutions?
Primary Response Agents profile normal application behavior and
automatically detect and prevent intrusions and attacks with patent-pending
SanAPT technology. Based on seven years of research by
Dr. Steven Hofmeyr at UNM and MIT, SanAPT technology is inspired
by the principles of the human immune system, detecting and preventing
application attacks in a manner similar to the way the human body
fights disease.
How does Primary Response
work?
Primary Response Agents autonomously trace application process
system calls in the OS kernel via a kernel loadable module, or
device driver, and automatically create a profile of normal system
call code paths. All spawned child processes are automatically
included in the profile. Within a few hours the agent recognizes
repeatable system call code paths and lowers the adaptation threshold.
The adaptation threshold continues to decrease over time, taking
several hours to a couple of days depending on the profiled application.
The agent automatically detects and prevents anomalous code paths
exceeding a set threshold at any time, including during the adaptation
period. Primary Response Agents are centrally managed from a web-based
management server via an encrypted and authenticated protocol.
What are the key benefits
of Primary Response?
Because SanAPT technology enables the agent to automatically and
autonomously learn normal behavior, thereby detecting and preventing
threats, Primary Response is the most accurate, effective and automated
application security solution. This translates into several key
benefits that can be found at: www.sanasecurity.com/products/index.php
I already have a firewall
and a Network Intrusion Detection system (NIDS) at my perimeter.
Do I still need Primary Response to protect my server-based applications?
Perimeter defenses, such as firewalls and NIDS, provide an important
security measure for computer networks. However, they do not provide
a sufficient level of protection for server-based applications.
Because many applications communicate with each other and with
end users over the Internet, application-level attacks will often
penetrate a perimeter via a legitimate access point. Moreover,
firewalls and NIDS are unable to inspect encrypted (SSL) traffic,
which is not decrypted until it reaches the host. Attacks that
successfully navigate the perimeter security layers are often targeting
specific application vulnerabilities and are easily detected by
Primary Response. According to Gartner Research, 75% of successful
attacks exploit application vulnerabilities. Most security experts
recommend a layered approach to information security. Primary Response
is an application security solution that complements NIDS and other
network-layer products, and protects server-based applications
more effectively and accurately.
Why can't I just install
NIDS in front of my servers?
NIDS play an important role in securing network traffic. They are
effective at detecting certain types of attacks, such as Denial
of Service (DoS) and Distributed Denial of Service (DDoS), and
can detect known attacks before they reach servers. However, NIDS
do not effectively protect server-based applications even if deployed
in front of server farms or individual servers. Because they have
no knowledge of application behavior and often no knowledge of
what applications are present on which servers, NIDS generate thousands
of false alarms forcing administrators to make tradeoffs between
accuracy and efficacy by turning off rules and signatures governing
their security policies. Moreover, NIDS are incapable of inspecting
encrypted traffic such as SSL. Most security experts recommend
a layered approach to information security. Primary Response is
an application security solution that complements NIDS and other
network-layer products, and protects server-based applications
more effectively and accurately.
What is the difference between
Primary Response and an application firewall?
Application firewalls are designed to protect web traffic by inspecting
the incoming and outgoing HTTP/HTTPS packets against a set of predefined
web server-centric filters. Because they are not capable of monitoring
actual (web) application execution processes, application firewalls
require difficult manual fine tuning to protect highly customized
web servers. In addition, application firewalls are susceptible
to spoofing, evasion and DDoS attacks.
We have invested heavily
in our signature-based solution. Why should we spend more for
another product?
Signature-based approaches require prior knowledge of an attack
and a signature developed for that specific type of attack.
Products that use a signature-based approach must have up-to-date
signatures installed in order for this type of system to work.
Of greater importance, a signature-based approach, by its very
nature, will fail at preventing zero-day, unknown attacks.
The real cost of a signature-based solution is measured in the
amount of time required to (1) install and configure signature
updates in initial deployment, (2) manage the ongoing signature
updates and general change management in the IT environment, and
(3) recover from a loss of business continuity, productivity, and
information data resulting from a successful penetration [from
an unknown attack] which signature-based systems neither detect
nor prevent.
I have heard about
McAfee Entercept and Cisco Security Agent (formerly Okena). Are
these products similar to Sana's Primary Response?
Rules-based solutions, such as McAfee Entercept and Cisco Security
Agent, carry two hidden costs, which over time greatly exceed the
original cost of the security software itself. First is the overhead
cost associated with the amount of time required to manage the
tuning during both its initial deployment and subsequent change
management cycles. The second hidden cost is the real loss of productivity
resulting from successful penetrations from unknown attacks, which
signature and improperly configured rules-based systems neither
detect nor prevent.
We always penetration
test our applications before we deploy them to production servers.
Do we still need Primary Response?
Penetration testing will detect application vulnerabilities for
known attacks. Primary Response will protect the application from
both known and unknown attacks. In addition, Primary Response provides
robust forensic and analytic information that can aid in diagnosing
security issues in an application development environment.
How can I get an evaluation
copy of Primary Response or a One-on-One Demo?
Contact Sana Security sales at 866-900-SANA to receive a time-limited
evaluation copy of Primary Response or a One-on-One Demo.
Who should I contact
at Sana for more information?
Contact Sana Security sales at 866-900-SANA.
Protection
Why is Primary Response
better than competitive products that also claim behavior-based
intrusion prevention?
Security products such as McAfee Entercept and Cisco Security Agent
use knowledge-based policies (rules and/or signatures) to predefine
what an application can and cannot do, and what constitutes an
attack. These companies claim that rules and signatures can adequately
model normal and anomalous application behavior. While a rules-based
approach can be effective in firewalls and other network-focused
security products, Sana believes that this approach is fundamentally
flawed when it comes to application security. Application behavior
is significantly more complex and cannot be accurately defined
with a set of rules and signatures.
Because rules and signatures are not granular enough to correctly
define normal and anomalous application behavior, they force administrators
to choose between an effective security policy and a low number
of false alarms. Locking down an application with too many rules
will prevent it from meeting its core business objectives and will
make it more difficult to maintain. On the other hand, modifying
or turning off rules to enable the application to run unfettered,
or to lower false alarm rates, enables potential vulnerability
exploits. Moreover, because IT environments are diverse and constantly
changing, rule and signature modifications are necessary for each
server with every system change. This includes operating system
and application upgrades, security patches, and configuration changes,
making the rules-based solutions not only inaccurate, but also
impractical to deploy across the enterprise on production systems.
In contrast to the rules-based approach of our competitors, Primary
Response provides out-of-the-box protection from code injection.
Code injection attacks (also called buffer overflow exploits)
are the largest class of threats on enterprise servers. Examples
include Sasser, Blaster, Slammer and Code Red. Primary Response
SanAPT technology enables autonomous profiling of applications
on each server, and quickly and automatically adapts application
profiles during change management. Moreover, because Primary Response
profiles applications at a system call level, it is significantly
more effective and accurate than rules-based solutions focused
on file system access.
Which applications
does Primary Response protect?
Primary Response is application agnostic. Because the SanAPT technology
autonomously adapts to any server-based process, Primary Response
protects standard applications (such as IIS, Apache and iPlanet
Web servers), complex applications (such as Microsoft Exchange,
PeopleSoft, SAP, and Oracle) and custom, in-house developed software
and applications.
Does Primary Response protect
the host server as well as the applications running on it?
Yes. Primary Response can profile and protect core operating system
services on the host as well as applications running on it. Primary
Response includes a set of default applications for securing the
operating system with detection protection. Customers can add additional
services in the same way they would add new monitored applications.
What are code injection
or buffer overflow attacks?
When an attacker overflows a buffer with executable instructions,
the attack is a code injection. The injected code
attempts to take over the machine so the attacker can access private
data or use the machine to attack still more machines. Primary
Response provides protection against the most common forms (85-95%)
of code injection attacks, such as those used by Blaster, Slammer,
and Code Red.
How does Primary Response
prevent code injection or buffer overflow types of attacks?
Primary Response knows what memory has been allocated to legitimate
processes. If code begins to run from another part of memory, Primary
Response takes specific steps. A code injection attack can take
one of two forms:
- In the first type, all malicious code is injected into the
buffer.
- In the second type, only a very small amount of malicious code
is injected into the buffer.
This small piece of code then activates normally benign code for
a malicious purpose. Primary Response observes when system calls
occur in invalid memory spaces. In the first type of attack, the
code must execute a fairly high number of system calls to accomplish
anything. If the number of system calls executed matches the Minimum
System Calls filter set in Primary Response for that application,
then Primary Response generates an alert. In addition, Primary
Response will block additional system calls if it has been configured
to do so. In the second type of attack, the code launches an external
process. Primary Response will block this behavior regardless of
the number of system calls used by the attacker.
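The two reactions described above, as an added simulation written for this FAQ (it is not Sana's code and does not show how the Primary Response driver is implemented): every system call carries the address of the instruction that issued it, the monitor checks that address against the process's executable mappings, counts calls that come from anywhere else, alerts once the count reaches the per-application Minimum System Calls filter (blocking further calls when prevention is enabled), and blocks a process launch from invalid memory on its first occurrence regardless of the count. The memory map, the system call names, the addresses and both traces are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """One mapping in a process's address space (constructed addresses)."""
    start: int
    end: int          # exclusive
    executable: bool
    name: str

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


# Constructed memory map of a hypothetical server process: two legitimate
# code mappings plus its heap and stack, which should never issue system calls.
SAMPLE_MAP = [
    Region(0x00400000, 0x00450000, True, "server.exe .text"),
    Region(0x7C800000, 0x7C900000, True, "kernel32.dll .text"),
    Region(0x00600000, 0x00900000, False, "heap"),
    Region(0x0012D000, 0x00130000, False, "stack"),
]

# Calls that launch an external process (the second attack form): blocked on
# the first occurrence from invalid memory, whatever the call count.
PROCESS_LAUNCH_CALLS = {"NtCreateProcess", "NtCreateProcessEx", "execve"}


class InjectionMonitor:
    """Counts system calls whose calling instruction lies outside the process's
    executable mappings and reacts once the Minimum System Calls filter is met."""

    def __init__(self, regions, min_syscalls, prevent=True):
        self.regions = regions
        self.min_syscalls = min_syscalls   # per-application filter value
        self.prevent = prevent             # False: detect and alert only
        self.invalid_calls = 0
        self.alerts = []

    def origin_is_valid(self, caller_addr):
        return any(r.executable and r.contains(caller_addr) for r in self.regions)

    def _react(self, reason):
        self.alerts.append(reason)
        return "block" if self.prevent else "alert"

    def on_syscall(self, name, caller_addr):
        """Return the action taken for one system call: allow, alert or block."""
        if self.origin_is_valid(caller_addr):
            return "allow"
        self.invalid_calls += 1
        where = f"{name} issued from non-executable memory at {caller_addr:#010x}"
        if name in PROCESS_LAUNCH_CALLS:
            return self._react("process launch: " + where)
        if self.invalid_calls < self.min_syscalls:
            # Below the filter: tolerated, so a single stray call does not alert.
            return "allow"
        return self._react(f"filter reached ({self.invalid_calls}): " + where)


def run_trace(trace, min_syscalls=3, prevent=True, regions=SAMPLE_MAP):
    """Replay a (syscall, caller address) trace and return the per-call actions."""
    monitor = InjectionMonitor(regions, min_syscalls, prevent)
    return [monitor.on_syscall(name, addr) for name, addr in trace]


# Constructed trace, first form: a larger payload running from the stack needs
# several system calls before it accomplishes anything.
TRACE_FIRST_FORM = [
    ("NtCreateFile", 0x00401230),              # legitimate, inside server.exe
    ("NtReadFile", 0x7C801A40),                # legitimate, inside kernel32.dll
    ("NtAllocateVirtualMemory", 0x0012D8F0),   # from the stack
    ("NtWriteVirtualMemory", 0x0012D910),
    ("NtProtectVirtualMemory", 0x0012D930),
    ("NtCreateThread", 0x0012D950),
]

# Constructed trace, second form: a tiny stub in the heap launches a process.
TRACE_SECOND_FORM = [
    ("NtReadFile", 0x00401000),
    ("NtCreateProcess", 0x00600010),
]

if __name__ == "__main__":
    print(run_trace(TRACE_FIRST_FORM, min_syscalls=3))
    print(run_trace(TRACE_SECOND_FORM, min_syscalls=10))
```

With the filter set to 3, the first trace is allowed through its two legitimate calls and the first two stack-originated calls, then blocked from the third invalid call onward; with `prevent=False` the same calls produce alerts instead. The second trace is blocked at the launch call even though the filter (10) is far from reached.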
What types of attacks does
Primary Response detect and prevent?
Primary Response detects threats that cause server behavior to
deviate from normal application behaviors. This means it will detect
a wide range of exploits of program vulnerabilities. Included is
a list of some of the major classes of attacks that Primary Response
can detect. While this selection is not comprehensive, it is simply
intended to highlight the extensive coverage provided by Primary
Response:
- Bounds overflows, including buffer overflows, stack overflows,
heap overflows, and index overflows
- Code injections, including heap, stack and static memory code
injections
- File linkage abuse
- Abuse of incorrectly set permissions
- Abuse of default and sample files
- HTTP header manipulation
- Format string
- Command injection
- Directory traversal
- Abuse of debug functions
- Null bytes
- Off-by-one
- Trojans and backdoors
- Account enumeration
- Race conditions
- Privilege escalation
Because Primary Response is a host-based intrusion prevention
solution, it will not detect abuses that are focused at the network
layer, such as connection hijacking and sniffing. Such attacks
are best detected or prevented by network-based security solutions
such as Network Intrusion Prevention solutions (NIPS).
Does Primary Response take
automatic action on all alerts or can it be configured to only
detect attacks and generate alerts?
Primary Response Agents can be set to either detect or prevent
attacks. Because this setting is centrally managed, it can be easily
switched from detection to prevention at any time across any or
all profiled applications or protected machines.
Don't other products stop
unknown attacks also?
Stopping unknown attacks is a common claim in the industry. Most
often the protection from zero-day attacks is limited to a subset
of types of known attacks for which protection is available. Because
Primary Response requires no advanced knowledge of an attack type
or a specific attack, it protects from any new exploit or any new
class of exploit.
Scalability
How does Primary Response
adapt to changes in the IT environment such as application changes
or system patches?
Primary Response can easily adapt to changing IT environments.
First, the security administrator can suspend Primary Response
Agents on affected machines, implement the operating system update,
application upgrade or security patch, and then resume the agents
and instruct them to readapt. The administrator can perform these
operations on agents grouped either by application or by machine
type (for example, group application patches by application, operating
system patches by machine). As the agent readapts, it automatically
profiles incremental application changes. While readapting, the
agent will not detect, prevent or alert on system call sequence
behavior. However, during this time, the agent will continue to
detect, prevent and alert on any code injections and buffer overflows,
which account for the largest class of attacks in the enterprise.
Due to the incremental impact of change management on application
profiles, the adaptation to change is typically much quicker than
the initial adaptation.
Do I need a unique
agent for each application I want to monitor?
No, Primary Response does not require agents for individual applications.
Rather, a single Primary Response Agent can profile multiple applications
on a server, including standard applications (such as IIS, Apache
and iPlanet Web servers), complex applications (such as Microsoft
Exchange, PeopleSoft, SAP and Oracle) and custom, in-house developed
software and applications.
We frequently scan and patch
our servers. Do we still need Primary Response?
Yes. Vulnerability scans are good at identifying known potential
exploits within applications and operating systems across the enterprise.
However, Primary Response provides protection from both unknown
and known threats that can exploit vulnerabilities in applications
and in the operating system, providing a protective shield around
servers and applications. Primary Response allows you to schedule
security patch deployments and avoid time-consuming security patch
fire drills. In addition, Primary Response protects applications
that are unsupported and no longer receive patches, for example
applications running on Microsoft Windows NT.
What is the impact of
Primary Response on the IT staff?
With no rules or signatures to tune, Primary Response can be installed,
configured and ready to protect applications and servers in less
than 20 minutes. This allows more effective utilization of IT and
security resources. Customer feedback indicates this is a very
different experience than the one offered by rules-based solutions,
which require a much higher level of tuning effort to ensure the
appropriate security posture across the enterprise. Additionally,
Primary Response's role-based user management and management groups
scale to large deployments easily.
Manageability
What administration process
is required to secure an application and manage Primary Response?
The Primary Response administrator deploys Primary Response Agents
to selected servers and designates the applications to profile.
This can be accomplished in minutes from the Primary Response Management
Console. Once the agents are deployed, applications have out-of-the-box
protection from code injection and buffer overflow attacks.
The agents automatically profile application behavior in order
to detect and prevent additional types of attacks. There are no
rules to tune and no signature libraries to keep up-to-date.
How long does Primary
Response take to profile application behavior?
The adaptation period is autonomously determined by the Primary
Response Agent, depending on the type and complexity of the application
it is monitoring. The agent monitors the number of new system
call code paths it observes over time and lowers its adaptation
sensitivity threshold accordingly. Because server-based applications
typically perform repetitive tasks, Primary Response can build
a profile of normal behavior in several hours. In the case of applications
exhibiting more erratic behavior, the agent may profile the application
for a few days before it has completely learned the normal application
behavior.
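A toy version of the profiling lifecycle described in "How does Primary Response work?", "How does Primary Response adapt to changes in the IT environment" and the answer above, added here as an illustration; it is not Sana's code and SanAPT's actual representation of a code path is not public on this page. It follows the sequence-of-system-calls idea from the Hofmeyr and Forrest research the FAQ refers to: an application's profile is the set of short system call sequences its processes (parent and spawned children alike) have exhibited, each observation period is scored by its novelty (the fraction of sequences never seen before), and that score is compared with an adaptation threshold that starts fully permissive and is lowered in every period that brings little new behaviour, until it reaches a floor and the agent is "protecting". Readapting after a patch keeps the profile, suspends sequence alerts and re-opens the threshold only part way, which is why it settles faster than the initial adaptation. The window length, thresholds, decay factor, process ids, system call names and traces are all constructed assumptions.

```python
from collections import defaultdict


class SyscallProfiler:
    """Profile = set of short system call sequences ("code paths") seen so far.
    Each observation period is scored by its novelty, the fraction of sequences
    not yet in the profile, and compared against an adaptation threshold."""

    def __init__(self, window=3, start_threshold=1.0, readapt_threshold=0.25,
                 floor=0.05, decay=0.5, settle_novelty=0.10):
        self.window = window                        # sequence length in system calls
        self.normal = set()                         # the learned profile
        self.threshold = start_threshold            # tolerated novelty; 1.0 tolerates all
        self.readapt_threshold = readapt_threshold  # profile is kept, so re-open only partly
        self.floor = floor                          # final, most sensitive setting
        self.decay = decay                          # threshold shrink factor per quiet period
        self.settle_novelty = settle_novelty        # a period is "quiet" at or below this
        self.mode = "adapting"                      # adapting | protecting | readapting
        self.alerts = []

    def _sequences(self, trace):
        """Sliding windows per process; parent and child processes all feed
        the same application profile."""
        per_pid = defaultdict(list)
        for pid, call in trace:
            per_pid[pid].append(call)
        return [tuple(calls[i:i + self.window])
                for calls in per_pid.values()
                for i in range(len(calls) - self.window + 1)]

    def observe(self, period, trace):
        """Score one observation period; returns "ok" or "alert"."""
        seqs = self._sequences(trace)
        unseen = [s for s in seqs if s not in self.normal]
        novelty = len(unseen) / len(seqs) if seqs else 0.0
        if self.mode != "readapting" and novelty > self.threshold:
            # Anomalous code paths: alert, and never learn from them.
            self.alerts.append((period, round(novelty, 3)))
            return "alert"
        self.normal.update(unseen)
        if self.mode != "protecting" and novelty <= self.settle_novelty:
            # Behaviour is repeating: tighten the threshold toward the floor.
            self.threshold = max(self.floor, self.threshold * self.decay)
            if self.threshold == self.floor:
                self.mode = "protecting"
        return "ok"

    def readapt(self):
        """After a patch or upgrade: keep the profile, suspend sequence alerts,
        and re-open the threshold until the changed behaviour has been learned."""
        self.mode = "readapting"
        self.threshold = self.readapt_threshold


def periods_to_settle(profiler, trace, limit=50):
    """Feed the same period repeatedly; return how many it takes to reach
    protecting mode (None if it never settles within the limit)."""
    for n in range(1, limit + 1):
        profiler.observe(n, trace)
        if profiler.mode == "protecting":
            return n
    return None


# Constructed traces for a hypothetical web server: pid 100 accepts and forks,
# pid 101 (its child) serves two requests.
NORMAL_PERIOD = [
    (100, "accept"), (100, "fork"),
    (101, "read"), (101, "open"), (101, "read"), (101, "write"), (101, "close"),
    (100, "accept"), (100, "fork"),
    (101, "read"), (101, "open"), (101, "read"), (101, "write"), (101, "close"),
]
# A patch adds a logging code path to the worker.
PATCH_TAIL = [(101, "open"), (101, "write"), (101, "close")]
# A code path the profiled server never exhibited.
INJECTED_TAIL = [(101, "mprotect"), (101, "socket"), (101, "connect"), (101, "execve")]

if __name__ == "__main__":
    p = SyscallProfiler()
    print("settled after", periods_to_settle(p, NORMAL_PERIOD), "periods")
    print("injected path:", p.observe(7, NORMAL_PERIOD + INJECTED_TAIL))
    print("patched, no readapt:", p.observe(8, NORMAL_PERIOD + PATCH_TAIL))
    p.readapt()
    print("patched, readapting:", p.observe(9, NORMAL_PERIOD + PATCH_TAIL))
    print("resettled after", periods_to_settle(p, NORMAL_PERIOD + PATCH_TAIL), "more periods")
```

Run as shown, the profiler settles after six identical periods, alerts on the injected code path, also alerts on the patched server when the administrator has not asked it to readapt (the false alarm the FAQ's suspend-patch-readapt procedure avoids), accepts the patched behaviour silently once readapting, resettles in three further periods because the old profile is retained, and still alerts on the injected path afterwards.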
How does the Primary
Response Management Server communicate with agents?
Primary Response Agents communicate with the Management Server
using a web-based authenticated and encrypted protocol (self-certified
SSL). Because this is a standards-based protocol, it enables web-based
remote management across routers and firewalls. Primary Response
Agents do not require new ports to be opened, nor are they listening
on existing open ports.
How does Primary Response
handle upgrades?
Upgrades and patches to Primary Response, including new agents,
can be installed from the Management Console. The Administrator
downloads the patch from the Sana Security Customer Support site,
and then uploads them to the Primary Response Management Server
from the Management Console.
Does Primary Response
support Management Groups?
Yes, Primary Response Agents can be managed in user-defined groups.
A Primary Response Group is a set of agents and applications protected
by the agents. Agents can belong to more than one group, and multiple
users can be assigned to manage each group.
Does Primary Response support
Role-Based User Management?
Yes, Primary Response supports two types of users, Administrators
and Group Managers. The Group Manager role provides privileges
for managing a group of agents. The Administrator role has full
access privileges in Primary Response. Administrators are responsible
for global settings, creating groups and group managers and assigning
machines, applications and group managers to groups.
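The two-role model above and the group semantics from the previous answer, as an added deny-by-default authorization check (illustrative code written for this FAQ, not Sana's implementation): Administrators hold every privilege, Group Managers may act only on agents that belong to a group they have been assigned, an agent may sit in several groups, and a group may have several managers. The user and agent names, group names and the action vocabulary are constructed assumptions.

```python
from collections import defaultdict

# Constructed action vocabulary: global actions are reserved for Administrators,
# agent actions are what a Group Manager may do within an assigned group.
GLOBAL_ACTIONS = {"change_global_settings", "create_group",
                  "create_group_manager", "assign_to_group"}
AGENT_ACTIONS = {"view_alerts", "set_detect_or_prevent", "suspend", "readapt"}


class ManagementAuthorization:
    """Deny-by-default check of who may perform which action on which agent."""

    def __init__(self):
        self.administrators = set()
        self.group_agents = defaultdict(set)    # group -> agents it protects
        self.group_managers = defaultdict(set)  # group -> users who manage it

    def add_administrator(self, user):
        self.administrators.add(user)

    def add_agent_to_group(self, group, agent):
        self.group_agents[group].add(agent)

    def add_manager_to_group(self, group, user):
        self.group_managers[group].add(user)

    def groups_managed_by(self, user):
        return {g for g, managers in self.group_managers.items() if user in managers}

    def is_allowed(self, user, action, agent=None):
        if user in self.administrators:
            # Full access, but still only to actions the product defines.
            return action in GLOBAL_ACTIONS or action in AGENT_ACTIONS
        if action not in AGENT_ACTIONS or agent is None:
            return False   # global actions and unknown actions: deny
        # A Group Manager reaches an agent through any group they both belong to.
        return any(agent in self.group_agents[g] for g in self.groups_managed_by(user))


def sample_deployment():
    """Constructed deployment: one administrator, two groups sharing an agent."""
    auth = ManagementAuthorization()
    auth.add_administrator("alice")
    for agent in ("web01", "web02"):
        auth.add_agent_to_group("web-servers", agent)
    for agent in ("erp01", "web02"):          # web02 belongs to both groups
        auth.add_agent_to_group("erp", agent)
    auth.add_manager_to_group("web-servers", "bob")
    auth.add_manager_to_group("erp", "carol")
    auth.add_manager_to_group("erp", "dave")  # several managers per group
    return auth


if __name__ == "__main__":
    auth = sample_deployment()
    for who, what, target in [("bob", "suspend", "web01"), ("bob", "suspend", "erp01"),
                              ("carol", "readapt", "web02"), ("bob", "create_group", None),
                              ("alice", "create_group", None)]:
        print(who, what, target, "->", "allowed" if auth.is_allowed(who, what, target) else "denied")
```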
Can Primary Response
integrate with other management consoles?
Yes, Primary Response agents can be managed in user-defined groups.
A Management Group is a group of agents and applications they protect.
Agents can belong to more than one Group, and multiple Group Managers
(type of user role) can be assigned to manage it.
What platforms does
Primary Response support?
Primary Response supports Windows NT 4.0 Server, Windows 2000 Server,
Windows 2003 Server and Solaris 8 Server (32-bit and 64-bit) Operating
Systems. For a detailed list of system requirements, including
processor, RAM and disk space requirements by platform, visit www.sanasecurity.com/products/pr23Requirements.php.
What does Oracle database
support allow me to do?
Primary Response stores alerts, system configuration information
and other data in a repository. The repository can be either a
database internal to Primary Response or an Oracle database. With
Oracle, administrators can use Oracle database tools to manage
data, create detailed, custom reports using reporting packages
such as Crystal Reports and integrate Primary Response data with
other applications.
What are System
Alerts?
Primary Response provides administrators with system visibility
into their enterprise infrastructure. Administrators receive system
alerts on activities such as agent startup and shutdown, unexpected
agent shutdown, agents going offline, and new agent registrations.
Performance
What are bootless agents?
Primary Response does not require stopping and restarting servers
to install the agents, unlike other HIPS products. This capability
is known as bootless agents.
What is the Primary
Response Agent performance impact on protected servers?
Primary Response Agents typically consume less than 5% of CPU,
up to 10% during sustained attacks. For a detailed list of system
requirements, including processor, RAM and disk space requirements
by platform, visit www.sanasecurity.com/products/ppRequirements.php