Prevx intrusion detection puts agents on desktops

Prevx is following Cisco's lead in intrusion detection with its latest product, which relies less on signatures and more on looking for suspicious application behaviour

Security software company Prevx launched an enterprise security product on Wednesday that uses desktop-based agents to flush out attacks and intruders. Pervx's Intrusion Prevention System (IPS) will compete directly with Cisco's Security Agent, which was launched earlier this year.

Unlike traditional intrusion detection systems (IDS), Pervx does not rely on predefined signatures to recognise attacks. Using signatures limits IDS systems to only recognising attack code that has been used before, so unknown attacks exploiting undocumented vulnerabilities can easily slip through the system. Instead, both Pervx's IPS and Cisco's Security Agent look for suspicious application behaviour by placing a small agent on each desktop that connects to a central management console that logs any attacks.

"Lots of IDS sit on the network, sniff network packets and look to match those packets against known attack signatures," said Nick Ray, chief executive of Prevx. "If it is a new attack or an adaptation of an attack that doesn't match the signature database, it is not going to get picked up, so these systems are always vulnerable to zero day attacks," he said.

According to Ray, signature-based systems often ignore encrypted traffic, which has left a hole that is being exploited by hackers. "Hackers are beginning to use methods that arrive over encrypted transport layers. Most network sniffing technologies don't sniff encrypted traffic because decrypting traffic slows the system down and there are issues regarding confidentiality," he said.

Prevx's IPS attempts to recognise suspicious behaviour, regardless of whether a vulnerability or exploit is already known. As an example, said Ray, the most common attack creates a buffer overflow, where an attacker is able to execute alien code on the target system: "There are thousands of these attacks around that are exploiting thousands of different vulnerabilities in underlying software but there are some features that are common in all buffer overflow attacks -- they include attempting to execute code in a writable area of memory." If we detect code that attempts to execute in a writable area of memory, we know it is not a process started by the system, therefore it is an attack, said Ray.

Ray concedes that very large companies will probably opt for Cisco's Security Agent, but he was adamant that the Prevx system is less complicated to use and much cheaper to maintain: "Cisco relies on mapping complicated behaviour and comparing that behaviour with known 'good behaviour'. That's quite a complicated thing to do," said Ray, who pointed out that purchasing a security system is usually less expensive than maintaining it: "The licence cost of these products can begin to pale into insignificance when compared to the ongoing management costs. People find they spend £100,000 on an IDS system and then £500,000 a year running it because of all the staff they have to employ."

The Prevx IPS costs £4,000 for the console that can handle up to 7,000 desktop agents and then £395 per Windows server or £795 per Solaris server.