Most security professionals agree that we can’t effectively stop malware by blacklisting signatures; the approach used by most antivirus applications. But, what about other legacy anti-malware solutions like behavior-based HIDS or HIPS (Host-based Intrusion Detection/Prevention Systems)?

The promise of HIDS/HIPS solutions was big: by monitoring system behavior and network traffic these solutions would be able to determine which behavior is normal, and which may indicate an attack. However, it turns out that this approach is not so easy. Defining the policies and rules that determine which behavior is ‘normal’ and which indicates an attack is a very difficult and time consuming task that requires deep understanding and expertise. As a result, most of the HIDS/HIPS rules and policies are not deterministic enough, resulting in many false-positive alerts. HIDS/HIPS administrators have problems keeping false-positives to a minimum. In some cases, false-positives become so annoying that the alerts are ignored because they are triggered far too often. If the alerts are ignored, what’s the point of having them?  Of course this dramatically hinders security efforts and security administrators should never let it get to this point.

To minimise false-positives, constant tuning of HIDS/HIPS rules and policies is needed. Every time a new application is installed, updated or patched the HIDS/HIPS solution must be tuned. This creates a huge burden on the solution administrators that need to understand each alert when it is triggered. It also increases the total cost of solution ownership (TCO). The cost of professional resources required for initial setup and ongoing maintenance, tuning and administration of the solution, along with training and user support drives the solution costs very high.

False-positives are also very annoying to the end user.  Most enterprise users are not security experts. They don’t understand (and often don’t care about) security alerts that pop-up on their screens. All they know is that these alerts are preventing them from doing their job. If this happens too often, users will demand that the solution is removed from their desktop, rendering the solution ineffective. Again, we should never get to this point.

A New Approach

Unlike behavior-based HIDS and HIPS solutions, Trusteer Apex provides accurate and effective malware protection that is completely transparent to the end user and requires minimal IT resources. It doesn’t monitor all system behaviors trying to identify abnormal behaviors. Trusteer Apex focuses on targeted applications (see previous blog on Shielding Targeted Applications) and uses ‘Stateful Application Control’ to validate the application state when the application performs a sensitive operation – for example, writing a file to the file system. Trusteer Apex identifies all legitimate application states for each of the targeted applications. It’s important to note that legitimate application states for targeted applications don’t change very often, even when the application is patched or updated to a newer version. The focus on targeted applications and their legitimate application states allows Trusteer to manage the complete list of legitimate application states and immediately provide updates as needed. Security administrators don’t need to create or tune any rules to determine malicious behaviors. They just need to turn the protections on.

Trusteer’s Stateful Application Control provides accurate context to the application operations. Because exploits take advantage of application vulnerabilities they create unknown application states. When the application state in unknown, and doesn’t have a legitimate context, the exploit is blocked and the files it tries to download are quarantined. The accuracy provided by Stateful Application Control ensures that there are no false-positives.

Trusteer Apex is completely transparent to the user: the solution stops exploits in the background, allowing the user to continue working as usual. Only the security administrators are provided with alerts to enable awareness and further investigation.   To support forensic investigations, the alerts contain important details about the victimised application, the infected machine and even a sample of the downloaded files.

Recommendations

We’ve come a long way since the days of HIDS and HIPS solutions. Trying to determine that an action is malicious only by examining host behavior has proven to be an ineffective method because it lacks the context of the operation. Only by understanding both the application operation and its context (indicated by the application state) is it possible to accurately determine if the operation is valid or not.

The automation provided by Stateful Application Control enables Trusteer, an IBM company, to provide a solution that is accurate and effective, yet transparent to the user while requiring minimal investment of IT resources. So, our customers really do get the best of both worlds.