Tuesday, January 30, 2007

HIPS: what's in a name?

i was reading this HIPS article and i came upon something that struck me as being considerably less than optimal right in this first paragraph:
There are numerous techniques for providing host-based intrusion prevention capabilities, but eWeek Labs believes there are two that will best complement enterprises' current strategies: vulnerability inspection and application and process vetting.
no, i'm not about to criticize eweek's choice in technologies - i'm about to point out the fact that the term HIPS (host-based intrusion prevention systems) has basically come to mean nothing...

what do i mean? i mean that everything short of virus (or spyware) scanners and simplistic firewalls gets lumped into the HIPS pile... just look at this example: scanning network traffic for exploits (vulnerability inspection) couldn't be more different from application whitelisting (application/process vetting)... then there are the HIPS that use behaviour blocking, or the ones that try to implement application-centric access control lists, or even known-exploit scanners (which are apparently different from/more specific than vulnerability inspectors)...

if you were a consumer looking to compare different HIPS products meaningfully you'd be out of luck - they don't just have different technology (each anti-virus scanner has slightly different technology), they implement entirely different techniques and literally represent different paradigms... comparing an application whitelist to a behaviour blocker or exploit scanner is like comparing apples to oranges, but such distinctions aren't transparent when everything gets called an HIPS...

maybe HIPS was the buzzword bingo that all the vendors wanted in on, but the big losers are average folks who don't know the difference and are misled by this meaningless umbrella term that implies all those technologies are equal - they aren't, and folks are being done a disservice when they aren't told up front what's what... they can't compare them, they can't combine them intelligently, all they can do is pay their money and say thank you sir, may i have some more...

2 comments:

Anonymous said...

A very tiny minority of consumers even care about such issues. The vast majority of consumers will not want this type of protection anyways if it inconveniences them even one second of an iota. This is why the consumer must really be ignored until the problem becomes so rampant for enough of them that they will actually care to learn about malware and av instead of expecting things to "just work" 100% of the time.

kurt wismer said...

just because most users don't care doesn't mean it isn't important, it just means that (once again) their wants and their needs are out of alignment with each other...

in order to properly protect themselves they need to know what tools they're using and what those tools are capable of so that they can properly choose complementary tools to make up for the weaknesses in the ones they're already using...

that most users don't appear to care about something which could help them to better protect themselves is simply a symptom of their lack of awareness...