SAN MATEO, CALIF. - Start-up Sana Security this week will introduce software it says can learn normal server activity and detect or block abnormal behavior, such as buffer-overflow attempts, which aim to subvert the server's security.
The company's Primary Response offering is one of a new breed of behavior-blocking products that have been proven capable of stopping new and unidentified attacks - in contrast with signature-based defense, which depends on a specific attack definition. The downside of behavior-blocking technology is that it can require a lot of management to make it work. Sana says its product, which starts at $6,500, spares the administrator the management burden because Primary Response, which runs on Sun Solaris and Microsoft Windows servers, uses artificial intelligence to monitor and learn individual server communication patterns.
According to Sana's founder and chief scientist, Steven Hofmeyr, the administrator loads the Primary Response agent onto the server and decides whether to have suspicious activity reported to the Primary Response console or blocked. Beyond that, there's no need to configure it. But it does take a while for Primary Response to determine what is to be considered typical, legitimate activity.
"These software agents are profiling the normal behavior of the server program and the operating system," Hofmeyr says. "It starts off ignorant, but in a day or two, it knows what to do and has a means of detecting when the system is using something not normally used."
Some customers, including home and garden retailer Smith & Hawken in Novato, Calif., which has been beta-testing Primary Response, back up the claim that the software can learn on its own without needing the administrator to configure it.
"It really does detect changes and anomalies," says Smith & Hawken CIO Tammy Lowe. "We've had people try and attack us from [other] countries, and it's detected and blocked." After months of testing it in a data center, Smith & Hawken is rolling out Primary Response across the company.
Primary Response can monitor Web-based and customized applications, and in the coming months, Sana plans versions of Primary Response to run on Linux and AIX. Sana aims to compete against Entercept, Harris, Okena (which Cisco recently acquired) and Stratum8, among others that also market host-based software using this type of behavior-blocking defense. However, Sana has no immediate plans for a desktop version of its software.
Read more about security in Network World's Security section.