ISS to proactively thwart attacks

By Ellen Messmer, Network World
October 18, 2004 12:07 AM ET

Internet Security Systems is scheduled to announce plans for a system that prevents network attacks before threats are publicly identified.

The company says it will improve upon its Proventia intrusion-prevention line with appliances and host-based software products that depend less on the use of signatures of publicly known exploits to block computer worms and other attacks. Rather, the company says Proventia Enterprise Security Platform (ESP) will block threats based on advanced knowledge of vulnerabilities that ISS researchers glean by working closely with software vendors.

"Avoiding a threat in the first place is a hell of a lot better than reacting to it," says ISS CEO Tom Noonan.

He says Proventia ESP will include security agents for desktops and servers that will continuously perform assessments and report security vulnerabilities to an ISS management console called SiteProtector.

Noonan says this will be possible because ISS has a research team that investigates operating systems and applications of all types for vulnerabilities, frequently in cooperation with Microsoft and other software vendors. Though ISS typically doesn't reveal knowledge of vulnerabilities until a software vendor is prepared with a patch, the idea behind Proventia ESP is that a kind of virtual patch can be put in place in advance through the intrusion-prevention system (IPS) appliance and host-based software.

Noonan adds that ISS has quietly begun doing so in some cases, particularly for buffer-overflow vulnerabilities, with its Proventia and SiteProtector products.

While the company won't announce specific products under the Proventia ESP brand until later this fall, some ISS customers say they welcome new strategies that might provide protection before patches can be distributed.

"What ISS is proposing is absolutely the right direction," says Lloyd Hession, chief security officer at Radianz, a company with a network that connects about 5,000 financial firms around the world. He says the plan, which entails interaction between host-based vulnerability assessment and the network-based IPS, could be a preventive approach.

ISS is the first firm to outline a product-development strategy of this sort, though some others, including Sourcefire, are working to combine vulnerability-assessment information with intrusion-detection capabilities to improve the accuracy of IDS.

IPS products, which block traffic, face a greater burden of accuracy because organizations fear an IPS might block legitimate traffic through false alerts.
