Senior Editor, Network World

Start-up picks up bad behaviors

Jun 07, 2004 · 3 mins
Network Security

Intrusion-prevention software fends off memory-based attacks.

Start-up Determina makes its debut this week with server-based intrusion-prevention system software that blocks attacks – such as buffer overflows often seen with computer worms such as Blaster and Sasser – that can compromise corporate computers.

The IPS, called SecureCore, runs on all variants of Windows-based servers, and Determina also is developing versions of its IPS for Linux and Windows desktops.

The start-up competes against Sana Security, Network Associates with its Entercept software and Cisco with its Security Agent, which is based on the StormWatch software it gained with the Okena acquisition last year. Start-up PivX introduced host-based IPS in March.

Determina’s behavior-blocking technology, dubbed Memory Firewall, is derived from years of research at Massachusetts Institute of Technology, according to CEO and co-founder Nand Mulchandani. He says Determina’s SecureCore software works by recognizing what are called “memory-based” attacks against Windows servers and blocking them automatically without having to configure for specific policies or add signature-based updates.

“These memory-based attacks, such as buffer overflows, corrupt memory,” he says. “We’ve seen this with Sasser and Blaster.” The worms exploited unpatched computer systems to compromise machines.

SecureCore doesn’t guard against other types of attacks, such as denial-of-service, cross-site scripting or privilege escalation, Mulchandani adds.

Determina’s assertion that SecureCore easily can be added to the server to safeguard unpatched computers is a claim borne out by some security managers who have tested the IPS.

“You put the disk in, say ‘accept,’ and then re-boot the machines, and that’s it,” says Michael Kamens, global network and security manager at Thermo Electron, a global laboratory equipment manufacturer in Waltham, Mass., which has been testing Determina’s software for the past three months.

Kamens says he installed SecureCore on 15 servers left unpatched and near the firewall’s access to the Internet to see if SecureCore could recognize and block attacks without registering false positives.

“It blocked Sasser,” says Kamens, alluding to the worm that spread a few weeks ago and infected unpatched Microsoft-based computers across the world. He said he has gained enough confidence in SecureCore to add it to Thermo Electron’s 800 servers.

Although Kamens doesn’t plan to forgo other security protections, such as anti-virus software, he says SecureCore was more effective than anti-virus software during the Sasser worm outbreak.

Determina’s software works by blocking suspicious computer behavior, and thus this type of security software is also called “behavior-blocking.” In his keynote speech at the RSA Conference in February, Microsoft CEO Bill Gates said he wants to build behavior-blocking features into Microsoft products.

Determina SecureCore is sold with a management console for deploying the Determina SecureCore Agents to Windows servers. The company offers specific software packages for Microsoft SQL Server, Internet Information Server and Exchange. The management console, which centralizes logging and event monitoring, only generates an alert if there is an attack. Pricing for SecureCore starts at $500 per server.

PROFILE: Determina

Location: Redwood City, Calif.
Founded: May 2003
Founders: Nand Mulchandani, CEO; Saman Amarasinghe, CTO (plus several of his Ph.D. students at MIT, where Amarasinghe is associate professor in Computer Science); Sandy Wilbourn, vice president of engineering.
Product: Memory Firewall, intrusion-prevention software for Windows servers.
Funding: $19 million from Bessemer Venture Partners, Mayfield and U.S. Venture Partners.
Fun fact: Determina’s core technology is said to be based on eight years of research at MIT and HP.