by Jamie Beckett
HP is developing corporate "immune systems" aimed at helping businesses prevent and defend against growing security threats, one of the company's chief security researchers said at the recent RSA conference in San Francisco.
Joe Pato, a distinguished technologist at HP Labs and a conference keynote speaker, described two new HP security services -- Active Countermeasures and Virus Throttler -- to combat computer worms and viruses. Both technologies are mapped to HP's Adaptive Enterprise solutions to help customers easily adapt their IT systems to changing business conditions.
"Enterprises are increasingly under attack – and those attacks are coming faster," Pato said during his RSA 2004 keynote address late last week. The conference is the year's most prestigious information security event.
Protecting vulnerable points
Active Countermeasures uses the same vulnerabilities exploited by attackers to protect against a potential threat and prevent widespread damage to network systems. It's directed at "unknown machines" -- those in an enterprise that are unmapped or do not comply with security policy, and therefore represent vulnerable points in the network.
Adaptive Countermeasures works like a vaccine, Pato said, "by delivering a less virulent form of the disease, we are able to prevent that machine from being part of the environment that spreads the malignancy."
The service provides an ongoing vulnerability analysis based on the latest advisories from major security organizations and other sources, registering the threats with the highest probability and risk. The HP distributed scanning tool is then used to scan the network for machines vulnerable to those threats and automatically deploy policy-driven mitigation techniques.
"This is not just technology sitting in the research lab. These are things that HP has been developing over the past several years and that we have deployed throughout our global network," said Pato, a scientist in the Trusted Systems Lab.
The result is that attacks that have caused widespread interruption of service at other companies have largely become no more than "localized annoyances" at HP.
Slowing down attacks
The Virus Throttler dramatically slows the spread of an attack, virus or worm by limiting the number of different destinations an infected computer can attempt to connect to in a single second.
"The faster the worm moves, the quicker the techniques discover and stop it," Pato said.
By quickly choking off attacks, Virus Throttler prevents excessive network loads without affecting standard operations.
"This is significant because one of the effects of virulent worms is that it becomes impossible for administrators to use their infrastructure to control, observe or communicate using their existing network," he explained. "By reducing the bandwidth consumption, we are preserving those channels for human response."
Virus Throttler works continuously in the background and is not dependent on the arrival of virus signatures from third-party security suppliers to suppress an attack.
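The throttling idea described above, as an added sketch (not HP's code, and not the Virus Throttler's actual algorithm): each source may reach only a limited number of new destinations per second, repeat contacts pass freely, and excess attempts are held. The limit, the recent-destination list, the flag threshold and all addresses are assumptions, and the traffic is constructed.

```python
from collections import defaultdict

LIMIT_PER_SEC = 1    # assumed: new destinations allowed per source per second
RECENT_SIZE = 5      # assumed: recently contacted destinations pass freely
FLAG_BACKLOG = 10    # assumed: held attempts before a source is reported

class DestinationThrottle:
    def __init__(self):
        self.recent = defaultdict(list)     # src -> recently contacted dsts
        self.window = {}                    # src -> (second, new dsts let through)
        self.held = defaultdict(list)       # src -> attempts held back

    def attempt(self, ts, src, dst):
        """Return 'allow' or 'delay' for one outbound connection attempt."""
        recent = self.recent[src]
        if dst in recent:                   # repeat contact: normal traffic
            return "allow"
        sec, used = self.window.get(src, (int(ts), 0))
        if sec != int(ts):                  # a new one-second window starts
            sec, used = int(ts), 0
        if used < LIMIT_PER_SEC:
            self.window[src] = (sec, used + 1)
            recent.append(dst)
            del recent[:-RECENT_SIZE]       # keep only the newest entries
            return "allow"
        self.held[src].append((ts, dst))    # over the limit: hold, do not send
        return "delay"

    def flagged(self):
        """Sources whose backlog of held attempts reached the threshold."""
        return sorted(s for s, q in self.held.items() if len(q) >= FLAG_BACKLOG)

def run(events):
    """Feed (timestamp, source, destination) events through one throttle."""
    throttle, summary = DestinationThrottle(), {}
    for ts, src, dst in events:
        verdict = throttle.attempt(ts, src, dst)
        counts = summary.setdefault(src, {"allow": 0, "delay": 0})
        counts[verdict] += 1
    return summary, throttle.flagged()

# Constructed sample traffic: a workstation revisiting a few servers, and a
# host trying 50 different addresses within one second.
WORKSTATION = [(0.0, "10.0.0.5", "mail"), (0.5, "10.0.0.5", "mail"),
               (1.2, "10.0.0.5", "files"), (2.0, "10.0.0.5", "mail"),
               (2.4, "10.0.0.5", "files"), (3.1, "10.0.0.5", "web")]
SCANNER = [(i * 0.02, "10.0.0.9", f"198.51.100.{i + 1}") for i in range(50)]
EVENTS = sorted(WORKSTATION + SCANNER)
```

The workstation's traffic passes untouched, while the scanning host's backlog grows with its connection rate, so a faster scanner crosses the flag threshold sooner.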
Tested at HP
The technology underpinnings for these new services were developed in HP Labs, where researchers worked with HP's internal IT security staff to deploy and test them on HP's own infrastructure, which spans 247,000 networked devices around the world.
HP is now testing these Corporate Immune System capabilities with a few customers, and expects to have the services generally available by the end of the year.
The two new technologies are part of a long-term effort by HP to ensure a more trusted and secure IT infrastructure.
One key element of developing this infrastructure is creating "trusted" devices, Pato said, "devices that have protected storage, are able to be verified for their integrity and can be identified as a valid instance of a safe execution environment."
HP is a founder of the Trusted Computing Group (and its predecessor, the Trusted Computing Platform Alliance), an industry standards body that develops specifications to enhance the security of the computing environment across multiple platforms and devices.
Yet security must not come at the expense of individual privacy, Pato said.
"We need to look at how to take these technologies and develop platforms that are not only inherently privacy-preserving, but . . . give individuals much more control over how their personal information is stored and manipulated."
At the same time, he said, it is essential that individuals have the freedom to choose what type of device and software they use and how they use them.
"We as a society need to demand more," Pato said. "More from our vendors to make sure that security is built in, that features are turned on, that fundamental capabilities exist.
"We need to demand that solutions are standards-based, that we don't create silos and unnecessary walls between functions. We need to demand that the environment we create is manageable and user friendly."
Pato, who has been involved in security research and development since 1986, is a former chief technology officer for HP's Internet Security Solutions Division.
Other conference participation
HP demonstrated a number of other security solutions at the conference and discussed its work to champion the widespread adoption of security standards through collaboration with VeriSign on its Open Authentication Reference Architecture (OATH). OATH is an open-standards-based approach for improving the interoperability of identity management solutions.
In addition, Barbara Lawler, HP's Chief Privacy Officer, discussed "New Developments, Best Practices and Managing Trust" during a Chief Privacy Officer roundtable.