I have been hinting that something big was coming for a few weeks now, and it is finally time to talk about it.
The big news is the release of MSI’s first enterprise security product – HoneyPoint.
HoneyPoint is designed as a direct response to the pain that I have been hearing about from network security folks for several years now. That pain is the general failure of network-based Intrusion Detection and Intrusion Prevention systems (IDS/IPS) to live up to the hype that surrounds them. Over the years, the idea of IDS has grown from a simple system of matching packets against a few signatures to a much larger beast.
Today’s IDS and IPS systems are broken. Most depend on signatures (be that against network packets or system & application logs). They compare the current traffic or events against that signature base and make a decision about the malicious intent of the traffic or events they are seeing. This was a great idea, to be sure, but it has largely failed to reach the promises vendors have been making for nearly a decade. There are simply too many signatures, too many nuances of traffic, networks have become too complex for effective IDS management and there is too much noise on modern networks for the signature-based approach to remain fully viable.
Now, before every IDS/IPS vendor in the world calls to tell me about their latest technology or technique to auto-tune, establish relevant baselines or use traffic patterns instead of signatures, I want to simply say this. Great! Good for you. But, I am not interested in hearing much about it. The current idea of IDS/IPS simply does not work. It is broken. Period.
Another reason why I say that is this – I have spent the last year talking directly with IDS/IPS users and hearing about their pain. They are spending way too much time tuning, updating and managing their IDS/IPS solutions. Even those that outsource their management, say they still spend way too much time working on false positive events or tracing issues that turn out to be nothing or worst of all, fighting against bot-nets, client side exploits, zero-day issues and other items that their detection systems failed to identify or stop. To put it simply, as one person did for me, they are “spending more time on managing the IDS than they are on responding to the 10K and more alerts it gives them each day.” To add insult to injury, of these 10K alerts – the majority of them turn out to be false positives.
Since threats are evolving and pushing into the organization at a much deeper level than the perimeter, and every trade magazine and security visionary is telling security teams to switch to enclave computing and begin to take an asset-centric approach to security, that is exactly what security professionals are doing. The problem is, they are finding that traditional IDS/IPS solutions are really not meeting the needs of securing the internal network in a meaningful way.
Thus, the paradigm shift that is HoneyPoint. The idea is an old one. The implementation is new. The idea of honeypots goes back a long way. They are essentially based upon the idea that if you create artifical systems or services on your network, an attacker will not know if what they see is real. The idea is that in order to determine what is real, they will have to probe and attack all of the visible targets. In doing so, they will, in more cases than not, probe a honeypot – thus alerting security folks to their presence. Obviously, the more honeypots, the higher the likelihood of their being probed instead of a real system.
This is the basis for HoneyPoint. We use it to make our systems offer services across the network that appear to be vanilla and homogenous. Imagine a big 10×10 grid of light sockets. If you had a light bulb and were asked to screw it into some of the sockets in the board, but some of the sockets were real and would light the bulb, while others would set off an alarm – how would you go about identifying which ones were real and which were alarms? You might carefully examine them, but if they all look similiar, the only way to know would be to try them.
That is exactly what we do with HoneyPoint. We dialate ports across our systems with similiar appearing services, and then wait for attackers to try and figure out which ones are real and which ones are HoneyPoints. Just by doing what attackers do – that is, probing the network and services they find – they fall into our trap and alert us to their presence. Once identified, they can be quickly isolated and shut down by network security staff.
The most beautiful part of all of this is the lack of false positives and signatures. Since the services offered by the HoneyPoints are not real, there is absolutely no reason at all for anyone to be using them. That means that ALL TRANSACTIONS WITH A HONEYPOINT ARE REAL EVENTS. Since the HoneyPoints key in on the idea that a transaction has occurred, and not what it was; they have no need for signatures (thus, no need to update and tune them). They simply capture the traffic they see, identify the source and alert the console of the event. Simple. Easy. No muss, no fuss – no additional management. The alerts from the console system can then be handled by the security team as an incident.
Alerts can be delivered via email, SMS (with a gateway), syslog or Windows Event logs. The console and HoneyPoints run on Win32, Linux/UNIX and OS X. Given their flexability, they can emulate thousands of services ranging from complex HTTP applications to RFC compliant implementations of your chosen mail platform. The variations are as flexible and endless as your imagination.
The HoneyPoint solution is built upon the idea of “deploy and forget.” HoneyPoints need only be installed and configured one time (leaving more time for vacations). They then operate as services or daemons (depending on OS) and simply wait for attackers to probe them. They have miniscule file sizes and memory demands, meaning you can run thousands on an average workstation size system with little impact, should you so desire. We suggest that you deploy them across your enterprise on your existing systems. No new hardware is needed.
Take a few minutes and visit the HoneyPoint web site at: http://www.microsolved.com/honeypoint for more information. Take it for a spin by filling out the form and get your FREE 90 day trial.
I think you will quickly come to understand why we are so excited and why security teams from many of our customers are telling us we have changed the way they think about securing thier environments!
Thanks for reading and for being patient while we brought HoneyPoint to life. I think once you use it, you’ll agree – it was well worth it!