9 Replies Latest reply on Nov 1, 2012 9:48 AM by greatscott

    HIPS vs. App Control?

    kjhurni

      We have/had a product from Cisco (CSA) that's discontinued.  CSA was quite robust in features so you could get very granular like:

      IE can run, but it can't do these things to these items

       

      (just a quick example)

      We had originally evaluated HIPS (probably version 5.x) and it lacked the ability to accurately track programs (for example: we used ZENworks to run setupvse.exe, which in turn calls instmsi.exe, which then called msiexec.exe, which then ran the VSE 8.5 install).  HIPS (back then) failed to see the "chain" and only saw that msiexec.exe was called.  So you'd have to basically "allow" msiexec.exe to do stuff (which isn't always a good thing).

       

      Anyhow, flash forward to today.

      We had been told a while ago, by our McAfee rep, that the chaining issue had been fixed in a new release, so we bought HIPS version 8 and went to test it (should've tested it first before we bought).

       

      Seems that in HIPS version 8, you can no longer do the CSA-equivalent of my IE example, nor can it accurately track chaining (one app launches another which launches another, etc.).

      Our new McAfee person told us that THAT feature set got moved from HIPS and shoved into the SolidCore/App Control product, but based upon my limited reading, App Control is simply whitelisting.  Meaning: iexplore.exe is allowed to run and do whatever it wants wherever it wants, not granular like my previous example.

       

      Is that the case/true?

      Can you not "tweak" HIPS to get semi-granular (behavioral/rule-based) control using my previous example?

      If that is true, then does the App Control actually let you have fine-grained control as well, not just whitelisting the app itself?

      Thanks!

        • 1. Re: HIPS vs. App Control?
          Kary Tankink

          This may not be exactly what you're looking for, but the closest I think HIPS comes to "chaining" is Application Hooking.  In HIPS 7.0, this was done via the Application Blocking module, but in HIPS 8.0, this module was removed and this functionality was moved into the IPS module.  See the below KB for app hooking details (Signature 6010).  You might need to clarify your request with your Sales Rep.

          KB71794 - How to configure application blocking/hooking functionality with Host Intrusion Prevention 8.0

          • 2. Re: HIPS vs. App Control?
            ron.sokol

            HIPS and AppControl allow very granular control.  IMHO, HIPS is less granular than AppControl for application whitelisting, meaning the exclusions either require lots of tuning or are overbroad.  AppControl updates a list of most common off the shelf (COTS) apps on a regular basis to reduce the tuning effort.

            • 3. Re: HIPS vs. App Control?
              kjhurni

              ron.sokol wrote:

              HIPS and AppControl allow very granular control.  IMHO, HIPS is less granular than AppControl for application whitelisting, meaning the exclusions either require lots of tuning or are overbroad.  AppControl updates a list of most common off the shelf (COTS) apps on a regular basis to reduce the tuning effort.

              I'd actually argue that the opposite is true.  With App Control, either an app can run or it can't.  Unless I'm wrong, you can't use App Control to say things like:

              Internet Explorer can run, but it's not allowed to write to THIS portion of the file system, or THESE registry keys, or install these ActiveX controls that do ABC.

              Now, whether or not HIPS can do that as well is something we're trying to find out.  The old CSA product (Cisco Security Agent) had that level of granularity, although it did require a massive amount of tweaking to get it to that point.
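The two posts above describe the difference between a flat whitelist ("iexplore.exe may run") and rules that look at the launch chain (setupvse.exe -> instmsi.exe -> msiexec.exe) and at what a process does (write to THIS directory or THESE registry keys). The following is an added illustration of that difference as a small policy evaluator; it is not code from HIPS, App Control or CSA, the process events, the rule syntax and the names mgmt-agent.exe, dropped.dll and the sample paths are constructed here, and the rule format is invented for the example.

```python
"""
Toy policy evaluator contrasting two enforcement models from the thread:
a flat executable whitelist (run / don't run) versus rules that look at the
process ancestry chain and at what the process does (file and registry
targets). Constructed example for illustration; not HIPS, App Control or
CSA code, and the event data and rule syntax are invented here.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (pid, parent pid, lowercase image name)."""
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class Rule:
    """First matching rule wins; no match means deny."""
    image: str                 # image name the rule applies to
    op: str                    # "exec", "file_write", "reg_write" or "*"
    target: str = "*"          # lowercase glob on the path or registry key
    ancestors: tuple = ()      # images that must appear somewhere up the chain
    decision: str = "deny"


# Constructed events modelling the install chain described in the thread
# (deployment agent -> setupvse.exe -> instmsi.exe -> msiexec.exe) next to
# an interactive session where a user launches msiexec.exe and the browser.
PROCESS_EVENTS = [
    ProcessEvent(100, 1, "mgmt-agent.exe"),     # hypothetical deployment agent
    ProcessEvent(200, 100, "setupvse.exe"),
    ProcessEvent(300, 200, "instmsi.exe"),
    ProcessEvent(400, 300, "msiexec.exe"),
    ProcessEvent(500, 1, "explorer.exe"),
    ProcessEvent(600, 500, "msiexec.exe"),      # user double-clicked an .msi
    ProcessEvent(700, 500, "iexplore.exe"),
]
TREE = {e.pid: e for e in PROCESS_EVENTS}

# Flat whitelist: the only question it can ask is "may this image run?"
FLAT_ALLOW = {"mgmt-agent.exe", "setupvse.exe", "instmsi.exe",
              "msiexec.exe", "explorer.exe", "iexplore.exe"}

# Chain- and behaviour-aware rules (hypothetical syntax).
RULES = [
    # msiexec.exe may run only when it descends from the managed installer chain
    Rule("msiexec.exe", "exec", ancestors=("instmsi.exe", "setupvse.exe"), decision="allow"),
    Rule("msiexec.exe", "exec", decision="deny"),
    # the browser may run, but not write under the Windows directory or autorun keys
    Rule("iexplore.exe", "exec", decision="allow"),
    Rule("iexplore.exe", "file_write", r"c:\windows\*", decision="deny"),
    Rule("iexplore.exe", "reg_write",
         r"hklm\software\microsoft\windows\currentversion\run*", decision="deny"),
    Rule("iexplore.exe", "*", decision="allow"),
]


def ancestry(tree, pid):
    """Image names from the process itself up to the root, nearest first."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(tree[pid].image)
        pid = tree[pid].ppid
    return chain


def flat_decision(pid, allowed=FLAT_ALLOW, tree=TREE):
    """Whitelist model: identical answer for every instance of an image."""
    return "allow" if tree[pid].image in allowed else "deny"


def evaluate(pid, op, target="", rules=RULES, tree=TREE):
    """Rule model: match on image, operation, target glob and required ancestors."""
    image = tree[pid].image
    parents = ancestry(tree, pid)[1:]           # exclude the process itself
    for rule in rules:
        if rule.image != image or rule.op not in ("*", op):
            continue
        if not fnmatchcase(target.lower(), rule.target):
            continue
        if any(a not in parents for a in rule.ancestors):
            continue
        return rule.decision
    return "deny"


if __name__ == "__main__":
    for pid in (400, 600):
        print(pid, " <- ".join(ancestry(TREE, pid)),
              "| flat:", flat_decision(pid), "| chain-aware:", evaluate(pid, "exec"))
    print("iexplore write to system32:",
          evaluate(700, "file_write", r"C:\Windows\System32\dropped.dll"))
    print("iexplore write to downloads:",
          evaluate(700, "file_write", r"C:\Users\kj\Downloads\report.pdf"))
```

The flat model returns the same answer for both msiexec.exe instances, which is exactly the trade-off the opening post describes: to let the managed install through you end up allowing msiexec.exe everywhere. The rule model allows pid 400 because setupvse.exe and instmsi.exe sit in its ancestry and denies the user-launched pid 600, and it lets the browser run while refusing its writes under the Windows directory and the Run key; the ancestry walk is what a product needs to record at process-creation time for this to work.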

              • 4. Re: HIPS vs. App Control?
                ron.sokol

                Point well taken - and I think you'll find that kind of granularity with HIPS with custom sigs.  But as you mention, it's tweaky.  With AppControl, you can specify the 'updater' process that can call another process and modify program code, which gives you some granularity.  Normal 'authorized' executables can't do this without being an updater.  Updaters support inheritance also.  ChangeControl will give you the additional benefits of tracking any changes, FIM and write protection for files and registry.

                • 5. Re: HIPS vs. App Control?
                  kjhurni

                  Thank you Ron, that was actually very helpful (hence marking Helpful Answer).

                  It looks like we (well, the person who decides such things) should've looked more closely at both products (App Control and HIPS), as maybe the bulk of what is needed can be handled by App Control?

                  Thanks again

                  • 6. Re: HIPS vs. App Control?
                    ron.sokol

                    I will say the information available when AppControl first came out was very limited...it's much better now.

                    • 7. Re: HIPS vs. App Control?
                      greatscott

                      For super granularity, specifically in HIPS, I would rely on custom signatures. You can essentially create your own protections via factors such as executables, specific paths, reg keys, etc.

                      You will find in McAfee that there is generally more than one way to skin a cat. To take it further, you can utilize other products such as VSE to create protections. You could control applications via the Unwanted Programs policy if there are certain things you know you don't want performing any actions in your environment.

                      While some products don't always perform as advertised 100% of the time with McAfee, you can generally create a tailored protection from one of the product offerings. They do a job of providing a layered approach with each product.

                      • 8. Re: HIPS vs. App Control?
                        ron.sokol

                        IMHO as an admin in a large environment, to write custom sigs for every kind of threat out there is not sustainable.  The block known bad paradigm is not scalable.

                        • 9. Re: HIPS vs. App Control?
                          greatscott

                          I agree that it's not completely feasible and scalable in a large environment. Trying to account for every piece of software is near impossible. In HIPS 8, you can utilize Signatures 6010 and 6011, which mimic the incumbent HIPS 7 Application Blocking module. These address application invocation and hooking protections. This will eliminate having to create a custom signature for everything.

                          However, in certain instances, you may need to create a signature. Hopefully that is kept to a minimum.

                          Message was edited by: greatscott on 11/1/12 9:48:57 AM CDT