Review: Eye-Opening End-Point Security

Responsible vulnerability disclosure seems to have lost its luster. Zero-day exploits are on the rise and Microsoft is increasingly forced to issue fixes outside of the "Patch Tuesday" cycle. Traditional pattern-matching technology to detect malware and intrusion just isn't going to cut it anymore.

The unfortunate trend of traditional antivirus companies considering viruses, Trojans, spyware and attacks as separate items requiring separate tools is over. It's time to say goodbye to the overstuffed—and more resource-intensive—desktop security software we've been forced to live with.

MSPs have worked hard to transfer ownership of desktop management from traditional time-and-materials to service-level-agreement-based pricing models. That also means that MSPs have transferred the risk of preventing malware infestations to those same SLA-based pricing models.

As they absorb that risk, pattern matching for detecting malware and intrusion detection just isn't going to provide the risk protection MSPs—and their customers—are looking for in this world of zero-day exploits. It used to be that security intrusions on customers' networks meant time and material billing dollars. In many cases, it now means lower margins as the cost of cleanup is borne by the MSP. In the bigger picture, the real goal is to prevent the customer from incurring the cost of downtime in the first place.

EEye Digital Security is helping solution providers and MSPs meet this challenge with Blink Professional 3.0 with Anti-Virus, its end-point security offering. Through its innovative approach to protocol analysis, Blink is able to detect and block zero-day attacks that bypass standard signature-checking solutions. Priced at $1,129 for coverage of 20 assets, Blink has a small footprint and combines several protection methods that include system firewall, application firewall, intrusion prevention, antimalware, eEye's Retina vulnerability assessment, identity theft protection and IP white/black listing in a single integrated application. All of this is based on protocol analysis and is backed up by traditional pattern matching.

As an example, Blink users were inherently protected from all five of the April 2007 Microsoft "critical" updates long before the vulnerabilities were ever discovered. As a matter of fact, since Blink was introduced, it has inherently protected against every Microsoft critical vulnerability that has been announced.

EEye is savvy enough not to promise that all future vulnerabilities will be inherently protected as well, but Blink technology does provide a significant advantage and nimbleness over previous methods of antivirus protection.

So, what exactly makes Blink so different? It uses innovative protocol analysis and heuristics at the network-driver and file-system levels to determine if a particular request is malicious or not. It then uses pattern matching to determine the name of the attack that it just blocked. This is a game-changer. Blink has a very small footprint at only 66 Mbytes of RAM with all services fully configured, which is less than half of comparable hodgepodge pattern-matching solutions.

It also uses "sandboxing" to test-run applications in protected memory to see if they attempt any malicious behavior before allowing them to run in the core operating system. Sandboxing creates a protected, limited area in computer memory where applications are allowed to execute without risking damage to the system that hosts them.

Next: The Bottom Line Blink can be administered locally on each desktop, but the hot ticket for management is to add eEye's centralized REM Security Management Console. REM is not only the centralized console for the popular Retina Network Security Scanner, it also allows for centralized Blink policy management and reporting.

Blink can be configured to run on the desktop in hidden mode so that the user does not even know it is running, one of four modes that allow varying degrees of end-user visibility. The data is stored in a SQL database, which means reporting is very flexible. It allows for several different views, most importantly the ability to view the data from a whole asset perspective rather than just by each scan.

Keep in mind that REM provides centralized administration and reporting for end-point system and application firewalls, IPS, antivirus, antispyware, Trojans, vulnerability assessment, identity theft protection, system protection (process, registry and execution) as well as managing trusted and banned IP addresses. That means you can ditch the four or five separate tools you are currently running on each desktop.

The Blink/REM combination is well-suited for the MSP environment. REM is multitenant, which means that it does include the ability to group and report on data by customer and allows individual login permissions that restrict the views to the data. The MSP adds value by understanding the implications involved in changing the configuration from the default configuration values.

If you are looking to mitigate the risk of creating SLA- based services on desktops and servers, taking a few minutes out of your busy schedule to evaluate Blink 3.0 and REM Security Management Console would be time well invested. By minimizing the attack surface, you will significantly reduce your exposure to attack and ultimately provide better uptime for the customer.

If you are looking for a competitive edge as a VAR selling security solutions, Blink offers significant differentiation from the other solutions out there. Alvaka Networks has found that whether you are a VAR or an MSP, eEye's Blink is a compelling new product to sell.

Rex Frank, CISSP, is the CTO of Alvaka Networks, a provider of network management, monitoring, security and integration services based in Huntington Beach, Calif.