Technology Secures Even Newfound Flaws

Security firm eEye crafts Blink software with the smarts to identify initial attacks.

Paul Roberts, IDG News Service

EEye Digital Security has announced a new end-point security product that it says will help organizations stop attacks launched from the Internet that exploit previously unknown software vulnerabilities.

Blink, an intrusion prevention software (IPS) client, has vulnerability-scanning as well as network-based and host-based firewall features. The product draws on intelligence about software exploits developed by eEye's vulnerability experts to spot an attack, even before security companies have formally identified the problem. This way, the software can protect computers on "zero day," when a vulnerability is first exploited, even before a "signature" is available to guard against the particular attack, according to Firas Raouf, eEye's chief operating officer.

Blink is now available on a subscription basis, starting with packages of ten licenses for $56 per device annually. For servers, eEye is combining Blink with its Secure Internet Information Services (IIS) product and sells annual subscriptions for $600 per server, Raouf says.

Early Detection

Blink works at the network layer, reconstructing calls for network services such as FTP and HTTP and comparing that traffic to eEye's lexicon of exploit methods. The approach gives Blink an advantage over competitors that work at what Raouf calls the "process layer," analyzing the interactions between applications and the operating system for dangerous behavior. Blink allows companies to drop malicious traffic before it even reaches critical applications such as Web servers, he says.

The Blink client will work on servers, workstations, and laptops running Microsoft Windows, including Windows 2000, XP, and Windows 2003 Server. The clients are controlled from a central management console in an organization's data center, Raouf says.

The product is designed primarily for large companies and can be deployed, managed, and updated from a central location, according to eEye.

For companies with mobile workers, Blink's integrated firewalls will also isolate problems caused by malicious code obtained outside of a corporate network. For example, Blink can recognize activity associated with a virus or worm and shut down the infected application on a machine, protecting other network hosts. At the same time, Blink allows other, unaffected applications to keep running, so users can keep working, Raouf says.

Tester's Comments

Continental Airlines has been evaluating Blink on a mix of desktop and server systems since January, says Andre Gold, director of information security. The company is testing Blink's IPS and scanning features but won't use the network or application firewalls, he says.

Though the airline has not used Blink in production, Gold says he is impressed with the amount of protection Blink provides with little or no configuration.

"It's a chore to manage [host intrusion prevention] across hundreds or thousands of machines," he says. But Blink let Gold simply activate the IPS feature to protect a system from virus and worm outbreaks, he says. And he didn't have to create policies for every application on those systems.

"I don't really care whether Notepad is running or not," for example, he says. "I just want to stop Slammer or Blaster," two of the most devastating worms of recent years.

IPS products have required spending hours creating different policies and rules for each of Continental's many applications, Gold says.

He gives Blink lower ratings on reporting and its management interface, which he says are not as fully developed as those of some of its more mature competitors. He also says Continental will eventually need a product that can work with Unix and Linux, which the company is increasingly using on its network. Blink does not currently support those platforms.

"'Windows only' isn't a problem when you're trying to stop things that are occurring today, but tomorrow the attack vector could shift," Gold says.
