- By Grant Gross -
Executives at Linux security company Cylant say the computer security industry is engaged in a "conspiracy of sorts," or at least a conspiracy of ignorance, in taking a reactive approach to fighting vulnerabilities.
Cylant is pitching its CylantSecure server monitoring product as an alternative to the virus-runs-wild-then-release-patch cycle practiced by most security companies. CylantSecure for Linux, what the company calls a "host-based intrusion detection system," is a real-time monitoring system that immediately notifies the server's sysadmin when something funky is happening that shouldn't be.
The technology is based on research into software measurement done by
Cylant's chief scientist, John Munson, for large, critical systems like those designed by Jet Propulsion Labs for the U.S. Space Shuttle. The software benchmarks the patterns of execution in the Linux kernel on a server, then determines when those patterns depart from normal. When an attack occurs, notification happens within "milliseconds," says Joel Rothman, president of Cylant. The company has applied for a patent on the process of aggregating the information CylantSecure's sensors pick up and put into a profile that's the server's normal functions. Some of the software is released under the GNU General Public License, and Cylant is a sponsor of the Kernel Instrumentation Project.
Conspiracy of ignorance?
"Our approach is different from everybody else's," Rothman says. "There is a built-in way of thinking within the security community that what you want to do is track down the perpetrators. That's number one. Number two, there's what we call a conspiracy, and it could very well be a conspiracy of ignorance, that services are so key and such a big profit motive -- the patching, the updates, the upgrades, nothing to do with additional features -- it's very difficult for anyone in security to look at this product and say, 'Wow, this great.'
"In essence, what we're saying is, 'Look, you don't need the patch anymore,' because the server is going do a very small number of things, we know what it's doing, and when it starts doing something else, we're not going to let it do that."
The software can be configured to take several different steps if abnormal behavior starts happening: It can notify the administrator, shun traffic from the originating IP address for a certain length of time, or run an administrator defined program to deal with certain types of behavior. All the while, administrators can let the script kiddies think they're doing damage, while capturing data on the attack, if they want the forensics.
"Because we're getting everyone away from the idea of patching and forensics being important components to security, we get a lot of people who are very resistant," Rothman adds. "We're telling them, from our perspective, it's not important. Let the hacker on the other end think he's succeeded, if that's what you want to do."
Rothman notes that while Cylant is focusing on security, the system monitoring method has "as much application to system availability and reliability, and maybe even more so."
So why focus on Linux, which has the reputation of being both secure and reliable?
Partly because Cylant had access to the source code with Linux. Scott Wimer, Cylant's CTO, says CylantSecure takes data from about 5,000 points in the kernel. Running the software on a piece of software as complex as the Linux OS also demonstrates that it could be used on other pieces of software, he added.
"Bill Gates wasn't exactly returning our calls when we were asking him for the source code," Rothman says. "What we've done with the Linux kernel could be done with any program if you give us the source code -- Oracle 9i, any database, any other operating system, any embedded system. We don't care what the system is, it's a black box as far as we're concerned. What we care about is how it behaved during training, and how it's behaving now."
Rothman says the Linux security market was ripe for an intrusion detection product, and the Linux/Apache server market share, around 50% of Web servers out there, makes for a significant market.
CylantSecure is designed to run on Red Hat 6.2 and 7.2. I tried to get my Red Hat 7.2 review copy to work in Mandrake 8.0, but ran into glib conflicts and some dependency issues. Even after updating to Mandrake 8.1 and running a Ximian Red Carpet update on 8.1, I ran into the same problems while trying to install the binaries manually. For example, CylantSecure demands version 3.2x of mkinitrd; Mandrake 8.1 has version 3.1.6.
(Yeah, yeah, I know I need to take the time to download or buy Mandrake 8.2 one of these days. It's just that I feel a bit dishonest when I click the "I'm already a member of the Club or plan on registering soon" download link at Linux-Mandrake.com, and 8.2 isn't on the shelves of my local Best Buy or CompUSA, despite rumors to the contrary.)
When I tried to install the Red Hat 6.2 binaries manually, I got most of the way through installing CylantSecure itself. When I tried to install its Console program, there was a different kind of dependency issue: It wanted Perl version 5.00503. and I had v5.6.1 installed.
But my Mandrake issues aren't Cylant's fault; a couple of employees even tried to hand-hold me through a manual installation over IRC. They say they're working on an easier installer for later versions than the 1.2.1 review copy I have, and most potential business customers will be Red Hat users.
Short of doing my own review, at least until I find Mandrake 8.2 or switch to Red Hat, I asked Dave Wreski, corporate manager of Open Source security company Guardian Digital and publisher of LinuxSecurity.com what he thinks of CylantSecure and the company's claims that the security industry is engaged in a "conspiracy of ignorance."
"I think this statement is a bit ambitious," he says. "While I do think they have a
good product, I think it would be unwise to use it as something more
than just another level of protection."
Admitting he's sounding like plugging his own distribution, Wreski says CylantSecure, plus a security-focused distro like Guardian Digital's EnGarde Linux provides a "significantly higher level of protection."
He adds: "In other words, using an off-the-shelf distribution, and not doing
everything possible to ensure it's secure before relying on Cylant would
be foolish. After all, it only detects anomalies; if the administrator
gets lulled into a feeling Cylant will protect him based on
misinformation from a PR campaign, he will make costly mistakes. It
won't protect you from an insecure security policy."
Rothman admits other security measures beyond CylantSecure are important. Some behaviors, such as access controls, aren't going to cause a change in the server behavior for CylantSecure to catch, at least for now, he says. "We're not saying, 'don't have a firewall,'" he says. "There are important layers of security that you need to have because nothing is a panacea."
Rothman and Wimer point to a security challenge Cylant sponsored early this year. The company challenged hackers to crash a default, unpatched Red Hat 6.2 installation, with everything installed and all services turned on, protected by CylantSecure. Instead of the Honeynet Project's estimation of a default Red Hat 6.2 installation lasting 72 hours before getting cracked, CylantSecure's installation stood up to 6,500 attacks over 55 days before being successfully compromised through an access-control problem, according to the company.