Summary

Host Intrusion Prevention is a relatively new type of technology. As a result, the HIP marketplace is not well-defined. HIPS product literature is abundant, but does not always clearly state what capabilities, benefits, and limitations HIPS products have.

HIPS can be a valuable addition to your arsenal of security countermeasures, but before you can use it effectively, you must have a good understanding of its basic characteristics. To qualify as HIPS, a product must be able to

• Block malicious code actions

• Not disrupt normal operations

• Distinguish between attacks and normal events

• Stop new and unknown attacks

• Protect against flaws in permitted applications

The ability to stop new and unknown attacks is the primary benefit of using HIPS. If an attack can be stopped before it does damage and spreads to other systems, your organization saves money by not having to clean up after the attack, losing productivity, or losing data. HIPS offers other benefits, including the following:

• Patch relief

• Internal attack propagation prevention

• Policy enforcement

• Regulatory requirements

No product is perfect, and HIPS is no exception. It is not suitable for all tasks, should be part of a defense-in-depth implementation, and has weaknesses such as the following:

• Subject to end user tampering

• Lack of complete coverage

• Attacks that do not target hosts