Primary Response 2.1. Sana Security, (650) 292-7100. www.sanasecurity.com
Grade: C+
Primary Response has no rules, no policies and no signatures. Instead, it learns the normal behavior of a system, and thereafter allows only what is deemed normal.
We initially placed the agent software in monitor-only mode. We could set an adoption window of anywhere from one to 18 hours; Sana recommends using the server normally during this period. After three similar adoption windows, the machine was profiled: the agent had learned its system calls, the directories it accessed and the behavior of its programs. Any event that did not occur during the adoption period was raised as an alert, and we could then specify whether to allow that event in future. If your backup software runs only once a week, for example, it may not run during the adoption period at all; the first time it does run, it will generate an alert, and you can then allow it.
One technique we used after profiling was to leave the machine in monitor-only mode, watch for permissible but infrequent events, and create exceptions for them. Only then did we lock the machine down.
Primary Response doesn't let you see the policy file, but that's academic, because it can't be modified anyway. All we could do was create and undo exceptions, which are simply permissions granted for behavior outside the learned norm. We found the hidden profile disturbing. The profiling also assumes that the machine is clean during the adoption period, which is not always the case; anything an intruder does during that window becomes part of "normal" and will never raise an alert. If a machine changed radically, or we installed a service pack, we had to readapt. On the other hand, buffer-overflow protection was active even during the learning period, and Sana says the learning capability makes the product easier to administer. We have to agree: protecting our network was hardly any work at all. Still, call us paranoid, but we didn't like being unable to look at or modify the policy.
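To make the learn-then-enforce model concrete, here is an added illustrative example of how such a profile behaves, covering both the adoption-and-exception workflow described above and the dirty-machine caveat. It is not Sana's code and says nothing about how Primary Response is implemented internally; the event model (program, system call, path), the generalization of learned paths to their directory, the three-window adoption rule, and all of the sample events are assumptions constructed for the example.

```python
"""Illustrative model of a behavioral host profile: learn what is normal,
then alert (monitor-only) or block (locked down) on anything else.
Added example; not Sana Security's code or design."""
import os
from collections import namedtuple

Event = namedtuple("Event", "program syscall path")

# Constructed sample activity: one ordinary window on a web server, which we
# replay three times to stand in for "three similar adoption windows".
NORMAL_WINDOW = [
    Event("httpd", "open", "/var/www/html/index.html"),
    Event("httpd", "open", "/var/www/html/about.html"),
    Event("httpd", "write", "/var/log/httpd/access_log"),
    Event("sshd", "exec", "/bin/bash"),
    Event("cron", "exec", "/usr/bin/logrotate"),
]
ADOPTION_WINDOWS = [NORMAL_WINDOW, NORMAL_WINDOW, NORMAL_WINDOW]

# Events that never occur while the profile is being learned (constructed).
WEEKLY_BACKUP = Event("tar", "open", "/var/www/html/index.html")   # legitimate but rare
SUSPECT_SHELL = Event("httpd", "exec", "/bin/sh")                  # web server spawning a shell


def behaviour_key(ev):
    """Assumption: the profile learns access *directories*, so a new file under an
    already-learned directory still counts as normal for that program and call."""
    return (ev.program, ev.syscall, os.path.dirname(ev.path))


class HostProfile:
    REQUIRED_WINDOWS = 3  # assumption: profile is complete after three windows

    def __init__(self):
        self.learned = set()      # behaviour observed during adoption
        self.exceptions = set()   # permissions granted outside the learned norm
        self.windows_seen = 0
        self.locked = False

    def adopt(self, events):
        """Learning mode: everything seen becomes 'normal', good or bad."""
        self.learned.update(behaviour_key(e) for e in events)
        self.windows_seen += 1

    @property
    def profiled(self):
        return self.windows_seen >= self.REQUIRED_WINDOWS

    def readapt(self):
        """After a service pack or other radical change: forget and relearn."""
        self.learned.clear()
        self.windows_seen = 0
        self.locked = False

    def allow(self, ev):
        self.exceptions.add(behaviour_key(ev))

    def undo(self, ev):
        self.exceptions.discard(behaviour_key(ev))

    def lock_down(self):
        self.locked = True

    def evaluate(self, ev):
        """'learning' until profiled; then 'allow', 'alert' (monitor-only) or 'block'."""
        if not self.profiled:
            return "learning"
        key = behaviour_key(ev)
        if key in self.learned or key in self.exceptions:
            return "allow"
        return "block" if self.locked else "alert"


def walkthrough():
    """The workflow from the review: adopt, watch in monitor-only mode,
    add exceptions for rare-but-legitimate events, then lock down."""
    p = HostProfile()
    for window in ADOPTION_WINDOWS:
        p.adopt(window)
    out = {}
    out["new page in learned dir"] = p.evaluate(Event("httpd", "open", "/var/www/html/new.html"))
    out["backup, first run"] = p.evaluate(WEEKLY_BACKUP)       # never learned -> alert
    p.allow(WEEKLY_BACKUP)                                      # operator grants an exception
    out["backup, after exception"] = p.evaluate(WEEKLY_BACKUP)
    p.lock_down()
    out["httpd shell, locked"] = p.evaluate(SUSPECT_SHELL)      # outside the norm -> block
    p.undo(WEEKLY_BACKUP)
    out["backup, exception undone"] = p.evaluate(WEEKLY_BACKUP)
    return out


def dirty_adoption():
    """The caveat: a compromise present during adoption is learned as normal,
    so the same suspect event is allowed even after lockdown."""
    p = HostProfile()
    for window in ADOPTION_WINDOWS:
        p.adopt(window + [SUSPECT_SHELL])
    p.lock_down()
    return p.evaluate(SUSPECT_SHELL)


if __name__ == "__main__":
    for name, verdict in walkthrough().items():
        print(f"{name:28s} -> {verdict}")
    print(f"{'httpd shell, dirty adoption':28s} -> {dirty_adoption()}")
```

The point of `dirty_adoption()` is the one a practitioner should take from the review: a profile-based product has no notion of "bad", only of "unseen", so the adoption windows must be run on a host you already trust, and any exception you grant is a permanent hole in the baseline until you undo it.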