
CSA Capabilities and Security Functional Roles

CSA has unique capabilities and plays many roles within the network, mainly because of its strategic positioning on the host system. With the in-depth knowledge of real-time events occurring on the system, CSA can monitor and control a wide variety of security functions and roles. CSA can control how the endpoint interacts with other surrounding systems and how users interact with the local system.

As soon as CSA is installed and launched, it begins monitoring the local system, maintaining a state table of each event and enforcing security policy accordingly. As mentioned earlier, CSA monitors all system- and application-related calls, whether invoked by a user or by auto-executed malicious code that is attempting to gain unauthorized access. If the access is classified as inappropriate behavior, CSA takes real-time dynamic action and sends an alert to both the local system and the CSA Management Center for global correlation.

CSA, as a single agent, plays security functional roles on the host system beyond just preventing known and unknown (day-zero) attacks. Table 21-1 lists the various CSA capabilities and describes their functional roles.

Table 21-1. CSA Capabilities and Security Roles

CSA capability: Basic security functions and controls
Functional role description:
CSA offers various system hardening functions such as SYN-flood protection or malformed packet protection.

Provides resource protection, including file access control, network access control, Registry access control, and COM component access control.

Control of executable content, for example, protection against e-mail worms and protection against automatic execution of downloaded files or ActiveX controls.

Application-related functions, such as application run control, executable file version control, protection against code injection, protection of process memory, protection against buffer overflows, and protection against keystroke logging.

Detection capabilities, for example, packet capture and packet sniffer, unauthorized protocols, network scans, and monitoring of OS event logs.

CSA capability: Host integrity role
Functional role description:
CSA is the industry standard host-based intrusion detection and prevention solution with the capability to stop zero-day malicious code without reconfiguration or updates.

CSA has a proven track record of stopping zero-day exploits, viruses, and worms over the past several years. Examples include the following:

In 2001: Code Red, Nimda (all variants), Pentagone (Goner)

In 2002: Sircam, Debploit, SQL Snake, and Bugbear

In 2003: SQL Slammer, SoBig, Blaster/Welchia, and Fizzer

In 2004: MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), and Buffer Overflow in Workstation Service (MS03-049)

In 2005: Internet Explorer Command Execution Vulnerability and Zotob

In 2006: USB Hacksaw, Internet Explorer VML exploit, WMF, Internet Explorer Textrange, and RDS Dataspace

In 2007: Rinbot, Storm Trojan, Big Yellow, MS-Word (MS07-014), Microsoft ANI 0Day, and Microsoft DNS 0Day

CSA capability: Application inventory feature
Functional role description:
CSA can now track all the applications installed on a computer or group of computers across the network, which of these are actually run, which of these use the network, whether the application is a network client or a network server, and which remote IP addresses the application communicates with.

CSA can track which applications are residing on which systems.

Application inventory can also track unknown and unauthorized applications (those that listen on a port but do not accept connections) running on a standalone system and on other systems on the network, analyzing their behavior, creating patterns, grouping them into suspected spyware or adware categories, and creating rules to limit or prohibit their behavior. CSA offers this unique spyware protection at no additional cost.

CSA capability: Policy control
Functional role description:
CSA can define policy controls based on the corporate security policy. Some types of behavior are not malicious but are undesired because they violate acceptable use within corporate policy, for example, music sharing via peer-to-peer (p2p) applications, instant messaging using noncorporate IM servers, external device protection (that is, devices that cannot be used, such as USB memory, multimedia devices, and CD-ROM), or use of unauthorized applications or unauthorized versions of certain applications. CSA offers default policy control modules, including a data theft prevention policy, an instant messenger control policy, a music download prevention policy, and a network lockdown policy, to enforce the preceding examples.

CSA capability: Compliance enforcement
Functional role description:
CSA can be used as an enforcement tool to implement controls for regulatory compliance, such as PCI, Sarbanes-Oxley, and other mandates.

CSA capability: User education
Functional role description:
CSA can play the educator role. On many occasions, a user may invoke a request that is permitted from the operating system's point of view but is restricted by the corporate security policy. For example, a corporate policy may restrict the use of external devices such as USB keys, and the user inserts a USB key into the system. Technically, the operating system will allow this; however, CSA can intercept and deny the action and display a pop-up window educating the user on why the action was denied. This way, the user learns the corporate policy and the acceptable use conditions for corporate equipment.

CSA capability: Traffic marking and prioritization
Functional role description:
The host system has many applications; some are mission critical and others are normal business applications. Some applications may be tolerated but are not business related. For example, an enterprise resource planning (ERP) system should be given higher priority than other applications in the event of congestion. This can be done by assigning a unique Differentiated Services Code Point (DSCP) value that identifies the mission-critical traffic. Similarly, other business-related applications such as e-mail and browsers are important but not critical; hence, a separate unique DSCP value can be associated with them so that the network can act on it accordingly.

CSA capability: Network integration
Functional role description:
CSA can actively integrate with other network devices and work in close collaboration with them. CSA inputs can be valuable in influencing actions in other solutions implemented within the network. Examples include Network Admission Control (NAC) enforcement, Network IPS, QoS services via routers and switches, log collectors, network correlation devices such as CS-MARS, and VPN devices.
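The application inventory row of Table 21-1 lists the facts an agent derives per application: installed versus actually run, whether it uses the network, whether it acts as a client or a server, which remote IP addresses it talks to, and listeners that never accept a connection. The following Python is an added example, not Cisco's CSA code, that derives exactly those facts from constructed socket observations; the installed and running sets, the socket tuples, and the "listens but never accepted" review heuristic are all assumptions made for the illustration.

```python
# Added example, not Cisco CSA code: derives the application-inventory facts
# listed in Table 21-1 (installed vs. run, uses the network, client or server,
# remote peers, unexplained listeners) from constructed socket observations.

# Constructed sample data: installed programs, running processes, and socket
# observations as (process, local_port, state, remote_ip).
INSTALLED = {"outlook.exe", "iexplore.exe", "httpd.exe", "svcmon.exe",
             "notepad.exe", "acrobat.exe"}
RUNNING = {"outlook.exe", "iexplore.exe", "httpd.exe", "svcmon.exe", "notepad.exe"}
SOCKETS = [
    ("outlook.exe", 50211, "ESTABLISHED", "192.0.2.10"),
    ("outlook.exe", 50212, "ESTABLISHED", "192.0.2.11"),
    ("iexplore.exe", 50300, "ESTABLISHED", "198.51.100.5"),
    ("httpd.exe", 80, "LISTEN", None),
    ("httpd.exe", 80, "ESTABLISHED", "203.0.113.7"),
    ("svcmon.exe", 6667, "LISTEN", None),
]


def _new_entry(running):
    return {"running": running, "listens": set(), "inbound": set(),
            "outbound": set(), "remote_ips": set()}


def build_inventory(installed, running, sockets):
    """Return {app: facts}; apps seen only on the wire are added as not installed."""
    inv = {app: _new_entry(app in running) for app in installed}
    for app, port, state, remote in sockets:
        inv.setdefault(app, _new_entry(app in running))
        if state == "LISTEN":
            inv[app]["listens"].add(port)
    # Second pass: an established socket on a listening port is an accepted
    # (inbound) connection; any other established socket is an outbound one.
    for app, port, state, remote in sockets:
        if state != "ESTABLISHED":
            continue
        side = "inbound" if port in inv[app]["listens"] else "outbound"
        inv[app][side].add(port)
        inv[app]["remote_ips"].add(remote)
    for app, e in inv.items():
        server, client = bool(e["listens"] or e["inbound"]), bool(e["outbound"])
        e["role"] = {(True, True): "both", (True, False): "server",
                     (False, True): "client"}.get((server, client), "none")
        e["uses_network"] = server or client
        e["installed"] = app in installed
        # A listener that has never accepted a connection matches the page's
        # "unknown or unauthorized application" pattern and is flagged for review.
        e["review"] = bool(e["listens"]) and not e["inbound"]
    return inv
```

Feeding the inventory into a rule that limits or prohibits flagged listeners is the step the table describes next; this block stops at producing the facts.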

