Endpoint systems (desktops, laptops, and servers) can no longer be considered secure by default: threats from viruses, worms, adware, and spyware continue to rise, as do vulnerabilities in operating systems and application code, and a working exploit can compromise an endpoint within minutes of its release.
These rapidly evolving threats cannot be mitigated by traditional signature-based tools such as host antivirus software alone, because a signature can only describe malware that has already been seen and analyzed. Endpoints need the intelligence to detect and prevent both known and unknown threats in real time, without depending on signature updates.
Host intrusion prevention has therefore shifted toward a more proactive approach that uses policy-based and behavior-based mechanisms to stop malicious activity, including unknown (zero-day) attacks, by controlling what applications are permitted to do rather than by recognizing what they look like. The trade-off a practitioner should keep in mind is that such policies must be tuned to the applications actually running on each host, or legitimate behavior will be blocked along with the malicious.
The Cisco Host Intrusion Prevention solution, built on the Cisco Security Agent (CSA) endpoint software, deploys centrally managed agents that protect endpoint systems (desktops, laptops, and servers) against the proliferation of known and unknown threats and against targeted attacks across the network.
The chapter began with a basic overview of host intrusion prevention systems, followed by a comprehensive overview of the Cisco host-based IPS solution that uses the Cisco Security Agent (CSA).
The chapter provided in-depth details of the CSA architecture and described how the CSA interceptors and correlation techniques work together to feed the access control process.
The chapter provided a detailed list of CSA capabilities and the security functional roles that CSA can fulfill.
The chapter described the CSA components, CSA hosts and groups, CSA policies, rule modules, and rules, and how they relate to one another.
The chapter also provided implementation guidelines, with illustrations and supporting references, for configuring and managing a CSA deployment using the CSA Management Center (CSA MC).