OKENA Pioneers Next-Generation Intrusion Prevention
Featured Author - Laura Taylor - January 6, 2002
Intrusion prevention has evolved as a smarter alternative to intrusion detection. Pioneer OKENA has
mapped application behaviors into rules, and uses those behavior rules to stop
intrusions up front. This second-generation approach offers substantial bottom-line
savings and frees IT resources for other tasks.
Detecting an intrusion is useful. Preventing an intrusion is far more useful. OKENA's StormWatch
intrusion prevention technology offers breakthrough capabilities that traditional intrusion
detection companies have not delivered.
This is not surprising news for anyone who knows OKENA's founder Shaun McConnon. Mr. McConnon founded
Raptor Systems in 1994, and at Raptor introduced the first firewall built for NT. In an
already competitive market, and defying security critics who downplayed the marketability
of an NT firewall, Mr. McConnon led Raptor to become one of the most respected names in
firewall engineering, and later sold it to AXENT. (Just last year AXENT was sold to
Symantec, which has since introduced a souped-up, Raptor-based firewall appliance.) Bringing
visionary security technology to market seems to be one of the things that Mr. McConnon does best.
The word "OKENA" means "to fulfill" in Hawaiian, and OKENA's
pro-active approach to network and system intrusions holds promise to fulfill a segment in
the security market not yet developed by other vendors.
OKENA, Inc.: 71 Second Avenue, Waltham, MA 02451
Offices: Boston, Chicago, New York, San Francisco, Washington D.C.
Information and Strategy
Like a firewall, StormWatch works through the configuration of a rule-set. Unlike traditional
intrusion detection systems, StormWatch works at the application level, not the network
level. Each application that StormWatch locks down has a rule, or set of rules, associated
with it. StormWatch comes bundled with a default set of rules; more rules can
be added at any time at no additional cost.
The rules are, in essence, behavior rules that encode how the application they
safeguard normally behaves. If an application typically writes new data only to a particular file, the
corresponding StormWatch rule makes sure that data is not written to other files,
including files owned by other users or other applications. Attackers often rely on exactly that:
manipulating a process into writing data to a file it has no business touching, such as a
web server dropping a binary into a system directory.
StormWatch works by installing intelligent agents on the systems whose applications are to be protected.
A correlation engine inside each installed agent decides whether
the instruction an application receives is within its standard behavioral guidelines.
This is one element of the product's INCORE (Intercept, Correlate,
Rules Engine) architecture, and is fundamental to the pro-active technique that StormWatch
uses to keep applications from being led astray.
If the proposed action is suspiciously unusual, for example an instruction to write
to non-standard files, the rules that govern the application's behavior prevent the
unacceptable action from executing. In response to an unacceptable behavior pattern, the
StormWatch agent opens a dialogue with a central management console, which carries out
further analysis of the offending file. The management console records the unacceptable
activity, and if it finds similar reports from other agents, it notifies
the other intelligent agents on the network of the impending threat.
The agents are also able to prevent unauthorized modifications of the registry by
intercepting system calls. The management console communicates with the agents over an
encrypted SSL link, which keeps the rules on the agent systems up to
date. When a new rule is written, distributing it to the other agent systems is for the most
part automated. A test mode lets administrators observe a new rule in
action before installing it on production systems; this is where a rule written too tightly,
one that would block the application's own legitimate behavior, should be caught.
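The intercept, correlate, rules-engine flow just described, as an added illustration written for this article rather than OKENA's own code: a per-application allow-list policy, an agent that checks each proposed file, registry and network action against it before it executes, and a console that correlates denials reported by several agents and pushes an advisory to all of them. The application name webserver.exe, the paths, ports, hosts and the event stream are all constructed for the example, and the glob-style matching, the two-host threshold and the advisory mechanism are assumptions, not StormWatch's actual rule format or protocol.

```python
# Added illustration, not OKENA code: a host-based behavior-rule engine in the
# intercept -> correlate -> rules-engine shape described above. Application
# names, paths, ports, hosts and the event stream are all constructed here.
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    """One proposed action, seen by the agent before it is allowed to execute."""
    host: str    # agent that intercepted it
    app: str     # process image name
    action: str  # "file_write", "registry_write" or "net_connect"
    target: str  # file path, registry key, or "address:port"


@dataclass
class AppPolicy:
    """What the application is supposed to do. Anything not listed is denied,
    so no attack signature is needed: the engine never inspects the payload."""
    file_write: tuple = ()
    registry_write: tuple = ()
    net_connect: tuple = ()

    def allows(self, event: Event) -> bool:
        patterns = getattr(self, event.action, ())
        return any(fnmatchcase(event.target.lower(), p.lower()) for p in patterns)


class Console:
    """Central management console. It records every denial reported by the
    agents and, once the same unacceptable behavior has been seen on enough
    hosts, pushes an advisory about it to all agents."""

    def __init__(self, hosts_threshold: int = 2):
        self.threshold = hosts_threshold
        self.reports = defaultdict(set)  # (app, action, target) -> reporting hosts
        self.advisories = []             # behaviors pushed to every agent
        self.agents = []

    def register(self, agent: "Agent") -> None:
        self.agents.append(agent)

    def report(self, event: Event) -> None:
        key = (event.app, event.action, event.target)
        self.reports[key].add(event.host)
        if len(self.reports[key]) >= self.threshold and key not in self.advisories:
            self.advisories.append(key)
            for agent in self.agents:    # update the other agents of the threat
                agent.known_threats.add(key)


class Agent:
    """Host agent: intercepts a proposed action and asks the rules engine."""

    def __init__(self, host: str, policies: dict, console: Console):
        self.host, self.policies, self.console = host, policies, console
        self.known_threats = set()
        console.register(self)

    def intercept(self, app: str, action: str, target: str) -> str:
        event = Event(self.host, app, action, target)
        policy = self.policies.get(app)
        if policy is None or policy.allows(event):
            return "allow"               # not locked down, or within its behavior
        key = (app, action, target)
        seen_elsewhere = key in self.known_threats   # advisory already pushed?
        self.console.report(event)       # unacceptable: tell the console, then block
        return "deny(known-threat)" if seen_elsewhere else "deny"


# Constructed policy for a hypothetical web server image: it logs, accepts
# uploads, keeps its own registry key and talks only to its database server.
WEB_POLICY = AppPolicy(
    file_write=("C:\\inetpub\\logs\\*.log", "C:\\inetpub\\wwwroot\\uploads\\*"),
    registry_write=("HKLM\\SOFTWARE\\ExampleWeb\\*",),
    net_connect=("10.0.0.5:1433",),
)
POLICIES = {"webserver.exe": WEB_POLICY}


def run_demo():
    """Replay a constructed event stream on two hosts; return decisions and advisories."""
    console = Console(hosts_threshold=2)
    web1 = Agent("web1", POLICIES, console)
    web2 = Agent("web2", POLICIES, console)
    cmd = "C:\\Windows\\System32\\cmd.exe"
    run_key = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"
    stream = [  # the same overflow payload hits both hosts; only its behavior is seen
        (web1, "webserver.exe", "file_write", "C:\\inetpub\\logs\\access.log"),
        (web1, "webserver.exe", "file_write", cmd),          # drop a binary
        (web1, "webserver.exe", "registry_write", run_key),  # persistence
        (web2, "webserver.exe", "file_write", cmd),          # second host: correlated
        (web2, "webserver.exe", "net_connect", "203.0.113.9:4444"),  # call home
        (web1, "webserver.exe", "file_write", cmd),          # now a known threat
        (web1, "notepad.exe", "file_write", cmd),            # no policy: not protected
    ]
    decisions = [agent.intercept(app, action, target)
                 for agent, app, action, target in stream]
    return decisions, list(console.advisories)


if __name__ == "__main__":
    decisions, advisories = run_demo()
    for decision in decisions:
        print(decision)
    print("advisories pushed to all agents:", advisories)
```

Run it directly to see the decisions. Note what the agent never looks at: the exploit payload. Both hosts receive the same overflow, and the write to System32 is blocked purely because a web server has no business writing there, which is why the same rule also blocks a payload no signature has been written for. The flip side is the rule-authoring cost: if the server legitimately writes somewhere the policy omits, that write is denied too, which is exactly what the test mode is for.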
The rules that ship with StormWatch prevent the unwanted actions that trojans, worms, viruses,
buffer overflows, SYN floods, and port scans try to cause on your system (for the last two, a host
agent can only control how the protected host itself responds; it does not stop the traffic from
reaching it). Writing a rule for a new or custom application requires knowing the application's
files, executables, directories accessed, and ports accessed, which does require some knowledge and
expertise. However, this process is not much different from the learning curve required in writing
Government agencies of all sizes
Central Management Console; Server & Desktop agents
A key advantage of StormWatch over traditional intrusion detection systems is that it
does not rely on attack-signature analysis. Traditional intrusion detection systems compare
network traffic patterns against attack signatures, so the effectiveness of this methodology
depends on the vendor staying ahead of current system and network exploits and
writing signatures for the product's pattern-matching engine. If the
vendor misses a new exploit, if a signature is not engineered properly, or if
customers do not download updates and keep their intrusion detection system current, a
signature-based intrusion detection system falls short of its potential and leaves
the customer network exposed.
One of the problems with traditional intrusion detection systems is that they typically require
time-consuming hands-on management and administration. Traditional intrusion detection
systems compare suspicious activity with attack signatures. The problem with this approach
is two-fold: numerous false positives and false negatives are generated, and new attacks
are unending, which means that the intrusion detection system must be constantly
updated with new signatures. The usefulness of these systems depends on the vendor's
ability to keep up with new attacks by populating the signature database with new attack
signatures.
Sandia National Labs research showed that false positives can only be reduced at the
expense of more false negatives. Balancing false positives and false negatives is an added
chore that traditional intrusion detection systems hand to the IT staff that manages them.
Preventing intrusions up front removes most of that balancing act, which frees a significant
amount of administrative time and reduces the cost of ownership of the technology itself.
Correlating false intrusion attempts is an expensive use of company resources; it is enough
work just to analyze real intrusion breaches and attempts. With StormWatch, the trade-off does
not vanish entirely, it moves into rule authoring: a rule written too tightly blocks legitimate
application behavior, a rule written too loosely lets an attack through, and the test mode exists
precisely to catch the former before production. What StormWatch takes off an organization's
security agenda is the per-alert triage of attacks that never happened, because it prevents the
intrusion rather than reporting a suspicion about it.
According to Michael Rasmussen, a security analyst with Giga Information Group, "Intrusion
detection systems (IDS) have received a lot of undeserved hype during the past few
years. IDS systems, particularly network-based, are prone to false positives, missing
attacks and deception." Getting attacked creates work. Every time your staff spends
valuable corporate resources analyzing an attack, you are spending money. Every time your
staff spends those resources analyzing an attack that didn't happen, you are
wasting money outright. With StormWatch, analyzing attacks that never happened is not part
of the strategy.
The engineering approach of StormWatch is based on understanding the correct way the
application is supposed to behave, not the many ways it is not supposed to
behave. In the last few years, system, network, and application security threats have
grown so much that online businesses are having significant problems keeping
pace with attacks, viruses, and online fraud. The sheer number of attack signatures that
must be written to cover all the possible exposures is growing at unprecedented
rates. In a recent survey of 538 security professionals conducted by the Computer Security
Institute, 85% reported computer security breaches in the last twelve months. The
Commercial Crime Bureau in Hong Kong has reported that computer crime losses increased by
nearly 500% in the first half of this year compared with the previous six months. Keeping
attack-signature databases current with the latest exploits has turned into a race
against the clock. While signature-based intrusion detection offers some
protection, it is a methodology that will become significantly harder to scale
in the years ahead.
According to a joint publication by the Information Technology Association of America (ITAA) and
CERT in June of 2000, "IDS products based on current signature-based analysis
produce useful results in specific situations, but since they cannot detect novel attack
patterns, they do not provide a complete intrusion detection solution." The same
report goes on to say that traditional intrusion detection systems require
"labor-intensive signature tuning." StormWatch blocks intrusions pro-actively,
and does not use attack signature files at all.
Although OKENA's technology is based on intrusion prevention, industry analysts will lump
StormWatch into the intrusion detection market, a growing and established market.
Contenders like Entercept, Internet Security Systems, and Network Flight Recorder all
offer intrusion detection products with advanced capabilities and proven track
records. As these vendors vie for the same market share, OKENA
will face numerous contenders coming out of the starting gate. New innovative competitors
will continue to crop up; one potential threat is a European company called SecureWave,
which also claims to offer second-generation intrusion prevention.
Market acceptance is necessary for any new breakthrough technology to remain competitive.
OKENA's success will depend in part on its ability to win potential customers over to a
new way of looking at and managing security and network intrusions. To take
advantage of the technology that OKENA offers, companies must be willing to commit the
up-front resources that pro-active security requires.
Running only on Microsoft operating systems, OKENA's management console may not appeal to UNIX
shops; however, OKENA has committed to a Solaris version that will debut
sometime next year.
Recommendations and Predictions
It will be important for OKENA to educate the market on the difference between its next-generation
intrusion prevention product and traditional intrusion detection products. Like any new
company, OKENA will need to gain customer confidence that it can adequately support
large deployments with complex applications.
With a seasoned management team and engineering leaders who are experienced in security,
Relevant Technologies expects OKENA to nudge its way into the established intrusion
detection market and hold its own among some of the larger, more established vendors. As
OKENA gains momentum, Relevant expects traditional intrusion detection vendors that wish to
remain competitive to adopt more pro-active approaches to system and network intrusions,
similar in approach to OKENA's.
The IT security market is close to $6 billion (USD). Relevant expects this market to grow
by $2 billion a year for the foreseeable future. Even in today's weakened economy,
new security companies like OKENA will be able to find a big enough piece of the pie to
remain competitive, as long as they control their growth and don't jeopardize their
bottom line with excessive spending. Since Shaun McConnon has already proven that he can
lead an innovative new security technology company to profitability, Relevant
predicts that OKENA will be around for the long haul, and should be considered a viable
contender in any intrusion technology IT decision.
As a security product pure-play (a company focused on doing one thing well), OKENA is a likely
acquisition target in 3-5 years for a larger security company that is trying to
expand its product line. Creating partnerships with resellers and consulting firms will
help OKENA build the competitive stance it will need to command future
marketability with potential prospects.
Companies and agencies that are just starting to perform due diligence on intrusion detection
products will want to include StormWatch on their short list. In particular, large
organizations that are currently overwhelmed with security management, and want a
less labor-intensive approach to intrusions, stand to gain the most from StormWatch.
Institutions that need to safeguard customer transactions, and cannot afford to lock the
barn door after the horse is stolen, are ideal candidates for this second-generation
intrusion prevention technology. StormWatch is not intended to take the place of a
firewall. It works well in conjunction with firewalls, and provides the application-level
protection that firewalls are not able to give.
The administrators and security engineers who currently maintain firewalls are probably best
suited to configure and manage the StormWatch rules and agents. Managing
StormWatch requires some training; however, understanding what it takes to secure
your systems, networks, and applications is what being pro-active about security means.
Laura Taylor is Chief Technology Officer of Relevant Technologies, a security research advisory
firm that assists IT decision makers in making best-choice technology selections. Ms.
Taylor was formerly Director of Security Research at TEC, and prior to that was Director
of Information Security at Navisite. Ms. Taylor has also served as CIO of Schafer
Corporation, a weapons and reconnaissance national security contractor. Relevant
Technologies can be reached at http://www.relevanttechnologies.com.
INCORE and StormWatch are trademarks of OKENA, Inc. Other trademarks used in this document
are the properties of their respective owners.