eEye Digital Security has announced a new end-point product that it says will help organisations stop attacks launched from the internet that use previously unknown, or "zero day", software vulnerabilities.
The company unveiled Blink, an intrusion prevention software (IPS) client with vulnerability scanning as well as network-based and host-based firewall features. The product uses intelligence about software exploits developed by eEye's vulnerability experts to spot an attack, even before security companies have formally identified the attack and issued a "signature" to guard against it, according to eEye chief executive officer Firas Raouf.
Blink works at the network layer, reconstructing calls for network services such as FTP and HTTP, and comparing that traffic to eEye's lexicon of different methods of exploits.
The approach gives Blink an advantage over competitors that work at what Raouf called the "process layer", analysing the interactions between applications and the operating system, because Blink allows companies to drop malicious traffic before it reaches critical applications such as web servers, he said.
The Blink client will work on servers, workstations and laptops running the Windows operating system, including Windows 2000, XP and Windows 2003 Server. The clients are controlled from a central management console in an organisation's data centre, Raouf said.
The product is designed for large enterprises and can be deployed, managed and updated from a central location, the company said.
For companies with mobile workers, Blink's integrated firewalls will also isolate outbreaks caused by malicious code obtained outside of a corporate network. For example, Blink can recognise activity associated with a virus or worm and shut down the infected application on a machine, protecting other network hosts. At the same time, Blink allows other, unaffected applications to keep running, preserving user productivity, he said.
Continental Airlines has been evaluating Blink on a mixture of desktop and server systems since January, according to Andre Gold, director of information security. The company is testing Blink's IPS and scanning features but does not intend to use the network or application firewalls, he said.
Although the airline has not used Blink in production, Gold said he was impressed with the amount of protection Blink provides with little or no configuration.
"It's a chore to manage [host intrusion prevention] across hundreds or thousands of machines. You have to go in and say, 'This box is a web server and this box is a SQL server,'" he said.
In contrast, Blink allowed Gold to simply "turn on" the IPS feature and get protection from virus and worm outbreaks on systems running the product. At the same time, Gold did not have to waste effort creating policies for every application on those systems.
"I don't really care whether Notepad is running or not," he said, referring to the Microsoft text editing program. "I just want to stop Slammer or Blaster."
With competing IPS products, Gold said he had to spend hours creating different policies and rules for each of Continental's many applications.
Gold gave Blink lower ratings on reporting and on the management interface, which he said were not as fully developed as some of its more mature competitors. He also said Continental would eventually need a product that could work with Unix and with Linux, which the company is increasingly using on its network - platforms Blink does not currently support.
"'Windows only' isn't a problem when you're trying to stop things that are occurring today, but tomorrow the attack vector could shift," he said.
Blink is available immediately and is sold on a subscription basis, starting with packages of 10 licences for $56 (£30) per device for an annual subscription. For servers, eEye has combined Blink with its Secure Internet Information Services (IIS) product and is selling annual subscriptions for $600 per server, Raouf said.
Paul Roberts writes for IDG News Service