eEye Blink Server Edition Overview:

Server Antivirus is Not Enough: Eight Layers of Protection for Solid Security

While signature-based anti-virus security solutions continue to be the primary for servers to meet regulatory compliance and business continuity requirements, a major shift is developing toward integrated threat management to enhance server security. Server administrators are constantly struggling to prevent attacks against server-based applications, mis-configurations, and zero-day threats. Successful exploits can leverage anything from network services to web applications and signature based anti-virus solutions are not enough on their own to repel these threats. Each time a new vulnerability, remote exploit, or other application threat is identified, organizations need to assess the risk to the critical server infrastructure and take appropriate mitigation steps. Ignoring the new threat or relying on outdated defenses only increases the risk of a successful breach.

Further complicating the server security equation is the breakdown of client-server network architectures. Mainstream adoption of virtualization, mobile, cloud, SaaS and remote access technologies force the traditional network perimeter to provide filtered access to critical servers. Application exploits for web servers, databases, and other vulnerabilities represent an easy opportunity for malware and data loss to propagate through trusted connections. In response, perimeter and network security capabilities are increasingly important on servers and endpoints to secure the connection.

Integrated Threat Management: Complete Server Protection

To enhance server security and combat threats in real-time, organizations are migrating from a standalone server anti-virus software and adopting integrated threat solutions in its place. Blink Server Edition 4, from eEye Digital Security, combines multiple-layers of server security capabilities and leverages an intrusion prevention engine that dynamically protects against new threats, in real time, even when vendor patches are not available. Since Blink Professional 4 was launched in 2006, it has successfully thwarted 100% of remote intrusion attempts on endpoints. Blink Server Edition 4 builds on that technology and provides a complete server protection platform with full-featured integrated threat management capabilities. Blink Server Edition 4 delivers a host of positive business benefits:

• Layered security protection that optimizes defenses against viruses, spyware, worms, trojans, mis-configurations, and other malicious zero-day exploits
   
• Information Security Magazine, November 2007
   
• The ability to consolidate 7+ discrete server security agents into a single Blink Server 4 agent and reap significant administrative time savings in the process
   
• Reduce system resource requirements compared to the memory footprint of maintaining 7+ discrete security products for everything from anti-virus to vulnerability assessment
   
• Combine Blink 4 with REM, eEye’s Security Management Console, to obtain centralized attack, risk, vulnerability and overall security management
   
• Reduce server security costs more than 70% by eliminating the licensing and support costs associated with buying and maintaining multiple security solutions

Features and Benefits:

System, Application, and SecureIIS Web Application Firewall - Blink performs traditional firewall duties, allows or denies traffic based on a set of predetermined rules and it monitors the source of network traffic in real time allowing traffic only from authorized applications. Blink's Web Application Firewall featuring SecureIIS works as an ISAPI filter protecting against the latest threats from cross site scripting to SQL injection and meets the strict regulatory compliance of PCI DSS v1.2 Section 6.

Virus and Spyware Protection for Servers - Blink Server provides complete signature and heuristics-based attack protection. Using patented sandbox technology, Blink Server Edition can stop new attacks as they are released without the need for updates on the server. Signatures provide an additional layer of protection for known malware. Blink Server virus and spyware protection protects the asset by using policies that have been tuned for the dedicated roles of the device.

Intrusion Prevention and Zero-Day Protection - Blink Server provides protection where a vendor has not yet created signatures or patches to protect against vulnerabilities in their operating system or application. Blink Server blocks zero-day attacks that bypass traditional signature-based solutions, protecting critical servers and their data.

System Protection - Blink Server provides control over which applications are allowed to function by authorizing or denying program file execution. Registry Protection prevents specific registry settings from being modified, stopping malicious programs or errand users from infecting or modifying systems. Storage Protection prevents data leakage by regulating USB and Firewire storage devices.

REM Security Management Console - Combined with REM, the integrated solution provides event and state analysis capabilities along with security and compliance reporting. The REM Security Management Console integrates attack-related information with local and network vulnerability assessment data, providing a complete security picture of server and endpoint security.

Blink: Protection from the Threats of Today and Tomorrow

A war is being waged against the desktop. Attacks against desktops within home and business networks occur every day, all in an attempt to gain unrestricted access to these systems. Attackers are smarter and more potent than they were in the past, many times being driven by stated intentions or monetary gain. Regardless of an attacker's intention, the exploit process, whether for intrusions or scams, follows a common script. Fortunately, we at eEye Digital Security know that script by heart.

eEye Digital Security has been at the forefront of learning how attackers exploit systems for over 10 years. While trends in attack scenarios has been moving rapidly over the past few years, eEye has been able to leverage its intimate knowledge of vulnerabilities and exploits to develop Blink, the most advanced host-based protection suite on the market. The result is best-in-class protection for every desktop, as well as ease of mind for IT security professionals.

Mass Exploitation vs. Targeted Attacks

Mass exploitation incidents (such as the notorious Italian Job MPack release) are widespread, effective and troubling. Such incidents can result in a large botnet being formed within only a few hours, becoming a very powerful attack tool used by the perpetrators for later malicious activities. Furthermore, the speed at which these incidents occurs is so rapid that, by the time it is reported publicly, the mass infection has already achieved the malicious goal of the attacker.

Perhaps more important is the type of attack that doesn't gain public notoriety for a number of reasons: targeted attacks. In these scenarios, an attacker has a specific goal within an organization or individual. Depending on the value of the target, many times an attacker will employ zero-day exploits as well as custom malware that bypass AV signatures. Both scenarios are very serious for any organization, but the one that ends up with the most serious impact will tend to be the targeted attack, as this is when intellectual property and data are at the most risk.

While most businesses are able to react to mass exploitation scenarios, nearly none are able to quickly react to a targeted attack. Worse, many attacks achieve their goal and disappear before anyone in the target network has even noticed the malicious activity.

The Move to Client-Side Attacks

Hackers are moving from network-based attacks to client attacks. Recent trends show that client-side applications pose the greatest risks today. Unfortunately, the large NIDS/NIPS market that so many organizations rely on is rendered useless against most client-side exploitation attempts, which operate below their radar. Whereas most network-based protocols are simple and commonly documented in RFCs or knowledge bases, client-side file-formats are rarely documented and are incredibly convoluted.

The other main threat facing the desktop is browser-based vulnerabilities. Browser-based vulnerabilities are very simple to exploit since user-interaction is typically easy to influence. Under some circumstances, even a visit to trusted site could be dangerous. Even though this traffic is being sent across the well-documented HTTP-protocol, it can be obfuscated by the attacker to render any in-line network-based IPS system useless against the traffic since the NIPS does not have the functionality capabilities of the end-user's web browser (i.e. JavaScript / VBScript).

Unfortunately, file-format and browser-based vulnerabilities represent a majority of the exploits being launched in successful real-world attack scenarios today.

Generic Memory-Based Protection is Essential

When unknown zero-day exploits are unleashed against a system, the only defense that users have is generic protection from their host-based security solution. eEye has developed Blink's System Protection functionality. A portion of this functionality is the monitoring for potentially malicious activity within a process and protecting the system from exploit code by terminating and restarting the process prior to exploitation. There is literally no other way to protect system from the unknown. While Blink is not the only host-based tool to protect in this manner, "Blink can provide a superb breadth of power in a single well-designed and solid package." - VB100. IN simple terms, Blink has successfully blocked every identified memory-based user-land exploit since its inception; a track record that should resonate with those who have been impacted by unknown exploits.

This gives IT administrators the advantage to roll out mitigation or patches on their own time with peace-of-mind knowing that their systems will be protected.

Generic Anti-Virus Protection Must Be Implemented

Many AV vendors rely specifically on collecting malicious binaries in the wild and writing signatures for those samples. Unfortunately, this does not proactively prevent unknown malware from infecting users before the AV company has been able to attain a sample. Because of this specific reason, Blink has multiple layers of generic detection methods above the malware signature engine. These mechanisms include several heuristic modules, as well as a distinguishing utility known as a sandbox. Within this sandbox, a binary is run in a full Windows emulated environment to detect the full behavior of the binary prior to it executing on the host operating system. This allows for a very unique perspective on the functionality of a binary without previous knowledge of the sample, allowing for a very powerful extra-layer of defense for malware.

Blink Version Comparison:

Feature	Blink Personal	Blink Professional	Blink Server	Blink Server Web Edition
Host Based Virus, Spyware, and Phishing Protection
System and Application Firewalls and Host Based Intrusion Prevention
Embedded Retina Vulnerability Assessment Engine
Centralized Management via the REM Security Management Console
Optimized for Server and High Volume Communications
Predefined Server Profiles and Policies
File System and Directory Monitoring
Microsoft IIS Web Application Firewall featuring SecureIIS

Enterprise Vulnerability Management:

Designed for a range of small business, medium business (SMB), to large enterprises, Retina Network Security Scanner is available as both a network security software solution plus a vulnerability management appliance solution.

• Centralized Vulnerability Managementt - Integrated vulnerability assessment, policy enforcement, policy auditing; improving enterprise network security.
• Centralized Incident Management - Prioritized vulnerability management plus client security threats and attacks; reducing security risk plus network security response.
• Enterprise Security Reporting - With integrated vulnerability, attack and policy information provided by Retina and Blink, REM provides organizations with metrics and graphical representations of their enterprise security posture.
• Executive Dashboard - Customizable reports and charts; integrated asset management, client security, risk assessment, plus vulnerability assessment.

Specifications:

System Requirements
 

Documentation:

Download the eEye Blink Server Edition Software Datasheet (PDF).