
Behavioral IDS Case Study - CylantSecure

From:  Diana Laverdure <dlaverdure@reevescommunications.com>
To:  letters@lwn.net
Subject:  Behavioral IDS Case Study - CylantSecure
Date:  Fri, 09 Aug 2002 16:37:16 -0700


CylantSecure has been nominated for Best Security Solution at the upcoming
Linux World Conference & Expo.

CASE STUDY

Challenge
The advent of high-speed Internet access, DSL and cable networks has
brought unprecedented freedom to individual users, providing them with the
speed necessary to run their own servers.  For example, individuals can now
host their own Web sites and run their own mail and Domain Name Servers.
But, with this increased freedom comes a drawback.  Now, thousands and
thousands of individual users running their own services are as susceptible
to hackers and DoS attacks as the largest ISP.

A telecommuting professional in Illinois recently found himself facing this
double-edged sword after deploying mail, Web and name service on his Linux
server. He works from the main server workstation and has four additional
computers running from it.

With these services up 24x7, his network was the subject of constant and
regular attacks.  So, he needed protection for his server, just like the
"big guys".

Solution
The user turned to CylantSecure to protect his server from vulnerabilities.
Created by Cylant (a division of Software Systems International),
CylantSecure is a host-based intrusion defense software system that takes a
proactive, rather than reactive, approach to security. Through behavioral
measurement, CylantSecure is able to detect malicious activity in real time
and control the operation of the software to report and immediately stop
any aberrant behavior.

The user purchased CylantSecure through the company's "Geek to Geek"
program, a special pricing program introduced in May 2002 which is targeted
to individuals with a single server.  The "Geek to Geek" program enables
the smaller user to purchase CylantSecure for just $299 per license, which
includes one server agent and the CylantSecure console.

Most attacks change the behavior of the software being exploited in a
measurable way.  CylantSecure uses sensors to monitor the behavior of the
software, along with a statistical analysis engine to identify any
abnormalities in the behavior.  Through continuous behavioral monitoring,
CylantSecure can send users early warning of attacks, so appropriate
measures can be taken.  Such measures might include shutting down the
program, shunning traffic from the attacking IP or performing system state
analysis.

And, since CylantSecure runs from the kernel, it is able to stop attacks
very rapidly.  In addition, it allows the administrator to manually ban
specific IP addresses, an important feature to this user.  He had
researched other IDS products, but didn't feel that they were as
"heavy-duty" as CylantSecure, especially since they did not provide
kernel-level protection.

He also liked the fact that, with CylantSecure, he could set the
sensitivity level of his "kill threshold" (the point where the system
considers behavior aberrant and stops it) to his individual preferences.
He has decided to set his preferences to a very sensitive level, but also
has the freedom to override a ban if he chooses.
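As an added illustration of the behavioral-measurement, kill-threshold and ban-override ideas in the paragraphs above (constructed toy code, not CylantSecure's implementation; the syscall-count features, training numbers and thresholds are assumptions), the block below builds a "normal" profile from per-window syscall counts, scores new windows against it, and shows why a very sensitive kill threshold also needs an override: a legitimate traffic spike trips it while a shell-spawning window trips any threshold.

```python
import math
from statistics import mean, pstdev

# Constructed training data (hypothetical numbers, not Cylant's): per-window
# counts of (read, write, open, execve, connect) while the service ran normally.
BASELINE = [
    (120, 80, 10, 0, 5),
    (110, 75, 12, 0, 6),
    (130, 90, 9, 0, 4),
    (125, 85, 11, 0, 5),
    (115, 78, 10, 0, 6),
]
SIGMA_FLOOR = 1.0  # counts; keeps never-varying features from dividing by zero

def build_profile(windows):
    """Per-feature (mean, stdev) of the training windows: the 'normal' profile."""
    return [(mean(col), pstdev(col)) for col in zip(*windows)]

def deviation(profile, window):
    """Distance of one window from the profile: root of summed squared z-scores.
    execve never occurred in training (sigma 0), so the floor scores each call fully."""
    total = sum(((x - mu) / max(sigma, SIGMA_FLOOR)) ** 2
                for (mu, sigma), x in zip(profile, window))
    return math.sqrt(total)

def decide(profile, window, kill_threshold, warn_threshold):
    """Map a window to 'kill', 'warn' or 'ok' against the operator's thresholds."""
    score = deviation(profile, window)
    if score >= kill_threshold:
        return "kill", score
    if score >= warn_threshold:
        return "warn", score
    return "ok", score

class BanList:
    """Source bans produced by 'kill' decisions, with an operator override."""
    def __init__(self):
        self.banned, self.overridden = set(), set()
    def ban(self, ip):
        self.banned.add(ip)
    def override(self, ip):
        self.overridden.add(ip)
    def is_blocked(self, ip):
        return ip in self.banned and ip not in self.overridden

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    # (135,95,12,0,7): busy but legitimate; (118,82,15,3,20): execve + many connects
    for window in ((135, 95, 12, 0, 7), (118, 82, 15, 3, 20)):
        print(window, decide(profile, window, 3.0, 2.0), decide(profile, window, 8.0, 4.0))
```

With the sensitive thresholds (kill 3, warn 2) the busy window is killed as well as the shell window; with the looser pair (kill 8, warn 4) the busy window only warns.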

Result
In the months since CylantSecure has been protecting his server, it has
thwarted more than 80 attacks, including attempted intrusions from Florida,
Colorado, California, Canada and frequently as far away as China and Korea.
It has also thwarted one denial of service attack (DoS) on his mail server.
Commonly, hackers have attempted to access his server through his URL port
(port 80), but CylantSecure has detected the aberrant behavior and
immediately shut down the offender's IP address before any infiltration
could be achieved or damage caused.

Now, this user can confidently keep his servers up and running 24 hours a
day, with no worries that they will be compromised.  His own words best sum
up the value that CylantSecure has provided.  "Thanks to CylantSecure, I
now have total peace of mind."

###

Behavioral IDS Case Study - CylantSecure

Posted Aug 12, 2002 14:34 UTC (Mon) by jpj (guest, #2921)

Great marketing copy. I especially liked the "URL port" reference.

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds