eEye Digital Security has announced a new end-point security product that it says will help organisations stop attacks launched from the Internet that use previously unknown or "zero day" software vulnerabilities.
Blink is an intrusion prevention software (IPS) client with vulnerability scanning as well as network-based and host-based firewall features. It uses intelligence about software exploits, developed by eEye, to spot an attack, even before security companies have formally identified the attack and issued a "signature" to guard against it, according to Firas Raouf, eEye's chief operating officer.
Blink works at the network layer, reconstructing calls for network services such as FTP and HTTP and comparing that traffic to eEye's lexicon of different methods of exploits. The approach gives Blink an advantage over competitors that work at what Raouf calls the process layer by analysing interactions between applications and the operating system. This, he claimed, allow companies to drop malicious traffic before it even reaches critical applications such as Web servers.
The Blink client will work on Windows servers, workstations and laptops. The clients are controlled from a central management console in an organisation's data center. It is designed for large enterprises and can be deployed, managed and updated from a central location.
For companies with mobile workers, Blink's integrated firewalls will also isolate outbreaks caused by malicious code obtained outside of a corporate network. For example, Blink can recognize activity associated with a virus or worm and shut down the infected application on a machine, protecting other network hosts. At the same time, Blink allows other, unaffected applications to keep running, he said.
Continental Airlines has been evaluating Blink on a mixture of desktop and server systems since January, according to Andre Gold, director of information security. The company is testing Blink's IPS and scanning features but doesn't intend to use the network or application firewalls, he said.
Though the airline has not used Blink in production, Gold said he was impressed with the amount of protection Blink provides with little or no configuration. "It's a chore to manage [host intrusion prevention] across hundreds or thousands of machines. You have to go in and say, 'This box is a Web server and this box is a SQL server'," he said.
In contrast, Blink allowed Gold to simply "turn on" the IPS feature and get protection from virus and worm outbreaks on systems running the product. At the same time, Gold didn't have to waste effort creating policies for every application on those systems. "I don't really care whether Notepad is running or not," he said, referring to the Microsoft text editing program. "I just want to stop Slammer or Blaster."
With competing IPS products, Gold said he had to spend hours creating different policies and rules for each of Continental's many applications. Gold gave Blink lower ratings on reporting and on the management interface, which he said were not as fully developed as some of its more mature competitors. He also said Continental would eventually need a product that can work with Unix and with Linux, which the company is increasingly using on its network - platforms Blink does not currently support.
"Windows only isn't a problem when you're trying to stop things that are occurring today, but tomorrow the attack vector could shift," he said.
Blink is available immediately and is sold on a subscription basis, starting with packages of 10 licences for $56 per device for an annual subscription. For servers, eEye has combined Blink with its Secure Internet Information Services (IIS) product and is selling annual subscriptions for $600 per server.