It's Time for Host-Based Security Platforms
03 March 2004
John Pescatore, Mark Nicolett

Document Type:  Research Note
Note Number:  T-22-1793

Business-critical platforms require host-based security to protect the expanding enterprise perimeter. Mobile computing and Web services will drive this need across the enterprise.

What You Need to Know

Host-based security carries high costs, but brings strong security to complex environments. Develop architectures that will incorporate host-based security platforms no later than 2006.

Analysis

Strategic Planning Assumptions
By 2006, 50 percent of enterprise servers and 30 percent of corporate PCs will incorporate host-based security agents (0.7 probability).
By the second half of 2005, host-based security platforms with improved discovery, integration and standards components will be available; by year-end 2006, these products will be stable and mature enough for widespread enterprise use (0.7 probability).

The enterprise perimeter has changed greatly during the past several years. It now passes through mobile devices, because laptops and PDAs often are used outside the corporate firewall. Wireless LANs allow external connections that bypass firewalls. The increasing use of Secure Sockets Layer, particularly as part of Web services, and other forms of encryption (session and data) can blind perimeter firewalls and intrusion prevention systems. Threats have changed, with rapidly propagating worms causing tremendous costs to enterprises when these worms spread across the infrastructure.

These trends are increasing the need for host-based security protection, which is expensive, complex and often resisted by the IS organization. Despite these obstacles, by 2006, 50 percent of enterprise servers and 30 percent of corporate PCs will incorporate host-based security agents (0.7 probability).

Definition of a Host-Based Security Platform

"Enterprise IT Security Management Defined" examines three major functional areas of IT security management: monitoring/discovery, reporting and control/automation. Although host-based security agents may perform some of these functions, Gartner defines a host-based security platform as security software that runs on PCs or servers to perform all three functions.

Monitoring/Discovery

The monitoring/discovery function scans the server or PC for new software or configuration settings, externalizes the real-time status of security and relevant events, and generates alerts in response to error conditions and the violation of security policies. Host-based intrusion detection and configuration management products implement different aspects of the monitoring functions. Configuration changes that result in exposure to known attacks will trigger an alert from a configuration management function. Incoming traffic that looked like an attack will cause a real-time intrusion detection alarm.

Reporting

The reporting function accumulates security information over time, and provides historical, consolidated and trended views and specialized reports. Configuration changes that result in noncompliance with the standard corporate image, but don't create high-risk exposures to attacks, will result in a report rather than a real-time alert. Reporting is generally a "pull" function, with a management function periodically requesting detailed or summarized event information. Security management and log consolidation products that use host-based agents can perform filtering and data reduction at the source, thus reducing the load on the network.

Examples of products that include monitoring/discovery and reporting functions are agent-based configuration management, patch management and security configuration/policy compliance tools. Many of these products also can implement policy-based control/automation functions.

Control/Automation

A host-based security platform can implement a number of control actions that are managed by a security administrator or that are generated automatically in response to the monitoring and reporting functions. Host-based intrusion prevention, antivirus, personal firewall and patch management software implement different aspects of control and automation.

The control/automation aspect of host-based security platforms often crosses the responsibility between enterprise security groups and IT operations groups. Security groups usually do not have the authority to change the software on production systems. IT operations does, but its primary motivation is to maintain systems. System administrators often disable or remove security software that is suspected of interfering with the proper operation of the server.

Examples of products that include control functionality are Cisco Systems' Cisco Security Agent, Network Associates' NAI Entercept, Sana Security, Platform Logic and Microsoft's recently announced Active Protection Technology.

Host-Based Security's Advantages and Disadvantages

The monitoring/discovery, reporting and control/automation functions can be implemented in network-based security platforms (see "Network Security Platforms Will Transform Security Markets") or host-based security platforms. Network-based security platforms are placed in-line and inspect network traffic to perform monitoring, reporting and control functions. Host-based security platforms consist of security software that runs on individual hosts and only inspects the traffic to and from its host server or PC.

Host-based security has many advantages over network-based approaches, but also has many disadvantages.

Advantages

• Detailed data can be collected and "changes only" reports sent after the initial system scan, thus reducing the amount of network bandwidth required.
• Data can be filtered at the source, solving the problem of encrypted connections.
• More-intense real-time monitoring is possible because it is performed by the local agent.
• The processing load is distributed across all instrumented systems.
• Abnormal system or application behavior can be sensed and blocked before it affects the network or other systems.

Disadvantages

• Agents must be installed on all devices, but the most-dangerous systems (from a security perspective) are those that are not managed by the IT security organization and do not have a security agent installed. (Network-based security solutions don't depend on the installation of an agent.)
• Costs (acquisition and operational) scale with the number of devices.
• The IT security organization must depend on other support organizations to install, maintain and operate agents.
• A poorly designed agent may consume too many host resources or destabilize the system.

Improving Host-Based Security Platforms

Although the "pain" of host-based security approaches previously outweighed the "gain," changing threats have raised the cost of IT security incidents. Technologies such as wireless, mobile computing and encryption have increased the likelihood that threats will penetrate perimeter protections. With these factors increasing the gain of host-based security approaches, Gartner believes that with some reduction in the pain, host-based security platforms will be ready for widespread enterprise use.

Areas that should be improved include:

• Discovery — Host-based security management consoles must include network discovery capabilities that detect servers and PCs that do not have the security software installed. Host-based security platforms will not replace the need for network-oriented autodiscovery and scan functions that collect as much information about the discovered resources as possible.
• Integration — To reduce the cost of installation and the likelihood that a server or PC will not include the security software, host-based security platforms must be integrated into the standard shipping versions of servers, PCs and appliance platforms.
• Standards — XML-based industry standards that enable security events and system configuration, and that log data to be correlated and classified across multiple vendors, must be defined and supported.

By the second half of 2005, host-based security platforms with improved discovery, integration and standards components will be available; by year-end 2006, these products will be stable and mature enough for widespread enterprise use (0.7 probability).

Key Issue
What are the most-effective technologies and best practices to protect networks, systems, applications and data?

© 2004 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.