OpenService ThreatCenter real-time event correlation enables you to block attacks - even zero-day threats
Before intrusion detection systems can prevent an attack, vendors must identify the attack signature and load it on all of their platforms. But ThreatCenter can act on day zero. Long before IDS vendors establish an attack signature, many other devices in your network are likely to subtly change their behavior - changes detectable by ThreatCenter, the real-time threat management component of OpenService InfoCenter.

Perhaps a router will report an anomalous volume of traffic on unknown or unusual ports. Neither may sound an alarm among traditional rule-based security devices, but the powerful algorithms of ThreatCenter can correlate these obscure messages into a threat warning. Instantly you will know the suspected nature of the attack and which systems are affected - information you need to block firewall ports and isolate infection.

"Meaningful threat management empowers fast action. That requires proactive risk analysis, broad-based data collection, and proven analytics. Frustrated by the limits of emerging security technology as IT managers, we founded OpenService to create a truly vigilant threat management system."
Mike Schmitt, OpenService President

Even highly secure networks benefit from ThreatCenter auditing and feedback
ThreatCenter complements today's threat prevention systems by supplying auditing and compliance reporting features they lack. ThreatCenter analytics can also guide and tune IDS/IDP systems to make them more responsive and ensure they are getting the job done. When your network is secure, proving it to auditors should be uncomplicated. ThreatCenter includes simple drop-down menu options to create reports of real-time and recent historical data. There is no need to write complex SQL queries or struggle to merge multiple device logs. When you combine ThreatCenter with LogCenter, the same reports can be run against longer-term data for compliance reporting and forensic analysis.
ThreatCenter shines in uncorrelated and correlated attacks
Attacks can strike in a single packet or as complex, multi-headed sieges that unfold over several days. In the instance at right, a worm (SQL Slammer) was sent against a vulnerable device. A single packet was identified by an IDS sensor (Snort); ThreatCenter correlated it with vulnerability scan data (Nessus) and found that it was destined for a critical server. ThreatCenter issued an instant page and email to an administrator in time to prevent data loss and further infection.
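
The single-packet case above can be sketched as a join of three data sources: an IDS alert, vulnerability scan findings, and an asset inventory. This is an added example, not OpenService code or ThreatCenter's algorithm; the record layouts, addresses, host names and action names are assumptions constructed for the illustration.

```python
# Added illustration: triage IDS alerts against scan findings and asset criticality.
# Every record below is constructed sample data, not real Snort or Nessus output.
ALERTS = [
    {"sig": "slammer-like worm packet", "dst_ip": "10.0.5.40", "dst_port": 1434, "proto": "udp"},
    {"sig": "slammer-like worm packet", "dst_ip": "10.0.9.9", "dst_port": 1434, "proto": "udp"},
    {"sig": "slammer-like worm packet", "dst_ip": "10.0.5.31", "dst_port": 1434, "proto": "udp"},
    {"sig": "slammer-like worm packet", "dst_ip": "10.0.5.20", "dst_port": 1434, "proto": "udp"},
]
SCAN_FINDINGS = [  # what the last vulnerability scan reported as exposed
    {"host": "10.0.5.20", "port": 1434, "proto": "udp", "finding": "unpatched SQL resolution service"},
    {"host": "10.0.5.31", "port": 1434, "proto": "udp", "finding": "unpatched SQL resolution service"},
    {"host": "10.0.5.40", "port": 443, "proto": "tcp", "finding": "weak TLS configuration"},
]
ASSETS = {  # hypothetical inventory with a criticality flag
    "10.0.5.20": {"name": "billing-db", "critical": True},
    "10.0.5.31": {"name": "test-db", "critical": False},
    "10.0.5.40": {"name": "payroll-web", "critical": True},
}
PRIORITY = {"page": 0, "ticket": 1, "review": 2, "log": 3}

def triage(alerts, findings, assets):
    """Return one decision per alert, most urgent first."""
    exposed = {(f["host"], f["port"], f["proto"]) for f in findings}
    decisions = []
    for a in alerts:
        asset = assets.get(a["dst_ip"])
        vulnerable = (a["dst_ip"], a["dst_port"], a["proto"]) in exposed
        if asset is None:
            # Unknown destination: an inventory gap, so do not silently drop it.
            action, why = "review", "destination missing from asset inventory"
        elif vulnerable and asset["critical"]:
            action, why = "page", "alert matches a scan finding on a critical asset"
        elif vulnerable:
            action, why = "ticket", "alert matches a scan finding on a non-critical asset"
        else:
            action, why = "log", "no scan finding on the targeted port"
        decisions.append({"dst_ip": a["dst_ip"], "action": action, "why": why})
    return sorted(decisions, key=lambda d: PRIORITY[d["action"]])

if __name__ == "__main__":
    for d in triage(ALERTS, SCAN_FINDINGS, ASSETS):
        print(f'{d["action"]:7} {d["dst_ip"]:10} {d["why"]}')
```

The same alert signature produces four different outcomes depending on what the scan data and inventory say about the destination, which is the point of correlating rather than alerting on the IDS event alone.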

ThreatCenter also detects the progression of complex attacks. Hackers may start with a "low and slow" scan of your network. Then, after probes find open ports on your firewalls, listening devices, and applications, the hackers begin their real attack. They fingerprint your operating systems and their applications with targeted probes. When they find a vulnerability, they send a buffer overflow or other attack. Once they have compromised their target, it can be further hacked with rootkits, Back Orifice, netcat, or other tools that give the attackers unfettered control. After stealing or corrupting your data, attackers may use your system as a "zombie" to serve as the apparent source of attacks against others.
This scenario would trigger dozens of individual events likely to be meaningless in the sea of log noise, yet ThreatCenter can correlate them to identify the threat and inform administrators with the information they need to take action before it's too late.

