ThreatCenter
Chances are your IT staff, and your security team, hasn't grown in headcount recently. Yet at the same time you probably have new IDS sensors, firewalls, anti-virus systems, denial of service prevention devices, vulnerability scanners, web application filters... and any number and variety of new network security devices, not to mention new systems to protect and manage.
In a typical network, just the security events can exceed 100,000 events per day.
ThreatCenter brings the events from all of these devices together in one console. Better yet, it consolidates, correlates, and analyzes the overwhelming data streams for real threats.
Instead of shouting every time some web crawler probes your network, it calmly analyzes the events looking for patterns of attack. Not just IDS and virus signatures, but patterns of behavior.
Our first challenge is that each vendor calls each attack something different. Just figuring out which events refer to the same attack can be an overwhelming challenge. ThreatCenter addresses this by using a metabase of each separate vendor's signatures and alerts, and cross references them against each other and against common databases of what the events mean, such as CVE or Bugtraq. So instead of an event 99 from vendor X for worm Y, and an event of ABC outbreak from device Z, the security staff can see a single event with a common description and can click through to the vendor signatures, if needed, to find out how best to respond. With OpenService's update service, the metabase is kept up to date even as vendors add and change signatures.
What does a correlated attack look like?
It can be as simple as a single packet, or as complex as a multi-headed attack spanning multiple days.
In the instance below, a worm (SQL Slammer) was sent against a device that is vulnerable to that specific worm. A single packet was identified by an IDS sensor (Snort), and reported, then correlated with vulnerability scan data (Nessus), and found to be headed towards a critical server that is vulnerable to the given worm. The administrator received an instant page and email, and was able to prevent data loss and further infection by dealing with the situation immediately.
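The two steps above, normalizing vendor-specific signatures through a metabase and then checking the IDS alert against the scanner's view of the target host, as an added example. This is illustration code, not ThreatCenter's own; the vendor signature ids, the CVE and all hosts and events are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    vendor: str       # which sensor reported it (e.g. snort)
    signature: str    # that vendor's own identifier for the alert
    src: str
    dst: str


@dataclass(frozen=True)
class Asset:
    ip: str
    critical: bool
    vulns: frozenset  # common attack names the scanner found this host open to


# Constructed metabase: (vendor, vendor signature) -> (common name, reference).
# The Snort SID, vendor X event id, Nessus plugin id and CVE are placeholders.
METABASE = {
    ("snort", "sid:PLACEHOLDER"):     ("sql-slammer", "CVE-PLACEHOLDER"),
    ("vendorX", "99"):                ("sql-slammer", "CVE-PLACEHOLDER"),
    ("nessus", "plugin:PLACEHOLDER"): ("sql-slammer", "CVE-PLACEHOLDER"),
}


def normalize(vendor, signature):
    """Map a vendor-specific signature to its common name. Unknown signatures are
    kept and tagged so nothing silently disappears from the console."""
    return METABASE.get((vendor, signature), (f"unknown:{vendor}/{signature}", None))


def correlate(event, assets):
    """Return (common name, severity). An IDS hit on its own is 'info'; a hit
    against a host the scanner reports as vulnerable is 'high', or 'critical'
    when that host is flagged as a critical server (the case that gets paged)."""
    name, _reference = normalize(event.vendor, event.signature)
    asset = assets.get(event.dst)
    if asset is None or name not in asset.vulns:
        return name, "info"
    return name, ("critical" if asset.critical else "high")


# Constructed sample data: two vendors reporting the same worm in their own words.
ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", critical=True, vulns=frozenset({"sql-slammer"})),
    "10.0.0.9": Asset("10.0.0.9", critical=False, vulns=frozenset()),
}
SAMPLE_EVENTS = [
    Event("snort", "sid:PLACEHOLDER", "198.51.100.23", "10.0.0.5"),  # vulnerable, critical
    Event("vendorX", "99", "198.51.100.23", "10.0.0.9"),             # same worm, patched host
    Event("vendorX", "12345", "203.0.113.7", "10.0.0.5"),            # signature not in metabase
]
```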
OK, so Intrusion Prevention Systems (IPS) claim to do the same thing, right?
The problem is, IPS devices depend on IDS signatures, and require those data patterns to be blocked. So which signatures should be in prevention (IPS) mode? If you block everything, the network doesn't work, and if you choose the vendor defaults, how do you know it's working?
Here again, ThreatCenter is the answer. Even in highly secure networks, ThreatCenter provides the auditing and feedback mechanisms missing in today's threat prevention devices to help tune them and ensure they're getting the job done.
ThreatCenter shines in a complex attack. Here an experienced hacker may start with a "low and slow" scan of your network. Then, after probing and finding the open ports on your firewalls, listening devices and applications, he begins his real attack. The operating system and applications are fingerprinted with targeted probes. Then a "buffer overflow" or other attack that a system is vulnerable to is sent. The system is compromised, and may be further hacked with RootKits, Back Orifice, netcat, or other remote-access hacks, giving the attacker unfettered control of the compromised system indefinitely. Worse yet, your newly hacked system may become a "zombie" used by the hacker to amplify or bounce future attacks off of, making you appear to be the source of attacks against others. This scenario would trigger dozens of individual meaningless events in a sea of log noise from various devices. However, ThreatCenter absorbs that log noise, sees the progression of this attack, and responds by increasing the threat level, alerting administrators, and even running automated responses.
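The stage-by-stage progression described above (scan, fingerprint, exploit, remote access), tracked per source across days of normalized events so that the threat level only rises as the sequence actually completes. This is an added illustration, not ThreatCenter's code; the stage names, levels and sample events are constructed.

```python
from collections import defaultdict

# Kill-chain stages in the order the text describes them.
STAGES = ["scan", "fingerprint", "exploit", "remote_access"]
LEVELS = {0: "normal", 1: "normal", 2: "elevated", 3: "high", 4: "critical"}
# Constructed response policy: what to do as the level rises.
RESPONSES = {"elevated": "watch", "high": "page admin", "critical": "isolate host"}


def track(events):
    """events: iterable of (day, src, category) tuples, already normalized.
    Returns {src: (stages completed, threat level)}. A stage is credited only
    once every earlier stage has been seen from the same source, so a lone scan
    from a web crawler stays 'normal' while a slow multi-day progression does not.
    Out-of-order stages are deliberately not credited in this simplified model."""
    progress = defaultdict(int)                    # src -> number of stages completed
    for _day, src, category in sorted(events, key=lambda e: e[0]):   # stable, by day
        if category not in STAGES:
            continue                               # log noise: not part of the modeled chain
        idx = STAGES.index(category)
        if idx <= progress[src]:                   # next expected stage, or a repeat
            progress[src] = max(progress[src], idx + 1)
    return {src: (n, LEVELS[n]) for src, n in progress.items()}


def respond(level):
    """Map a threat level to the constructed response policy (None for 'normal')."""
    return RESPONSES.get(level)


# Constructed sample: a crawler that only scans, and a low-and-slow attacker.
SAMPLE_EVENTS = [
    (1, "203.0.113.7", "scan"),
    (1, "198.51.100.23", "scan"),
    (2, "203.0.113.7", "scan"),
    (3, "198.51.100.23", "fingerprint"),
    (3, "10.0.0.5", "virus_signature"),            # unrelated noise from another device
    (5, "198.51.100.23", "exploit"),
    (5, "198.51.100.23", "remote_access"),
]

if __name__ == "__main__":
    for src, (n, level) in track(SAMPLE_EVENTS).items():
        print(f"{src}: {n} stage(s) seen, threat level {level}, action {respond(level)}")
```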
In some cases a zero day attack (worm, virus, Trojan) breaks out on the internet. At first, IDS sensors don't yet have pattern matches, and don't report it as a threat. But many other devices, perhaps a router, will report an annoying and anomalous volume of traffic on unknown or unusual ports. ThreatCenter can detect and correlate these obscure messages into a threat, warning of a possible zero day attack, and which systems are affected. Administrators can respond by blocking ports on firewalls and isolating infected systems before the entire network is infected.
And when you need to create a report to prove to your auditors that your network is secure, simple drop down reporting options allow administrators to create reports of both real time and recent historical data without writing complex SQL queries and trying to merge multiple device logs. When combined with LogCenter, the same drop down reports can be run against longer term data for compliance reporting and forensic analysis.
So, if you're ready to simplify security management, and need a solution to find and thwart attacks in real time, give us a call.