This article can also be found in the Premium Editorial Download "Information Security magazine: Captive to SOX compliance? A compliance guide for managers."
NFR Security's Sentivist 5.0
Price: Sensors start at $13,000; management platform starts at $10,000.
Sentivist 5.0 improves on an excellent product with enterprise-grade sensors, the ability to assess network-wide attacks and an improved interface.
NFR's Sentivist 4.0, with its Confidence Indexing for assessing threats, ease of use and reporting capabilities, impressed us sufficiently to be named our Hot Pick in November 2004. Sentivist 5.0 takes the product to another level and has again earned the honor. It's suitable for organizations of any size, with environment-aware attack assessment, vulnerability scanning, data integration, ad hoc reporting and a revamped interface.
The enterprise value of Sentivist's architecture is its ability to scale to thousands of sensors with the same level of protection deployed to all network segments. Its scalability is supported by a three-tier architecture: management, sensors and database (which can be either MySQL for smaller implementations or Oracle for larger enterprises).
In complex enterprises deploying tens or hundreds of sensors, an intermediate "sensor server" can be used to handle some of the correlation before data is packaged and transmitted to the central database. This data handling layer is also ideal for multinational or geographically dispersed corporations.
Now a true enterprise-level product, Sentivist has moved from sensors handling a few hundred Mbps to high-end sensors that can analyze up to 4 Gbps. Sentivist's failover pass-through, which creates a hardware-layer copper bridge to maintain network connectivity should a unit fail, is impressive.
The Dynamic Shielding Architecture (DSA) lets the sensors be aware of their environment and tailor security accordingly. DSA collects Nessus scan data via its XML-formatted vulnerability output reports, which are parsed and loaded into the database for real-time correlation of network attacks. Correlation is based on attack type, port, IP and CVE. NFR plans to integrate McAfee Foundstone and Qualys data into the product in the near future. All attack signatures and sensor policies are centrally managed through the NFR Protection Center administration and analysis system.
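To make the environment-aware correlation concrete, here is an added example (not NFR's code, and not part of the original review) that parses a constructed vulnerability report in the shape of a Nessus .nessus v2 XML document and rates each IDS alert by whether the targeted host actually exposes the matching port and CVE. The host addresses, plugin names and CVE identifiers in the sample are placeholders, and the four-level rating scheme is our own illustration of the idea, not Sentivist's Confidence Indexing.

```python
"""Correlate IDS alerts with scanner findings by IP, port and CVE (constructed example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of a .nessus (v2) report. Hosts and
# CVE identifiers are placeholders, not real findings.
SAMPLE_NESSUS_XML = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="constructed-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="4"
                  pluginID="1" pluginName="placeholder SMB finding">
        <cve>CVE-0000-0001</cve>
      </ReportItem>
      <ReportItem port="80" protocol="tcp" svc_name="www" severity="0"
                  pluginID="2" pluginName="placeholder web server banner"/>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="2"
                  pluginID="3" pluginName="placeholder SSH finding">
        <cve>CVE-0000-0002</cve>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus_report(xml_text):
    """Return {ip: {(port, protocol): set_of_cves}} from a .nessus v2 document.

    Every ReportItem is recorded, even one with no CVE, so that an open
    port with no known vulnerability is distinguishable from a closed one.
    Feed only reports from your own scanner: ElementTree is not hardened
    against hostile XML.
    """
    root = ET.fromstring(xml_text)
    index = defaultdict(dict)
    for host in root.iter("ReportHost"):
        ip = host.get("name")
        for item in host.iter("ReportItem"):
            key = (int(item.get("port")), item.get("protocol", "tcp"))
            cves = {c.text.strip() for c in item.findall("cve") if c.text}
            index[ip].setdefault(key, set()).update(cves)
    return dict(index)


def assess_alert(alert, index):
    """Rate one IDS alert against the scan data for its destination host.

    "high":    the target exposes the exact CVE the signature fires on
    "medium":  the port is open on the target but that CVE was not observed
    "low":     the target was scanned and the port is not open
    "unknown": the host is absent from scan data; cannot confirm or refute
    """
    host = index.get(alert["dst_ip"])
    if host is None:
        return "unknown"
    cves = host.get((alert["dst_port"], alert["proto"]))
    if cves is None:
        return "low"
    if alert.get("cve") and alert["cve"] in cves:
        return "high"
    return "medium"


# Constructed alerts as a sensor might emit them (signature name, target, CVE).
SAMPLE_ALERTS = [
    {"sig": "SMB exploit attempt", "dst_ip": "10.0.0.5", "dst_port": 445,
     "proto": "tcp", "cve": "CVE-0000-0001"},
    {"sig": "HTTP overflow attempt", "dst_ip": "10.0.0.5", "dst_port": 80,
     "proto": "tcp", "cve": "CVE-0000-0009"},
    {"sig": "RDP probe", "dst_ip": "10.0.0.5", "dst_port": 3389,
     "proto": "tcp", "cve": None},
    {"sig": "SSH brute force", "dst_ip": "10.0.0.77", "dst_port": 22,
     "proto": "tcp", "cve": None},
]


def triage(alerts, index):
    """Return (signature, rating) pairs so an analyst can sort by rating."""
    return [(a["sig"], assess_alert(a, index)) for a in alerts]


if __name__ == "__main__":
    vuln_index = parse_nessus_report(SAMPLE_NESSUS_XML)
    for sig, rating in triage(SAMPLE_ALERTS, vuln_index):
        print(f"{rating:8s} {sig}")
```

The useful property for an analyst is the separation of "low" from "unknown": an alert against a scanned host with the port closed can be deprioritized with some confidence, while an alert against a host the scanner never saw is a gap in coverage rather than a dismissal.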
The analyst console for NFR is the most impressive we have seen, providing real-time views into a particular sensor or all sensors at the click of your mouse. You can also break the attack and alert data into common groups. These groups are customizable and are ideal for tracking potential intruders, worms or internal threats. For example, you can group alerts by any field in the packet (source IP, attack type, target vulnerability) to determine the scope of an attack.
This was first published in March 2006