Feature

SIMs maturing and suitable for mid-market

Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."

Download it now to read this article plus other related content.

More Precise Active Threat Response
Active threat response is a dangerous way to deal with security alert information. When active response is in play, the SIM actively modifies the behavior of the network in response to some identified security threat. The experience of managers who have been burned by this technology has led many to shy away from the idea of a robot wandering about their network, shutting off switch ports and adding rules to firewalls. But this hasn't kept vendors from developing active response toolkits.

One of the early entrants in the advanced toolkit space was Cisco with its Security Monitoring, Analy-sis and Response System (MARS) appliance. Rather than assume that all networks have a single firewall at the edge where all active responses go, MARS learns network topology and uses that information to focus any remediation as close to the source of the problem as possible.

Cisco had been the only vendor offering active response capabilities, with MARS, but now other vendors also provide the technology with their SIMs. ArcSight released Threat Response Manager, based on technology it acquired from ENIRA Technologies in 2006. The idea behind Threat Response Manager is that network configuration information, gathered from existing devices, is the most effective source of knowledge about network topology. Using configuration information and its own expert system, Threat Response Manager is designed to determine

    Requires Free Membership to View

the most effective and least disruptive way to remediate a threat. However, threat remediation can cause a self-inflicted denial of service (DoS)--a problem ArcSight is quick to acknowledge. Executives at the company said one of the key goals for Threat Response Manager is giving security and network management staff the tools to follow written procedures--in effect, to respond to threats based on policy rather than by shooting from the hip.

Threat response isn't just a high-end feature; TriGeo has been touting its security policy compliance capabilities very heavily in a Windows-centric way. Not content to remediate threats using only network devices, TriGeo's remediation tools include a Windows agent that can start and stop processes, block different types of network connections, and enforce policies on USB peripherals.

This was first published in June 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: