A myriad of security systems collect threat data, and the challenge for enterprises has been figuring out a way to make sense of all that information in order to gain real-time knowledge of attacks.
Marty Roesch, the founder and CTO of Sourcefire, sees active cyberthreat intelligence as the key component to combatting targeted attacks. Under Roesch’s vision, IDS and IPS technology that monitors network activity can be combined with greater visibility at the endpoint to gain a better understanding of attacks in progress. He’s using the company’s $21 million acquisition of Immunet to build out a real-time intelligence network.
The company recently announced the launch of FireAMP, an agent-based component built from Immunet that when deployed will send threat intelligence data to Sourcefire’s servers where it will be analyzed and put into a global database and shared via alerts to other users. Roesch said the goal is to boost the capabilities of the company’s systems to detect and quickly block malicious files that target zero-day vulnerabilities and other malware that often slip past signature-based security systems.
“When Firefox launches another executable and that executable starts downloading other software that starts installing itself, we have visibility into all these sorts of things,” Roesch said. “We also have the ability to control what happens next by blocking it.”
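As an added illustration (not Sourcefire, Immunet or FireAMP code), here is a small Python detector for the process chain Roesch describes: a browser spawns an executable, that executable makes an outbound connection and writes a file, and the written file is then executed. The event stream, process names, paths and remote addresses are all constructed for the example; a real endpoint agent would key on file hashes and much richer telemetry rather than on file paths.

```python
"""Toy behavioural detector for a browser -> dropper -> dropped-binary chain.

Added illustration only. The events below are a constructed endpoint
telemetry stream, not output from any real agent.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: image names we treat as "browser" parents.
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Event:
    ts: int          # constructed monotonic timestamp (seconds)
    kind: str        # "start" (process start), "connect" (outbound), "write" (file write)
    pid: int
    ppid: int = 0    # parent pid, meaningful for "start"
    image: str = ""  # executable path for "start"
    target: str = "" # remote endpoint for "connect", written path for "write"


# Constructed sample: one dropper chain under firefox.exe and one benign
# browser child (a PDF reader) that also connects and writes but drops nothing.
EVENTS: List[Event] = [
    Event(1, "start", 100, 1, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Event(2, "start", 200, 100, r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    Event(3, "connect", 200, target="198.51.100.7:443"),          # TEST-NET-2 address
    Event(4, "write", 200, target=r"C:\Users\alice\AppData\Roaming\svchelper.exe"),
    Event(5, "start", 300, 200, r"C:\Users\alice\AppData\Roaming\svchelper.exe"),
    Event(6, "start", 400, 100, r"C:\Program Files\Adobe\AcroRd32.exe"),
    Event(7, "connect", 400, target="203.0.113.5:443"),           # TEST-NET-3 address
    Event(8, "write", 400, target=r"C:\Users\alice\Downloads\report.pdf"),
]


def basename(path: str) -> str:
    """Last path component, lower-cased; handles both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_dropper_chains(events: List[Event]) -> List[Dict[str, object]]:
    """Return one record per browser child that connected out, wrote a file,
    and whose written file was later started as a process."""
    starts = {e.pid: e for e in events if e.kind == "start"}
    connected = {e.pid for e in events if e.kind == "connect"}
    writes = [e for e in events if e.kind == "write"]
    chains: List[Dict[str, object]] = []
    for child in starts.values():
        parent = starts.get(child.ppid)
        if parent is None or basename(parent.image) not in BROWSERS:
            continue                      # not spawned by a browser
        if child.pid not in connected:
            continue                      # never talked to the network
        for w in writes:
            if w.pid != child.pid:
                continue
            for proc in starts.values():
                # The dropped file must have been executed after it was written.
                if proc.image.lower() == w.target.lower() and proc.ts > w.ts:
                    chains.append({
                        "browser_pid": parent.pid,
                        "dropper_pid": child.pid,
                        "dropper_image": child.image,
                        "dropped_path": w.target,
                        "executed_pid": proc.pid,
                    })
    return chains


def format_alert(chain: Dict[str, object]) -> str:
    """One-line, human-readable alert for a detected chain."""
    return (f"browser pid {chain['browser_pid']} -> {basename(str(chain['dropper_image']))} "
            f"(pid {chain['dropper_pid']}) connected out, wrote "
            f"{basename(str(chain['dropped_path']))}, which ran as pid {chain['executed_pid']}")


if __name__ == "__main__":
    for c in find_dropper_chains(EVENTS):
        print(format_alert(c))
```

The benign branch (the PDF reader) is deliberately included: it also connects out and writes a file, but nothing it wrote is later executed, so it produces no alert. That last step is what separates "browser launched a helper" from "browser launched something that installed itself".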
When Roesch talks about the future of IPS, he talks about further integration with network security systems. The company is working on building deeper integration with its next generation firewall, adding more situational awareness into all its security products.
Andrew Hay, a senior security analyst at the 451 Group, said Sourcefire is moving along with the rest of the security industry by using threat intelligence data to create more offensive security technologies. Sourcefire has had the foresight to build out its IDS and IPS appliances into other areas since the market for IDS/IPS has become somewhat commoditized, he said. Sourcefire introduced a next generation firewall built off its core IDS technology. The company surprised industry observers by buying Immunet, an endpoint security company, but the introduction of FireAMP helps give a clearer picture of Roesch’s strategic vision, Hay said.
“The more people that use it, the better it will be because it uses the power of collective intelligence and that was the idea that made Immunet an acquisition target in the first place,” Hay said.
NetWitness: Forensics tools with analytics for threat intelligence
RSA, which acquired the NetWitness network security monitoring platform last year, credits its deployment of the system with quickly detecting its SecurID breach. At a recent media day at which RSA executives shared information about the breach and the company’s future product roadmap, NetWitness was positioned as an intelligence-gathering tool that, with the right analytics, could help detect and block targeted attacks. The company is working on improving the system’s analytical capabilities, and engineers are busy building connectors to RSA’s Archer governance, risk and compliance suite to provide reporting capabilities and an easy-to-use management console.
But Roesch said Sourcefire and other IPS and IDS vendors shouldn’t be threatened by the NetWitness technology. NetWitness systems are not usually deployed in-line, he said, adding that knowledgeable IT professionals (typically computer forensics investigators) need to ask NetWitness the right questions in order to get any meaningful data from the system.
“That thing collects a lot of data and it’s pretty raw,” Roesch said. “It will be interesting to see if their approach scales to solving the kind of problems we solve just knowing what I know about their sensing and collection infrastructure.”
Eddie Schwartz, CSO of RSA, believes that applying more powerful analytics to the data gathered by NetWitness systems could help companies find trouble before an attack exposes sensitive data.
“We’re working to build visibility into unusual patterns of behavior,” Schwartz said. “It’s about having powerful analytical capabilities because it isn’t as simple as looking at a small amount of traffic. Looking at all the data we’re collecting gets a lot more complicated.”
RSA NetWitness plays in a niche field with its deep packet inspection technology. The company competes head-on against Solera Networks, which makes appliances that can be used by forensics teams. Fidelis Security Systems Inc. also competes in the space and uses sensors to spot malware infections and alert if a problem is detected. Fidelis claims its technology can supersede firewalls and traditional DLP products.
Correlation of large amounts of data does not mean causation, said Pete Lindstrom, research director at Spire Security. More powerful analytics could help security teams after a breach, but developing ways to make NetWitness detect attacks in progress would be difficult, Lindstrom said.
“There’s a presumption that more data is better and I don’t deny it, but I also don’t think it’s proven when it comes to security technologies,” Lindstrom said. “RSA has a great forensics tool and it’s arguably one of the best, so I don’t see them taking it in a completely different direction.”
The 451 Group’s Hay said RSA has been busy integrating NetWitness into its product portfolio. The company introduced NetWitness Panorama, which takes its full packet capture and analytics capabilities and combines them with RSA enVision SIM log collection capabilities. The company is also improving NetWitness’ reporting capabilities, tying it into RSA’s Archer GRC suite.
“They want to get closer and closer to real time and I can see that with alerting, but the fact remains that you could collect terabytes of data and you would still need human bodies in seats to look at all that data as it comes in,” Hay said. “I don’t see them putting NetWitness inline and doing active blocking.”