SECURITY BUYER'S GUIDE

Hot Pick: Sentivist IPS


by James C. Foster
11.16.2004
Rating: 4.00 (out of 5)




Sentivist IPS
NFR Security
Price: Starts at $7,500

Confidence Indexing is what makes NFR Security's Sentivist IPS stand out from other products. Through this scoring and correlation engine, Sentivist detects attacks with few false positives, allowing enterprises to use its automated response features without breaking mission-critical apps.

This is more than marketing hype. Confidence Indexing is a metric and methodology for identifying threats through highly configurable, actionable rules that produce few false positives. The engine uses multiple variables to score threats and, measured against predefined thresholds, decides with a stated degree of confidence whether traffic is malicious or acceptable. For instance, a purely signature-based IPS/IDS may not recognize a low-and-slow attack from any single characteristic. Sentivist scores multiple characteristics of the same traffic and adds them up to determine whether it is truly an attack; it also correlates traffic loads, the services and ports accessed, IP addresses and protocols. If the cumulative score exceeds the defined threat threshold, the engine either alerts a security manager or initiates a policy-based response. This differs from IDSes and IPSes that act on a single conventional signature match, anomaly score or heuristic; the individual rules still look much like IDS signatures (see below), so the difference lies in the scoring and correlation layer rather than in the detection primitives.



The key is setting the right thresholds. Security managers can customize confidence thresholds based on common attack names or on the potential impact on the network. Customized policies dictate what Sentivist does once a threshold is exceeded. For instance, if the volume of FTP traffic coming from an R&D subnet exceeds a certain load, it can block the traffic.

Configuring Sentivist's rules is a snap if you know how to write custom IDS signatures; they're practically identical. Security managers can either use the predefined policies or create custom rules, then string them together to create threshold settings. From the policy editing window in the management console, we selected the intrusion prevention module and the rules we wanted. For example, to turn on auto-prevention for all attacks with a confidence rating of 90 percent or greater, we entered "*90 percent," and to enable auto-block for a single alert, such as Nimda, we entered "www_iis_nimda_alert."

Based on the rules and thresholds we set, the system properly blocked our Snitch, Apache Nosejob and numerous other exploits. Once Confidence Indexing identified an attack, the blacklisting feature blocked the attacking IP addresses, and they could no longer communicate through the inline device. One caveat applies to any inline device that responds this way: a source-address blacklist is only as trustworthy as the source address itself, and an attacker who can spoof packets from an address you depend on can turn automatic blocking into a denial of service, so the confidence threshold for blocking should sit well above the threshold for alerting.
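The scoring, threshold, policy-entry and blacklisting behaviour described in the preceding paragraphs, as an added example in Python. This is not NFR's code and does not use Sentivist's rule syntax: apart from the www_iis_nimda_alert name and the 90-percent threshold quoted above, the rule names, confidence weights, thresholds, the R&D subnet 10.20.0.0/16 with its FTP byte budget, and the sample flows are all invented for the illustration. It shows the point the review makes about low-and-slow traffic: two moderate indicators (a traversal sequence and a cmd.exe reference) add up to the same automatic block that a single high-confidence signature triggers, while one weak indicator pair only raises an alert.

```python
"""Toy confidence-indexing engine: multi-variable scoring, thresholds,
alert-or-block policy and source blacklisting.  Added illustration only;
rule names, weights, thresholds and traffic below are invented."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable
import ipaddress


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int
    payload: bytes = b""


@dataclass
class Rule:
    name: str            # alert name a policy entry can reference by glob
    confidence: int      # how strongly a match indicates an attack (0-100)
    match: Callable[[Flow], bool]


# Hypothetical rules.  Every matching rule adds its confidence to the flow's
# total, so one strong signature or several weak indicators can both cross
# the threshold (the "low and slow" case a single signature would miss).
RULES = [
    Rule("www_iis_nimda_alert", 95,
         lambda f: f.dport == 80 and b"/scripts/root.exe" in f.payload),
    Rule("www_dir_traversal", 50,
         lambda f: f.dport == 80 and b"/../" in f.payload),
    Rule("www_cmd_exec", 40,
         lambda f: f.dport == 80 and b"cmd.exe" in f.payload),
    Rule("admin_port_probe", 25,
         lambda f: f.proto == "tcp" and f.dport in (22, 23, 3389)),
    Rule("tiny_probe_payload", 15,
         lambda f: 0 < f.nbytes < 64),
]


@dataclass
class Policy:
    auto_block_confidence: int   # like the review's "*90 percent" entry
    auto_block_names: list       # globs over rule names, e.g. "www_iis_nimda_alert"
    alert_confidence: int        # alert (no block) at or above this score
    # (source subnet, destination port) -> byte budget per analysis window
    load_limits: dict = field(default_factory=dict)


class ConfidenceEngine:
    def __init__(self, rules, policy):
        self.rules, self.policy = rules, policy
        self.blocked = set()     # blacklisted source addresses
        self.load = {}           # bytes seen per (subnet, port)
        self.log = []

    def score(self, flow):
        hits = [r for r in self.rules if r.match(flow)]
        return min(100, sum(r.confidence for r in hits)), [r.name for r in hits]

    def over_load_limit(self, flow):
        """Volume correlation, e.g. FTP from the R&D subnet exceeding its budget."""
        for (net, port), limit in self.policy.load_limits.items():
            if flow.dport == port and ipaddress.ip_address(flow.src) in ipaddress.ip_network(net):
                self.load[(net, port)] = self.load.get((net, port), 0) + flow.nbytes
                if self.load[(net, port)] > limit:
                    return True
        return False

    def process(self, flow):
        if flow.src in self.blocked:
            action, total = "drop", None      # blacklisted source: nothing passes
        else:
            total, names = self.score(flow)
            over = self.over_load_limit(flow)
            by_name = any(fnmatch(n, pat) for n in names
                          for pat in self.policy.auto_block_names)
            if total >= self.policy.auto_block_confidence or by_name or over:
                action = "block"
                self.blocked.add(flow.src)
            elif total >= self.policy.alert_confidence:
                action = "alert"
            else:
                action = "pass"
        self.log.append((flow.src, flow.dport, total, action))
        return action


def demo():
    """Run constructed sample traffic (not captured data) through the engine."""
    policy = Policy(auto_block_confidence=90,
                    auto_block_names=["www_iis_nimda_alert"],
                    alert_confidence=40,
                    load_limits={("10.20.0.0/16", 21): 1_000_000})  # R&D subnet, FTP
    eng = ConfidenceEngine(RULES, policy)
    flows = [
        Flow("203.0.113.7", "192.0.2.10", "tcp", 80, 512, b"GET /scripts/root.exe?/c+dir HTTP/1.0"),
        Flow("203.0.113.7", "192.0.2.10", "tcp", 80, 300, b"GET /index.html HTTP/1.0"),
        Flow("198.51.100.9", "192.0.2.10", "tcp", 80, 400, b"GET /cgi-bin/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
        Flow("198.51.100.20", "192.0.2.10", "tcp", 22, 40),
        Flow("10.20.5.5", "192.0.2.30", "tcp", 21, 600_000, b"RETR build.tar"),
        Flow("10.20.5.5", "192.0.2.30", "tcp", 21, 600_000, b"RETR src.tar"),
        Flow("192.0.2.50", "192.0.2.10", "tcp", 80, 200, b"GET /about HTTP/1.0"),
    ]
    return [eng.process(f) for f in flows]


if __name__ == "__main__":
    print(demo())
```

Running demo() yields block, drop, block, alert, pass, block, pass: the Nimda request is blocked by name and score, the second flow from that host is dropped by the blacklist, the traversal-plus-cmd.exe request reaches 90 from two 50/40 indicators, the SSH probe only alerts at 40, and the second FTP transfer from the R&D subnet pushes the volume past its budget and is blocked even though no content rule fired.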

Sentivist's centralized management is a boon for large enterprises that collect massive amounts of event data from distributed networks. The centralized console collects data from remote sensors, as well as from regional collectors in geographically distributed networks. These sensors act as a funnel, eliminating unnecessary packet headers and ultimately reducing bandwidth consumption. Case in point: A multinational enterprise could install collectors in Seattle, New York, London and Sydney, and Sentivist IPS would aggregate data and provide traffic analysis on individual network segments.

While some shops might not have the budget for a beefy $22,000 appliance, they can opt to install the Sentivist software, priced at $7,500, on a Dell, HP, IBM or Sun server. The appliance, however, offers failover protection if the primary box crashes, is overwhelmed with traffic or loses power.

The Sentivist appliance runs on FreeBSD with MySQL. The collector sensors run on Red Hat and Solaris. All communication between sensors, collectors and the management console is encrypted with 128-bit AES. The enterprise console is written in Java and can use either a free PostgreSQL backend database or a commercial one such as Oracle.

Real-time status, deep analysis reports and data with detailed attack information correlated from the entire environment are only a mouse click away on the management console. Sentivist comes with 42 report templates that provide detailed threat and response action reports that are easily understood by both IT staff and executive management. Sentivist can be integrated with Crystal Reports (not included) for expanded capabilities; its developer suite allows security managers to create custom reports.

Sentivist includes monitoring for both IPv6 and IPv4, and can detect when someone is tunneling IPv6 through IPv4. Some might scoff at IPv6 threats today, but NFR is probably right in anticipating more attacks using this protocol.
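What "IPv6 tunneled through IPv4" looks like on the wire, as an added example in Python that is not NFR's detection logic. The two encapsulations it recognizes are the standard ones: an IPv4 packet whose protocol field is 41 (IPv6 directly inside IPv4, RFC 4213; labelled 6to4 when the inner address falls in 2002::/16, RFC 3056) and Teredo, IPv6 inside UDP on port 3544 (RFC 4380). The sample packets are constructed in the block itself with zeroed checksums and documentation addresses; the Teredo authentication indication is deliberately not parsed, which is noted in the code. An IPv4-only sensor that ignores protocol 41 and port 3544 never sees the inner IPv6 traffic at all, which is the gap the review is pointing at.

```python
"""Detect IPv6 carried inside IPv4: protocol-41 encapsulation (6in4, and
6to4 when the inner address is in 2002::/16) and Teredo (UDP port 3544).
Added illustration only; packets below are constructed with zeroed checksums."""
import ipaddress
import struct

PROTO_UDP = 17
PROTO_IPV6 = 41          # IANA protocol number for IPv6-in-IPv4 (RFC 4213)
TEREDO_PORT = 3544       # RFC 4380
SIXTOFOUR = ipaddress.ip_network("2002::/16")   # RFC 3056


def parse_inner_v6(body):
    """Return (src, dst) if body starts with an IPv6 header, else None."""
    if len(body) < 40 or body[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv6Address(body[8:24])),
            str(ipaddress.IPv6Address(body[24:40])))


def detect_v6_tunnel(pkt):
    """Classify one raw IPv4 packet; None when it carries no IPv6 tunnel."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    outer_dst = str(ipaddress.IPv4Address(pkt[16:20]))
    body = pkt[ihl:]
    if proto == PROTO_IPV6:
        inner = parse_inner_v6(body)
        kind = "6in4"
        if inner and any(ipaddress.IPv6Address(a) in SIXTOFOUR for a in inner):
            kind = "6to4"
    elif proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if TEREDO_PORT not in (sport, dport):
            return None
        data = body[8:]
        # Teredo may prepend an 8-byte origin indication (starts 0x0000);
        # the authentication indication (starts 0x0001) is not handled here.
        if data[:2] == b"\x00\x00":
            data = data[8:]
        inner = parse_inner_v6(data)
        if inner is None:
            return None          # something else on 3544, not a tunnel
        kind = "teredo"
    else:
        return None
    return {"tunnel": kind, "outer_src": outer_src, "outer_dst": outer_dst,
            "inner_src": inner[0] if inner else None,
            "inner_dst": inner[1] if inner else None}


# --- constructed sample packets (no real traffic) ---------------------------
def ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv6(src, dst, payload=b"", next_hdr=59):   # 59 = no next header
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLES = {
    "plain_tcp": ipv4(6, "192.0.2.10", "198.51.100.1", b"\x00" * 20),
    "6in4": ipv4(PROTO_IPV6, "198.51.100.5", "192.0.2.1",
                 ipv6("2001:db8::1", "2001:db8::2")),
    "6to4": ipv4(PROTO_IPV6, "198.51.100.5", "192.88.99.1",
                 ipv6("2002:c633:6405::1", "2001:db8::2")),
    "teredo": ipv4(PROTO_UDP, "203.0.113.9", "192.0.2.2",
                   udp(40000, TEREDO_PORT, ipv6("2001:0:c000:202::1", "2001:db8::3"))),
    "teredo_origin": ipv4(PROTO_UDP, "192.0.2.2", "203.0.113.9",
                          udp(TEREDO_PORT, 40000,
                              b"\x00\x00" + b"\x00" * 6 + ipv6("2001:db8::3", "2001:0:c000:202::1"))),
    "udp_3544_noise": ipv4(PROTO_UDP, "203.0.113.9", "192.0.2.2",
                           udp(1234, TEREDO_PORT, b"hello")),
}


def scan(samples=SAMPLES):
    """Map sample name -> tunnel kind (or None)."""
    return {name: (r["tunnel"] if r else None)
            for name, r in ((n, detect_v6_tunnel(p)) for n, p in samples.items())}


if __name__ == "__main__":
    for name, kind in scan().items():
        print(f"{name:16s} {kind}")
```

The port check alone is not enough for Teredo: the "udp_3544_noise" sample shows why the detector also insists on an IPv6 version nibble in the UDP payload before reporting a tunnel, and the "6to4" sample shows the inner 2002:c633:6405::1 address embedding the outer 198.51.100.5 source, which is the usual tell for that variant.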

NFR Security really put its thinking cap on when it designed Sentivist IPS. It has tremendous IPS capabilities with minimal pain of false positives. Sentivist should be on every enterprise's consideration list when looking to replace aging IDSes.

About the author
James C. Foster is the deputy director for Global Security Solution Development at CSC. Foster has also worked for Guardent (acquired by Verisign), Foundstone (acquired by McAfee) and the Department of Defense.

This article originally appeared in our sister publication Information Security magazine.

All Rights Reserved, Copyright 2003 - 2008, TechTarget