By Dan Farber
July 6, 2004
Enterprise security management has come a long way in the last few years. A large company has dozens of devices installed -- ranging from firewalls to routers to intrusion detection appliances and identity management services -- that track millions of events. Several companies offer software to monitor systems, correlate events, prioritize severity, alert IT staff or take a prescribed action to remedy a problem. In addition, companies are implementing security practices and automated tools as an integral part of the software development process to reduce vulnerabilities. Two companies recently introduced new products that address the two ends of the spectrum of security management: top down and bottom up.

For top-down security management, ArcSight is adding another element to its security management suite with TruThreat Discovery 1.0, which applies artificial intelligence and data mining to the problem of identifying and resolving threats. ArcSight, like most security management products, employs a mixture of rule-based correlation and statistical correlation, which analyze relationships among events generated by applications, system software and other assets in an IT infrastructure. Rather than relying solely on prescribed rules or functions, TruThreat Discovery looks for patterns, such as repeated attempts to access a system over a period of time, monitoring activities that are under the radar and can easily go undetected.
TruThreat Discovery's search for patterns is similar to analyzing DNA sequences to find specific protein sequences, according to Hugh Njemanze, CTO and founder of ArcSight. The results of TruThreat Discovery scans are presented graphically, showing the interconnections among IP addresses, vulnerabilities and affected machines. A workbench allows a security administrator to analyze the results and take actions, including the creation of custom rules via a simple interface to deal with specific threat patterns. Using ArcSight 3.0 as its operating environment, TruThreat Discovery 1.0 is priced at $75,000.
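The "repeated attempts over a period of time" pattern described above, as an added example that is not ArcSight's code: a conventional burst rule is run beside a long-horizon detector over constructed login events, and only the second catches the once-a-night source. The event format, IP addresses, host names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, target host, outcome).
# 10.0.0.5 fails once per night for six nights (low and slow);
# 10.0.0.9 fails six times inside one minute (classic burst).
SAMPLE_EVENTS = [
    ("2004-07-01 02:10:00", "10.0.0.5", "db01", "fail"),
    ("2004-07-02 02:12:00", "10.0.0.5", "db01", "fail"),
    ("2004-07-03 02:09:00", "10.0.0.5", "db01", "fail"),
    ("2004-07-04 02:11:00", "10.0.0.5", "db01", "fail"),
    ("2004-07-05 02:10:00", "10.0.0.5", "db01", "fail"),
    ("2004-07-06 02:13:00", "10.0.0.5", "db01", "fail"),
    ("2004-07-06 09:00:00", "10.0.0.7", "db01", "success"),
] + [("2004-07-06 14:00:%02d" % (10 * i), "10.0.0.9", "web01", "fail")
     for i in range(6)]

def _failures_by_pair(events):
    """Group failed-attempt timestamps by (source, target), sorted in time."""
    by_pair = defaultdict(list)
    for ts, src, dst, outcome in events:
        if outcome == "fail":
            by_pair[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return {pair: sorted(times) for pair, times in by_pair.items()}

def burst_rule(events, threshold=5, window=timedelta(minutes=1)):
    """Prescribed rule: N failures from one source against one target within a short window."""
    hits = set()
    for pair, times in _failures_by_pair(events).items():
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1          # extend to the last failure still inside the window
            if j - i >= threshold:
                hits.add(pair)
                break
    return hits

def slow_pattern(events, min_days=5, horizon=timedelta(days=7)):
    """Long-horizon pattern: failures on at least min_days distinct days within the horizon,
    regardless of how sparse they are; this is what a per-minute rule never sees."""
    hits = set()
    for pair, times in _failures_by_pair(events).items():
        days = sorted({t.date() for t in times})
        for i, first in enumerate(days):
            if sum(1 for d in days[i:] if d - first < horizon) >= min_days:
                hits.add(pair)
                break
    return hits
```

The burst rule flags only 10.0.0.9 against web01, while the long-horizon detector flags only 10.0.0.5 against db01; a deployment would run both, since each misses what the other catches.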
Ounce Labs
One of the unique features of Prexis 2.0 is the V-Density metric, a numerical expression used to evaluate the importance of vulnerabilities in an application and to help prioritize the resources applied to addressing the problems. The metric is based on the number of vulnerabilities, the number of lines of code, the severity of the vulnerabilities, and the types of vulnerabilities. Security administrators can set V-Density thresholds to identify non-compliant or sub-standard applications. The Prexis/Insight security dashboard presents the information derived from the source code analysis across applications. "A bank with 1,500 applications can judge where to focus security resources based on the vulnerabilities and how critical the applications are," according to Peter Crosby, director of marketing at Ounce Labs. In addition, a company could compare the performance of in-house software versus outsourced code, and chart remediation progress and V-Density changes over time. Another part of the toolset, Prexis/Pro, offers more detailed vulnerability analyses and specific remediation advice. The cost for Prexis 2.0 is about $100,000, including Prexis/Pro for 20 users and Prexis/Insight, Crosby said. Support for Java programs is expected this month.

Given the high cost of security breaches, enterprises must take a proactive approach that encompasses both the inside-out, bottom-up automated code analysis and remediation and the outside-in, top-down correlation engines that use data mining and AI techniques to assess vulnerabilities based on information gathered from every relevant data source. It's the only hope of staying a step ahead in the game of cat and mouse with malicious hackers.

You can write to me at dan.farber@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.