Finding the calm inside the storm

Anyone who has ever spent time on the congested roads around San Francisco Bay should feel pleased for Michael Roberts.

Not too long ago, Roberts and his IT colleagues had to climb in his car and drive from branch to branch of the Bank of Alameda to remediate its PCs and servers after scanning for vulnerabilities.

No more. The bank bought Citadel Security Software's Hercules, an automated vulnerability remediation solution, and shortly thereafter one less vehicle was clogging up those Bay Area highways and byways.

"Now it takes about six hours to do all our workstations. Before Hercules I estimate it would have taken me 60 hours to do all of the same tasks, so it is a substantial saving in terms of time and manpower," says Roberts, who is the bank's chief information officer.

Roberts simply loads the information from a scan of his network into Hercules, which analyzes the data and then automatically downloads whatever patches are necessary.

"Automated" is the key word in the description Citadel gives Hercules, and it is also an important descriptor in a slew of new products that aim to make vulnerability assessment testing less of a pain.

John Pescatore, security analyst at Gartner, says that businesses have a number of choices when it comes to implementing solutions to beef up their vulnerability management.

Of course, there is the traditional scanning of the network. Then there is host-based vulnerability assessment. "I put actual software on PCs and servers that are on my network and then I can do more in-depth inspections – perhaps even determine which applications are vulnerable or what configuration vulnerabilities exist," he says.

The third approach is passive network monitoring. "I put something on my network, it watches what goes on as the traffic goes by my sensor and tries to infer vulnerability." Pescatore believes that passive network monitoring still has to prove itself. "It will be the slowest growing (of the choices) but it has the potential to be a high value-added part," says the analyst.

That may be the case, but one user of the technology is already convinced of its potential. IT integration specialist Noblestar has installed Sourcefire's Real-time Network Awareness (RNA) solution and its founder and chief technology officer, Paul Pocialik, is pleased with the decision.

He is not alone. Sourcefire claims that, since its launch in December, more than 100 customers have bought the product. "We have difficulty getting evaluation products away from customers," says Sourcefire's founder and chief technology officer, Martin Roesch.

RNA, according to Roesch, is a different way of doing vulnerability analysis altogether. "It ties it back to comply with configuration management policy and being able to leverage that information in real time to understand what posture the network has right now – as opposed to what it might be at any particular point in time when I do scanning."

When installed, RNA constantly and passively monitors network assets for potential vulnerabilities and then alerts administrators in real time to anomalous behavior. RNA also enables a useful contextual interface with intrusion detection and prevention systems.

That contextual awareness is one of the strengths of RNA, according to Noblestar's Pocialik. "What I really like about it is that it provides contextual awareness and change detection, so it automatically recognizes when a new device comes on to the network in real time. And it is all-pervasive. I don't have to do any special study; the RNA server is collecting all the information about what is on my network at any given time automatically, which is pretty powerful," he says.

According to Pocialik, conventional solutions prior to RNA operated in a vacuum. They did not really know what was on the network or what vulnerabilities truly affected those assets. "Those rules-based IDS solutions are very good at picking up known threats that break the rules, but to date they have not been very smart at escalating the issue, so you read a lot about false positives," he says.

In a nutshell, RNA builds a profile of the network and then cross-references a threat to those configurations so there is no escalation when there is no issue with that particular device. "It's a very attractive concept to be able to cross reference the vulnerabilities to your network assets in real time. It is a very powerful concept," says Pocialik.
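The two ideas in the passages above, passively inferring what is on the network from traffic that goes by a sensor and then checking an IDS alert against the target's profile before escalating it, can be shown in a few dozen lines. The following is an added example, not Sourcefire's code: the flow records, the TTL-based OS heuristic, the signature metadata and the alert feed are all constructed for illustration, and the escalate/suppress/review decision is one plausible policy rather than RNA's.

```python
"""Passive asset profiling and alert correlation, in the style the article
attributes to RNA. Added example; not Sourcefire's code. The flow records,
TTL heuristic and alerts are all constructed for illustration."""
from dataclasses import dataclass, field

# Constructed sensor observations (not real captures). A passive sensor sees
# both directions of a connection, so it can read the client's and server's
# IP TTL values and any banner the server returns, without sending a packet.
OBSERVED_FLOWS = [
    {"client": "10.0.0.5", "server": "10.0.0.20", "port": 80,
     "client_ttl": 126, "server_ttl": 63, "banner": "Apache/2.0.49 (Unix)"},
    {"client": "10.0.0.5", "server": "10.0.0.21", "port": 80,
     "client_ttl": 126, "server_ttl": 127, "banner": "Microsoft-IIS/5.0"},
    {"client": "10.0.0.20", "server": "10.0.0.21", "port": 445,
     "client_ttl": 63, "server_ttl": 127, "banner": None},
    {"client": "10.0.0.7", "server": "10.0.0.22", "port": 22,
     "client_ttl": 63, "server_ttl": 63, "banner": "OpenSSH_3.8"},
]

# Constructed IDS alerts. "requires" records the platform a signature is
# actually relevant to, which is what lets the profile filter it.
ALERTS = [
    {"sig": "WEB-IIS sample signature", "server": "10.0.0.20", "port": 80,
     "requires": {"os": "windows", "service": "Microsoft-IIS"}},
    {"sig": "WEB-IIS sample signature", "server": "10.0.0.21", "port": 80,
     "requires": {"os": "windows", "service": "Microsoft-IIS"}},
    {"sig": "SSH sample signature", "server": "10.0.0.99", "port": 22,
     "requires": {"service": "OpenSSH"}},
]


@dataclass
class AssetProfile:
    ip: str
    os_family: str = "unknown"
    services: dict = field(default_factory=dict)  # port -> banner or None


def os_from_ttl(ttl):
    """Coarse OS guess from an observed IP TTL (constructed heuristic: Unix-like
    stacks usually start at 64 and Windows at 128, and each router hop
    decrements the value, so the observed TTL sits a little below one of them)."""
    if ttl <= 64:
        return "unix-like"
    if ttl <= 128:
        return "windows"
    return "other"


def build_profiles(flows):
    """Fold observed flows into per-host profiles. Returns the profile table and
    a list of change events; a host appearing for the first time is an event."""
    profiles, events = {}, []

    def host(ip):
        if ip not in profiles:
            profiles[ip] = AssetProfile(ip)
            events.append(f"new host {ip}")
        return profiles[ip]

    for f in flows:
        client, server = host(f["client"]), host(f["server"])
        client.os_family = os_from_ttl(f["client_ttl"])
        server.os_family = os_from_ttl(f["server_ttl"])
        if f["banner"] and f["banner"].startswith("Microsoft-IIS"):
            server.os_family = "windows"  # an explicit banner beats the TTL guess
        if f["port"] not in server.services or f["banner"]:
            server.services[f["port"]] = f["banner"]
    return profiles, events


def triage_alert(alert, profiles):
    """'escalate' when the target matches what the signature applies to,
    'suppress' when the profile contradicts it, 'review' when the sensor has
    no profile (or no service observation) for the target."""
    target = profiles.get(alert["server"])
    if target is None:
        return "review"
    req = alert["requires"]
    if "os" in req and target.os_family != req["os"]:
        return "suppress"
    if "service" in req:
        banner = target.services.get(alert["port"])
        if banner is None:
            return "review"
        if not banner.startswith(req["service"]):
            return "suppress"
    return "escalate"


def triage_all(alerts, profiles):
    return [(alert["sig"], alert["server"], triage_alert(alert, profiles))
            for alert in alerts]


if __name__ == "__main__":
    profiles, events = build_profiles(OBSERVED_FLOWS)
    for event in events:
        print(event)
    for sig, ip, decision in triage_all(ALERTS, profiles):
        print(f"{decision:9} {ip:12} {sig}")
```

Run as is, the IIS signature firing against the Apache host at 10.0.0.20 is suppressed, the same signature against the IIS host at 10.0.0.21 is escalated, and the alert for 10.0.0.99, a host the sensor has never seen, is flagged for review rather than silently dropped. That last case is the one to get right in practice: an unknown host is exactly where a profile-based filter has no grounds to suppress.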

Sourcefire has been busy signing agreements with a slew of companies, particularly in the security information management and managed security services spaces. IBM, Symantec, TruSecure, ArcSight, GuardedNet, netForensics, NetSec and, most recently, LURHQ are among the vendors that have added support for RNA and Sourcefire's other products to their own portfolios, and vice versa.

Pocialik and Roesch say they know of no other similar passive monitoring products on the market – yet. However, competition is expected from Netscreen, now a subsidiary of Juniper Networks. "On paper the implementation seems different, but its positioning has been fairly identical," says Roesch.

Sourcefire's task, according to Gartner's Pescatore, is to convince customers that by constantly monitoring a network, "you can really get up close to the level of information we can get from a vulnerability scanner."

Sourcefire is far from being alone in claiming to be a better alternative to traditional vulnerability scanners.

Skybox, a relative newcomer to the market, says that its Exposure Risk Management (ERM) solution uses threat-simulation technology that cuts through the clutter of vulnerabilities to identify those one or two percent that pose a real threat to a business.

"We are the only company, as far as we know, that has created a commercial environment that can simulate attacks," says Gidi Cohen, the company's chief executive officer.

To begin with, ERM automatically models – on a continuous basis – a firm's network environment. Then it simulates all possible attack scenarios. Next, it takes the threat information and merges it with business-specific data to automatically calculate the impact of each attack scenario and what the risk is to the business.

"We can then find the vulnerabilities that are critical to the organization and then we automatically recommend ways to remediate them," says Cohen, who adds that Skybox is working with patch management companies to integrate ERM with their offerings.
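The three steps the article attributes to ERM, model the network, simulate the attack scenarios the model allows, then score each scenario against business data and recommend what to fix, amount to a reachability analysis over a network model. The following is an added example, not Skybox's code or data format: the hosts, zones, firewall policy, vulnerability list and asset values are all constructed, and the "what-if" scoring (re-run the simulation with one vulnerability removed and measure how much business value leaves the attacker's reach) is one reasonable way to prioritise remediation, not a description of ERM's internals.

```python
"""Threat simulation over a network model, in the spirit of the ERM description
above. Added example; not Skybox's code or data format. The hosts, firewall
policy, vulnerabilities and asset values are all constructed."""
from collections import deque

# Constructed model. Each host sits in a zone and carries a business value
# (the "business-specific data" the article mentions) used to score impact.
HOSTS = {
    "web": {"zone": "dmz", "value": 20},
    "app": {"zone": "internal", "value": 50},
    "db":  {"zone": "internal", "value": 100},
    "hr":  {"zone": "internal", "value": 40},
}

# Known vulnerabilities: id -> (host, port). Each is treated as exploitable
# over its port by anyone the firewall lets reach that port (constructed).
VULNS = {
    "V1": ("web", 80),
    "V2": ("app", 8080),
    "V3": ("db", 1433),
    "V4": ("hr", 445),
    "V5": ("db", 22),
}

# Firewall policy: (source zone, destination host, port) tuples that are
# permitted. "internet" is the attacker's starting position.
ALLOW = {
    ("internet", "web", 80),
    ("dmz", "app", 8080),
    ("dmz", "db", 1433),
    ("internal", "db", 1433),
    ("internal", "hr", 445),
}


def simulate(hosts, vulns, allow, source="internet"):
    """Breadth-first attack simulation. An attacker at a position (the internet
    or a zone) can compromise any host whose vulnerable port the policy lets
    that position reach; a compromised host gives a foothold in its zone.
    Returns host -> list of vulnerability ids on the first path found."""
    compromised = {}
    queue = deque([(source, [])])
    seen_positions = {source}
    while queue:
        position, path = queue.popleft()
        for vid, (host, port) in vulns.items():
            if host in compromised or (position, host, port) not in allow:
                continue
            compromised[host] = path + [vid]
            zone = hosts[host]["zone"]
            if zone not in seen_positions:
                seen_positions.add(zone)
                queue.append((zone, path + [vid]))
    return compromised


def exposed_value(hosts, vulns, allow):
    """Total business value an attacker can reach under the current model."""
    return sum(hosts[h]["value"] for h in simulate(hosts, vulns, allow))


def rank_remediations(hosts, vulns, allow):
    """What-if analysis: re-run the simulation with each vulnerability fixed and
    measure how much business value drops out of the attacker's reach. A
    vulnerability nobody can reach scores zero, however severe it looks."""
    baseline = exposed_value(hosts, vulns, allow)
    scored = []
    for vid in vulns:
        remaining = {k: v for k, v in vulns.items() if k != vid}
        scored.append((vid, baseline - exposed_value(hosts, remaining, allow)))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for host, path in simulate(HOSTS, VULNS, ALLOW).items():
        print(f"{host:4} compromised via {' -> '.join(path)}")
    for vid, reduction in rank_remediations(HOSTS, VULNS, ALLOW):
        print(f"fix {vid}: removes {reduction} of exposed business value")
```

Two things the ranking shows that a plain vulnerability list does not: V5, the SSH vulnerability on the database host, scores zero because no firewall rule lets any position the attacker can occupy reach port 22, so it is the "clutter" the article talks about; and V3 on the database outranks V2 on the application server even though the app is the obvious next hop, because the constructed policy also permits dmz-to-db traffic on 1433, so fixing V2 alone leaves the database reachable. That interaction between firewall policy and vulnerability data is exactly what a simulation surfaces and a scanner report cannot.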

The development work being done by companies such as Skybox, Sourcefire and others has Pescatore believing that threats to corporate networks could be just a memory in the not-too-distant future.

The bad guys will not go away. They will just have turned their attention to other targets – web services, WLANs and voice over IP, for instance.

"Today, a lot of people who want to be secure are finding it hard to be so," he says. "Two years from now the people who want to stay secure will be secure, but those that don't care will still be broken into."
