Product Reviews: Behavioural analysis – Huntsman 5.1

Supplier: Tier-3; Price: From £50,000 excluding VAT; Contact:

As security threats to networks become ever more sophisticated, there is a drive towards a more proactive stance and a demand for solutions that can identify unknown as well as known threats. Aimed firmly at the enterprise, Huntsman from Australian company Tier-3 is designed to provide these features and more, including risk management and compliance tools.

Tier-3's patented BAD (behavioural anomaly detection) engine keeps a close eye on the network in real-time and looks out for unusual behaviour. It can identify a multitude of threats, ranging from distributed denial-of-service attacks to worms, while also watching out for insider activity. The latter is a critical requirement for regulatory compliance as most security threats are now known to issue from inside the network perimeter.

The Huntsman decision engine runs on a central system and provides functions such as data collection, reporting and threat analysis. It applies four stages of analysis to each event, which include a correlation engine for user-defined patterns, a risk assessment and the application of the BAD engine. It requires an existing Oracle or SQL Server database to store data and we had no problem getting Huntsman to work with SQL Server 2005.

The decision engine uses a guardian to carry out requests and actions defined in security policies. Next up is the universal data source monitor (UDSM), which provides data collection facilities. Its graphical interface allows it to be customised extensively; it can function as a syslog server listener and supports a wide range of data sources, including TCP ports and databases.

The network agent monitors system activity and network traffic and, on Windows systems, runs as a service with administrative privileges. Agents can be used as network probes to collect traffic information, but you must install them locally on all systems if you want to gather detailed information about them. Huntsman can then record all user activities, for example file creation and deletion, applications run, websites visited and files downloaded. A key point to remember is that Huntsman offers a real-time forensics monitoring service. In comparison, products such as Guidance Software's EnCase (see SC June) are forensics investigators that analyse systems at a much lower level and can reconstruct deleted data on a user's hard disk.

Huntsman needs to baseline your network before it can get a feel for how things interact and what is acceptable activity. Systems with agents installed are also baselined and the information is used to determine client behaviour. These are all predefined activities, but you can add custom policies that Huntsman will enforce. All communications between agents and the decision engine are encrypted by default to 128-bit AES standards, although you can request other schemes.

All the action centres around the Huntsman LiveView console, which opens with the query navigator. The possibilities are endless, as you can run queries on any information the software can collect. Just select a query, hit the play button and the output display will be updated with new information as it comes in. You can also create custom queries where you pick and choose from events and alerts, select a category, apply filters and decide which columns you want displayed.

The depth of information on offer is equally impressive. Any events that require further investigation can be selected from the display and passed directly to the incident viewer, where you create a new incident and assign it to a Huntsman user. A case history is maintained where events and alerts associated with the incident are viewed, user comments added and, on closure, a reason can be provided for the status change.

The Huntsman configuration window serves to manage users, alerts and agents and enable the Guardian component. Guardian commands tie actions to any Huntsman event you select. Actions are script-based and can be applied to specific agents. We had no problems linking scripts with specific Guardians and liked the fact that you can run the script immediately to check that it works before going live.

The dashboard monitor provides an at-a-glance status of monitored items. There's much more, as a secure audit is kept of all activities that can be subjected to filters. At this price, you should expect top-notch reporting, and Huntsman doesn't disappoint. All available query information can be turned into one-off or scheduled reports and exported to a wide range of formats.

Huntsman isn't something you deploy in a day, and it will take a while to understand all of its intricacies. However, once tailored to its environment, it is clearly capable of providing a complete network security umbrella and can respond swiftly to known and unknown threats.

Features: *****
Performance: ****
Ease of use: ***
Documentation: ***
Support: ****
Value for money: ***
Overall Rating: ****

For: Real-time monitoring of network and user activity, proactive responses to threats, licence based on CPU sockets, can be customised

Against: A high starting price and a steep learning curve

Verdict: A versatile enterprise-level network security solution that provides sophisticated real-time monitoring and that all-important first line of defence against zero-day attacks.
