As readers of this column know, I’m always on the prowl for the new, unusual and, above all, useful. A start-up company in Michigan has come up with exactly that in their flagship product, the Threat Analysis Console (TAC). The TAC implements theories that I have supported for years. Essentially, the TAC recalls such fundamentals of information security as security policy domains and permitted communications between different levels of security. The theory is solid and time proven and the TAC implementation is equally solid.
The idea behind the TAC is that it examines all logs generated anywhere in the enterprise. While this is not uncommon in a SIM/SEM product, in this case, the product is not looking for event correlation. It is looking for inter-domain communications that are not supposed to be there. In today’s enterprises, common practice is to break the enterprise up into zones using VLANs. These zones generally are congruent with organizational groups, e.g., human resources, sales, R&D, etc. In most cases, there are restrictions on which zones, or policy domains (sometimes called enclaves) can communicate directly (file transfers or server access, for example) with each other.
The inter-domain communications policies are entered into the TAC along with each security policy domain and its included addresses. When the TAC reads logs fed to it, it analyzes source and destination for adherence to the configured policies. The result is that any communications that violate the policies are flagged. Clicking on the source address reveals a variety of attributes including a traceroute, whois, DNS reverse lookup, and a connection to the DShield abuse reports for the address. Right clicking on the address reveals the line in the log where the TAC extracted the information.
The product provides an easy to use, well-designed desktop laid-out somewhat differently than the usual crowded dashboards we are used to seeing. The layout is reminiscent of a website and browsing through it is intuitive. Address pairs are categorized as being authorized or unauthorized communications and source addresses from unknown origins are displayed separately. This allows flagging of communications that originate from public addresses not recognized as authorized.
In addition to these features, the TAC can update itself to receive news feeds and alerts as well as notify the administrator when new versions are available. The product uses custom normalizers: software interfaces to various types of log generators, such as Cisco NetFlow data, firewall logs from a variety of vendors and IDS logs. The TAC also generates a variety of reports, including an analysis of existing security domain policies and a histogram showing trending for time comparisons of various domain activity levels. Documentation is about the easiest to use that I have seen.
A nice feature of this product is its ability to be a "manager of managers." When a violation is discovered, the TAC allows the administrator to drill back to the source log that generated the raw data. Unlike the one line summary from a right click on the address, this takes the user to the device (IDS, firewall, etc.) that generated the log and allows a detailed analysis.
The TAC does not replace existing tools such as IDS/IPS, firewalls, SIM/SEM appliances or any other source of log data. Rather, it leverages those devices by adding a level of analysis to what they are doing already. This is called second order analysis and can be valuable in identifying a security problem within the network.
The TAC is a very interesting product and the only drawback we could find has to do with the state of the network on which you plan to use it. The TAC depends for its success on a well-defined set of security policy domains, properly and completely identified and attributed addresses and appropriate inter-domain communications policies.
If your network is a hodge-podge of addresses with little policy domain organization, it is going to take you quite a while to tune the TAC to your network. However, once that is done, the benefits are considerable. In fact, in our tests we found that the act of running the TAC repeatedly as we tuned the domains helped us understand the network under test and configure it better.
— Peter Stephenson
Star ratings are not available for this product.
