Trying to dig up deeply hidden packets in huge amounts of data has always been among the most important tools in my analysis arsenal. But then along came massive numbers of regulatory requirements, SIMs/SEMs became SIEMs, and the focus moved to suites of reports to satisfy compliance audits.
My favorite threat analysis tool couldn't do all of that reporting, but, still, for me as an analyst it was my strong right arm. Big organizations did not always agree with me when I said that it has the fastest backend database in the industry, bar none. But I am stubborn, and I made Nitro Security one of my innovators in the threat analysis category in last year's innovation issue. Now I am vindicated. The latest release of NitroView is all anyone ever asked for back in those days. It's all I needed then, and now it's a whole lot more.
First, it is not enough to know what attacks there are or have been against the network or its assets. That is important, of course, but just because someone is attacking does not mean that there is a real risk. For example, if there are no vulnerabilities to attack, the attackers can pound until the cows come home to no effect. Or perhaps the important targets are well protected, so they are not reachable. Even though that does not reduce risk to the extent that having no vulnerabilities does, it does raise the bar considerably.
So the challenge is many-faceted. What vulnerabilities do we have? Are they reachable from potential attack points? If we do have a successful attack, can we trace it? Any SIM that I would use would need to address these important questions (among many others, not quite so critical). In other words, they would need to address risk head-on. That is a huge challenge, because while everyone wants to address risk, there is little agreement on how to measure it, and the concept of measuring risk and risk trends in real time, both as an analysis measurement and as a defensive mechanism, is as foreign as aliens -- the little green ones from outer space.
One reason for this is that it is hard to do. You need to address vulnerability, threat and impact, and almost no tool does that well. NitroView does. It starts with a greatly enhanced policy editor that lets you build on the very large number of supplied policies and create just about any policy you need for your special requirements.
It supports over 300 data sources, so pulling data from anywhere (and everywhere -- more data is always best) is a cakewalk. Now, with its new correlation capabilities, there is almost no place in the enterprise from which you cannot monitor and correlate data and events.
It can detect and trace malware, and drill-down is implemented better in this product than in any I have seen. When testing this new release, we were able to drill down from 21 million events to 1,200 that could be of interest. A big number still, to be sure, but light years better than 21 million. Coupled with malware detection, this offers the ability to trace that needle in a pile of needles that trojans and other malware sometimes give us. To help in the analysis process, you can assign weightings to various types of events, allowing you to focus on the important issues.
The ability to correlate data from vulnerability analysis tools brings us to the risk domain. We now can ascertain susceptibility and reachability. With this we can tie individual hosts to their susceptibility and reachability, and that gives us the ability to define risk groups. But data capture and analysis do not stop there. For example, you can look at databases (most of the popular SQL databases are covered, and all soon will be), so you are not restricted to the infrastructure. Applications are part of the capability (some of these functions are optional).
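To make the risk reasoning above concrete (attack events scored by whether the target is actually vulnerable, whether it is reachable from the attack source, the analyst's event weightings and the asset's impact), here is an added example of my own, not NitroView's code or data. The event records, scanner findings, reachability pairs, weights and the multiplicative score with its 0.25 segmentation factor are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data, not NitroView output: attack events seen by sensors.
EVENTS = [
    {"id": 1, "src": "203.0.113.9", "dst": "10.0.0.5", "weakness": "VULN-A", "kind": "exploit"},
    {"id": 2, "src": "203.0.113.9", "dst": "10.0.0.6", "weakness": "VULN-A", "kind": "exploit"},
    {"id": 3, "src": "203.0.113.7", "dst": "10.0.0.7", "weakness": "VULN-B", "kind": "exploit"},
    {"id": 4, "src": "198.51.100.2", "dst": "10.0.0.5", "weakness": None, "kind": "scan"},
    {"id": 5, "src": "10.0.0.9", "dst": "10.0.0.7", "weakness": "VULN-B", "kind": "malware_c2"},
]
# Constructed vulnerability-scanner findings: which weaknesses each host really has.
VULNS = {"10.0.0.5": {"VULN-A"}, "10.0.0.7": {"VULN-B"}}
# Constructed reachability: (source zone, target host) pairs that segmentation permits.
REACHABLE = {("internet", "10.0.0.5"), ("internal", "10.0.0.7")}
# Analyst-assigned weights per event kind and business impact per asset (hypothetical).
WEIGHTS = {"scan": 1, "exploit": 5, "malware_c2": 10}
IMPACT = {"10.0.0.5": 3, "10.0.0.7": 5}


def zone_of(ip):
    return "internal" if ip.startswith("10.") else "internet"


def risk_score(event):
    """Threat x susceptibility x reachability x impact for one event."""
    host = event["dst"]
    threat = WEIGHTS.get(event["kind"], 1)
    weakness = event["weakness"]
    # Susceptibility: an exploit against a weakness the host lacks cannot succeed.
    # Recon events target no specific weakness, so they stay at 1 (low weight anyway).
    susceptible = 1.0 if weakness is None or weakness in VULNS.get(host, set()) else 0.0
    # Reachability: segmentation lowers risk considerably but does not remove it.
    reach = 1.0 if (zone_of(event["src"]), host) in REACHABLE else 0.25
    return threat * susceptible * reach * IMPACT.get(host, 1)


def triage(events, threshold):
    """Drill down: keep only events scoring at or above the threshold, highest first."""
    scored = [(risk_score(e), e["id"]) for e in events]
    return [(s, i) for s, i in sorted(scored, reverse=True) if s >= threshold]


def risk_groups(events):
    """Total risk per target host, the basis for grouping assets by exposure."""
    totals = defaultdict(float)
    for e in events:
        totals[e["dst"]] += risk_score(e)
    return dict(totals)


if __name__ == "__main__":
    print(triage(EVENTS, 5))  # [(50.0, 5), (15.0, 1), (6.25, 3)]
```

Event 2 drops out entirely because the target lacks the weakness being exploited, and event 3 is discounted because the target is not reachable from the internet zone; that is the filtering that turns a flood of alerts into a short list worth an analyst's time.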
In short, this new product from Nitro Security is both content and context aware, the first such tool in this genre that I've seen. Plus, it auto-learns data sources, a real simplification over earlier versions and a real time-saver.
Oh, and those compliance reports? They're there. Plus a whole lot more, including case management for such things as patch management. NitroView 8.3 is one of those tools that makes my job easier, more interesting and more rewarding. You really should look this one over.