Security threats Toolkit

Pre-emptive security prompts alarms

Ruby Bayan Tech Republic

Published: 14 Jun 2004 11:20 BST

Firewalls and antivirus applications used to suffice. When intrusions gained momentum, security staff worked late coding patches and hot fixes. But now that "zero-day exploit" is the name of the game, security experts struggle to devise ways to defuse malware and other nefarious intent before catastrophe strikes.

An early warning solution would be an asset, especially to a global enterprise with thousands of network devices serving millions of customers. Fortunately, such "security alarms" are now available. Our experts recommended the leading brands, along with strategies on how they can be deployed most effectively.

Consider flow-based detection with zone-based policies
"Initially an intrusion-detection appliance, StealthWatch is designed to identify zero-day, unknown, and undocumented attacks by alerting network teams about 'not normal' network traffic," according to Chris Hovis, VP of marketing and business development at Lancope.

StealthWatch is a standard, rack-mount PC running a hardened Linux operating system that passively watches traffic on the network and rates the suspiciousness of new traffic by comparing it to recognised traffic. It can tell what is normal by gathering baseline statistics, then uses complex algorithms and network heuristics to rate suspicious events according to a concern index that shows how unusual or serious the event might be.

Hovis gave an example: "Say you have a Web server that you do not use for FTP, and one day that server starts to service FTP requests. StealthWatch will send an alarm to the administrator with a notice of an important change. In this example, the administrator may find that a hacker has compromised the server and is using it to distribute pirated software or music."

StealthWatch categorises network traffic into "flows" to profile activity and detect nefarious behavior. It quickly identifies known or unknown attacks, internal misuse, or misconfigured network devices, regardless of packet encryption or fragmentation.

Along with flow-based network anomaly detection, StealthWatch offers zone-based security policies. Network administrators can configure groups of hosts, adapting them to the logical or hierarchical security structures and methodologies of the organisation.