New Security Sensor Gives Admins Better View of Network Attacks
A new security tool developed by Department of Energy engineers is designed to give security and IT administrators the ability to more quickly identify and respond to an issue on the network.
Hone is the brainchild of Glenn Fink, a senior research scientist with the Secure Cyber Systems Group at the DOEs Pacific Northwest National Laboratory (PNNL) in Richland, Wash. Hone is what Fink calls a cyber-sensor that essentially discovers and monitors the relationship between network activity on a computer and the applicationssuch as Microsofts Internet Explorerand processes running on it.
By greater visibility into those relationships, IT professionals will be able to more quickly understand and deal with cyber-attacks. In addition, IT administrators can use the tool for a host of network- and security-related tasks, according to Fink.
In developing Hone, he said he wanted to help people see whats on their networks.
I want people to understand whats really happening on these very complex machines, Fink said in an interview with eWEEK.
He initially created the framework of what would become Hone as a postdoctoral researcher at Virginia Tech. Fink said he saw what visualization technology was doing elsewhere, and asked why people didnt use it in security. Such deep visualization into the system and the network would be hugely beneficial to security administrators, he said.
This was the hammer to hit their nail, he said.
Fink took his ideas with him when he went to work for PNNL, where he was able to secure the internal funding and collaboration needed to get going on work on what eventually turned out to be Hone. Its really easy to get people to say, Yeah, thats cool, he said. Its another thing to get people to say, And heres the money.
The problem is what he sees as an inefficient way of dealing with security issues. Right now, security and system administrators spend much of their time searching for unusual patterns in communications between computer systems and the network, Fink said. The problem is that once such a pattern is found, theres nothing to say which program is doing the communicating, so the administrators closely watch the system hoping to see the program work again and allowing them to get a better read on the situation.
However, Fink said, they may never see the dangerous program again. However, Hone creates an ongoing record of the communication, not only showing the communications between systems on a network, but also which specific programsincluding Web browsers, system updates and malicious programsare involved in the communication.
If a systems administrator sees a problem with a system or on the networkunusual communications patterns or systems running slowlythey can immediately determine how the system and any programs are connected. That is the kind of information that will give administrators the ability to better monitor, understand and respond to attacks, and information they cant get from firewalls.
Hone gives users a glanceable type of view of whats happening on the network and whats happening on the machine, he said.
Hone also is a tool that has uses beyond understanding and responding to attacks, Fink said. It can be used to help programmers debug new networked applications being developed. In addition, security administrators can use data from Hone to ensure that only certain processes on their systems can communicate with the network, and to monitor what their systems are doing, which would help them identify such threats as viruses, spyware and rootkits.
Hone currently is in the beta stage, Fink said. Its available for Linux operating systems in kernels 2.6.32 and later, and he is hoping that tech professionals will clone the Linux version and give it a good run. Hone is available as an open-source code.
At PNNL, researchers are using Hone to analyze computer traffic as part of a project looking at how attackers use a scheme called pass the hash to break into systems.
Information collected by Hone is provided in the Packet Capture-Next Generation (PCAG-NG) format, which can be viewed in the Wireshark network analysis program. However, PNNL engineers also are developing a way to visualize the information collected by Hone, with hopes of licensing it in the future. Fink said it was too early to talk about spinning off a product from the Hone project, though he could envision licensing the visualization technology. Its too early to say, he said.
While Hone currently works with Linux, versions for Windows XP and Windows 7 are both being developed, and a version for Apples Mac OS X also is being planned, Fink said.