Defending the Core

Solutions seek to catch intrusions inside the perimeter.

After a decade of focusing nearly exclusively on defending the perimeter, security vendors have begun to divert more of their attention to the last frontier of digital security: the soft, chewy center of corporate networks.

The problem for these vendors isn't so much about keeping attackers out; they leave that to the firewall and IDS (intrusion detection system) crowd. Instead, a growing number of software and hardware vendors, including Sanctum Inc., Kavado Inc., Application Security Inc. and Intrusic Inc., are concerned with limiting the damage caused by intruders who slip past those other defenses.

The ways that these companies approach the problem vary widely, and two good examples of this diversity are the solutions unveiled last week at the RSA Conference by Intrusic and Application Security.

Intrusic took the wraps off its Zephon system, which is designed to pick up where today's existing security technologies leave off. The solution does not attempt to detect or block scans, attacks or intrusions. Instead, it combs networks for evidence of successful compromises and then provides detailed statistics and recommendations on how to remediate the problems. The idea is to eradicate the actual problem, not just its symptoms.

"Because we're doing compromise detection, we can stop things completely rather than doing one-off fixes," said Bruce Linton, CEO of Intrusic. "If somebody's already inside the network, what's their driver to do more attacks? There isn't one, so you probably wouldn't see them with normal security products once they're in."

Intrusic, based in Waltham, Mass., is the brainchild of Justin and Jonathan Bingham. But the man drawing attention to the company is Mudge, also known as Peiter Zatko, one of the original members of L0pht and @Stake Inc. Mudge left @Stake two years ago and has since been semiretired. He's now Intrusic's chief scientist.

The company's solution sits on a network tap in passive mode and records every packet that moves between users and the various hosts on the network. At the beginning of its operation, the system takes a snapshot of the network to establish its current security state. Zephon copies all the packets and analyzes the traffic in three distinct phases. It first examines the packet, searching for signs of an internal compromise. The system then looks at the traffic on the session level and, finally, on the host level, with each inspection performed independently of the others. Any data showing evidence of a compromise is moved to the Master Confidence Table, a database where a second analysis is done.

All positively identified compromises then end up in the GUI, where administrators can see statistics showing the total number of compromised hosts, total compromises and other vital data.

Zephon has three levels of reports, from executive overviews to detailed, host-level descriptions for administrators. But it's meant to be simple enough for users with no security background.

Application Security, based in New York, introduced a new version of its AppDetective software, which performs continuous risk assessment of a network. The solution includes collectors on hosts throughout a network that vacuum up data from perimeter devices such as firewalls, routers and IDSes. The collectors send that information to the main AppDetective server, which develops a model of the network and performs attack simulations against internal hosts to find exploitable weak spots.

The results of the attacks then go to the user interface.

In addition, the company just released a solution, called AppRadar, which acts as a kind of internal IDS to protect databases. The system is capable of detecting the most common attacks against databases, including buffer overruns, password attacks and privilege escalation attempts.

Meanwhile, Application Security and Kavado, along with Sanctum, SPI Dynamics Inc. and WhiteHat Security Inc., have formed a consortium to help define and promote application security standards.

The group's initial goal is to create a classification system for application security vulnerabilities, attacks and other threats. Many of the attacks that are used against Web applications are quite complex, and much of the terminology is outside the realm of most security specialists' expertise. The group hopes to simplify the explanation of things such as cross-site scripting.