NetForensics Effectively Handles Hacks

Tool ably separates threats from false alarms, but setup is arduous.

Version 3.0 of NetForensics Corp.'s namesake flagship product takes interoperability and capability to new heights, presenting a formidable challenge to the other security event management products in this emerging field.

NetForensics 3.0, which shipped last month, should be considered by IT managers as an effective tool for distilling relevant security events from the torrents of data commonly generated by security devices.

In eWeek Labs tests, NetForensics 3.0 captured security alerts from a variety of firewalls, IDSes (intrusion detection systems), system log files and other tools and consolidated them so we could quickly investigate fast-developing attacks on IT resources.

Tuning the system will take some time, however. Although we were able to get the product up and running in about a day, we think most IT managers will be tweaking the tool for at least several weeks after it is put in place.

NetForensics' more direct competitors, including GuardedNet Inc.'s NeuSecure and e-Security Inc.'s e-Security Management System, appear to be girding for the battle to establish a clear leader in the field. IT managers should use the vendors' jockeying to wheedle additional security device support and better event correlation services. For example, if an organization has a relatively obscure IDS or firewall, IT managers should not be shy about demanding support for the device before signing the event management product purchase order, regardless of which vendor they choose.

The company built on Version 2.3 by making Version 3.0 of the product scalable for midsize and large enterprises. We could install multiple engines, which are applications installed on Red Hat Inc.'s Red Hat Linux 8.0 systems, and direct their output to two Oracle Corp. databases. This meant management consoles for the real-time monitoring and data stores, which are the basis of the extensive security reports supplied with the product, can function locally or enterprisewide. This is important because IT staff at a network operations center can get a big-picture view of security events while local administrators can drill down and take action to thwart threats to the network.

The product comes with everything needed to support a full implementation, at a competitive price of $60,000.

NetForensics 3.0 is unique among these products in that it comes with an Oracle database and specific tools for database management. This means that NetForensics 3.0 likely won't add a great deal of burden to a database manager's chore list. In fact, we used only NetForensics' database tools to maintain our installation, likely a significant cost savings.

NetForensics 3.0 works by taking in messages from a wide variety of security devices, normalizing the data, correlating events, and providing analysis and a real-time console to locate specific problems. The product also comes with a large number of report types that we found useful and easy to set up to run as frequently as needed, using new data as it came in.

This is a proven model from the network management world, although one that doesn't always work perfectly. During tests, we spent quite a bit of time adjusting the sensitivity of NetForensics' alarms so real problems rose to the top of our reports and false positives were kept to a minimum. We suggest that IT managers hire the consulting service that comes with the product.

NetForensics 3.0 can be set up to take a wide variety of actions when it sees security problems developing. For example, we were able to set up a rule that paged us whenever a particular IDS saw a denial-of-service attack.
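The normalize, correlate and act pipeline described above, sketched as an added example; this is not NetForensics code and does not reflect its rule language. The two log formats, the device names (`fw1`, `ids-dmz`, `ids-lab`), the five-minute window and the `min_devices` threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in two made-up device formats (not real product output).
RAW = [
    "fw1|2003-03-10 10:00:01|DENY|203.0.113.7|10.0.0.5|80",
    "fw1|2003-03-10 10:00:02|DENY|203.0.113.7|10.0.0.5|80",
    "ids-dmz 2003-03-10T10:00:03 sig=SYN_FLOOD src=203.0.113.7 dst=10.0.0.5",
    "ids-lab 2003-03-10T10:00:04 sig=SYN_FLOOD src=198.51.100.9 dst=10.0.0.8",
    "fw1|2003-03-10 10:20:00|DENY|192.0.2.44|10.0.0.5|22",
]
IDS_RE = re.compile(r"(\S+) (\S+) sig=(\S+) src=(\S+) dst=(\S+)")

def normalize(line):
    """Map a device-specific line onto one common event schema."""
    if "|" in line:  # hypothetical pipe-delimited firewall format
        dev, ts, action, src, dst, _port = line.split("|")
        return {"device": dev, "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                "kind": "fw_" + action.lower(), "src": src, "dst": dst}
    dev, ts, sig, src, dst = IDS_RE.fullmatch(line).groups()  # hypothetical IDS format
    kind = "dos" if sig == "SYN_FLOOD" else "ids_other"
    return {"device": dev, "time": datetime.fromisoformat(ts),
            "kind": kind, "src": src, "dst": dst}

def correlate(events, window=timedelta(minutes=5), min_devices=2):
    """Raise an incident when at least min_devices distinct devices report the
    same source within `window` of that source's latest event.
    min_devices is the sensitivity knob: lower it and false positives rise."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        recent = [e for e in evs if evs[-1]["time"] - e["time"] <= window]
        devices = {e["device"] for e in recent}
        if len(devices) >= min_devices:
            incidents.append({"src": src, "devices": sorted(devices), "count": len(recent)})
    return incidents

def page_on_dos(events, watched_ids="ids-dmz"):
    """Action rule: build a page message when one particular IDS reports a DoS."""
    return [f"PAGE: DoS from {e['src']} seen by {e['device']}"
            for e in events if e["device"] == watched_ids and e["kind"] == "dos"]

events = [normalize(line) for line in RAW]
```

With the default threshold only the source seen by both the firewall and an IDS becomes an incident; dropping `min_devices` to 1 turns every source into one, which is the kind of noise the tuning period is spent removing.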

NetForensics' claim to fame is that IT managers will be able to keep their head count static while improving vigilance by automating the process of looking for patterns in security data from many devices.

Tests showed that experienced security personnel should be able to use the product to great advantage. However, NetForensics 3.0 is no substitute for keeping a careful watch on the network.

We think the highest maintenance costs will be seen early in the adoption process. IT staff will need to closely monitor reports and log files, then code NetForensics to monitor for problem patterns. It was clear from our work that the product's great flexibility means that it will likely adapt to most enterprise environments, but only with a significant amount of careful planning and implementation.