Hoping to cash in on the current environment of fear surrounding regulatory compliance and the problem of insider compromises, security information management vendor ArcSight Inc. this week is unveiling a new product that employs data-mining techniques to identify threats and attacks that typically slip through the nets of firewalls and intrusion detection systems.
“The point is to get the zero-day and low and slow attacks,” said Hugh Njemanze, chief technology officer at ArcSight, based in Sunnyvale, Calif. “These are the kinds of techniques used in genetic research and web-traffic analysis.”
TruThreat Discovery, which will be sold as an add-on to ArcSight 3.0, trolls through the alerts and alarms set off by a customers various security devices, looking for hidden patterns in the data. The system attempts to find connections between the source of an attack and its ultimate target by looking at the kind of vulnerability the attack exploits and what the attacker does after using the exploit.
The aim here is to ferret out attacks that utilize techniques that may not be seen as threatening by other security devices.
The results of the data-mining explorations are presented in a graphical format that shows the interconnections among source IP addresses, vulnerabilities exploited and target machines. The system includes a workbench that enables the security specialist to analyze the results and decide what actions to take. The user can design custom rules for specific threats that will fire every time those threats occur in the future.
The rules themselves can define exactly what action the analyst should take to mitigate the threats, such as taking a compromised machine offline or shutting down a particular service thats being used as an attack vector.
TruThreat Discovery will be available in July and will be priced separately from ArcSight 3.0.