There is no shortage of data sources to help organizations identify potential security risks, but making sense of all the data can be a challenge. To that end, Hewlett-Packard announced new analytics services at the HP Protect 2015 conference to help organizations improve security.
The overall theme of HP’s Protect news is about adding more value to analytics and making it easier to consume, said Mike Armistead, vice president and general manager of HP Enterprise Security Products, ArcSight.
“Analytics is a broad term that can mean anything from a fast search of unstructured data to a deep forensic analysis,” Armistead told eWEEK. “So we had a decision to build a general-purpose platform or build analytics into specific products that add value.”
HP decided to build focused products for analytics, including the new DNS Malware Analytics (DMA) platform. DMA is a two-part product, Armistead explained. One part taps into an organization’s on-premises DNS event stream with an appliance, which looks to detect malware from that data. The second part is the cloud component, where the on-premises device sends the data for additional analysis and reporting. Domain Name System (DNS) is an essential Internet component that links domain names to IP addresses.
The release timing of HP’s DMA product is interesting, given that Cisco recently closed its acquisition of DNS security vendor OpenDNS. Armistead said that the timing is purely coincidental and that HP has been working on DMA for several years.
“Three years ago, our own cyber-defense center at HP was having a really tough time keeping up with all the malware they were seeing and were getting too many false positives,” Armistead said.
Armistead noted that the traffic volume that HP’s own DNS servers generate is on the order of 20 to 24 billion events per day. As such, the challenge for HP was to figure out precisely how to filter out the bad elements. HP Labs data scientists concluded that DNS was a great place to identify potential malware if they had the right product. So HP Labs worked for several years to develop technology that was then given to HP’s own cyber-defence labs for use and refinement.
“About nine months ago, it became clear that the HP product team could have a product suitable for general availability customers,” Armistead said.
DMA is not a whitelist/blacklist type of solution, but rather, it detects characteristics of malware, Armistead said. DMA can, in effect, catch zero-day malware as the system doesn’t need to know what a specific piece of malware is, but rather, is able to define malware based on analytics, he added.
In addition to DMA, HP is also introducing the Fortify Scan Analytics service, which provides insight into code for potential security risks. Armistead has a particularly strong connection to the Fortify product group, as he was a co-founder of Fortify, which HP acquired in 2010.
The core of Fortify’s technology has always been static code analysis, which enables users to scan application source code for defects.
“The big thing with static analysis is all the results you get,” Armistead said. “What Scan Analytics does is we are using machine-learning techniques to take scans and point to things that matter.”
The Fortify Scan Analytics service can help an organization prioritize defects based on what Fortify has seen in the past and also based on what it has learned from the scans of other organizations.
“What this service does for us, through the use of analytics, is further refine our ability to prioritize bugs,” Armistead said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.