New IDS Tools Automate Response

New security event management products are on tap that could eliminate the need for host-based intrusion detection systems by not only detecting intrusions but by also responding to them.

New security event management products are on tap from a variety of developers this week that some say could eliminate the need for host-based IDS by not only detecting intrusions but by also responding to them.

The releases from e-Security Inc., GuardedNet Inc. and Securify Inc. are among the first to go beyond the current log-aggregation role of existing security event management software and give administrators the ability to prioritize and respond to attacks in real time.

E-Security and Securify will make their announcements at this week's Computer Security Institute show in Chicago. Such capabilities give the products a clear advantage over traditional host-based intrusion detection system software, experts say.

"Now people can start doing the work they should have always been doing in prioritizing their assets," said Pete Lindstrom, an analyst at Spire Security LLC, an analyst company based in Malvern, Pa. "That level of intelligence is crucial. Security event management can eventually replace the need for host IDS. It's more important to threat management than IDS."

E-Security plans to unveil its Advisor product, which includes Symantec Corp.'s SecurityFocus Vulnerability Database and is the third product in a suite that also includes e-Sentinel and e-Wizard. Advisor collects incident data from the e-Wizard sensors and then compares it against the SecurityFocus Vulnerability Database to look for matches against known vulnerabilities. The software then produces a detailed report showing the specifics of the attack, its severity rating, which vulnerabilities it exploited and which machines on the network are affected.

The report includes remediation advice and a link to the vendor's patch for each vulnerability. "Just telling someone that they've been attacked isn't enough anymore. Presenting the data and doing something with it is the way things are going," said Joe Payne, president and CEO of e-Security, based in Rockledge, Fla.
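The matching step described above is simple to sketch. The following is an added example, not e-Security's code: it correlates sensor alerts against a vulnerability database and a per-host inventory of unpatched advisories, so an exploit attempt against a host that is actually exposed is ranked above the same attempt against a patched host. The advisory identifiers, hosts, alert format and patch links are all constructed for the example.

```python
"""Correlate sensor alerts with a vulnerability database to prioritize them.

Added illustration only. Advisory ids (BID-000x), hosts and patch URLs are
hypothetical placeholders, not real SecurityFocus entries.
"""
from dataclasses import dataclass, field

# Constructed vulnerability database: advisory id -> severity (0-10), patch link.
VULN_DB = {
    "BID-0001": {"severity": 9, "summary": "remote code execution in httpd",
                 "patch": "https://vendor.example/patch/0001"},
    "BID-0002": {"severity": 4, "summary": "information disclosure in ftpd",
                 "patch": "https://vendor.example/patch/0002"},
}

# Constructed asset inventory: host -> advisories it is still unpatched for.
INVENTORY = {
    "10.0.0.5": {"BID-0001"},
    "10.0.0.6": set(),            # fully patched
    "10.0.0.7": {"BID-0002"},
}

# Constructed sensor alerts; "refs" lists the advisories the signature targets.
ALERTS = [
    {"src": "192.0.2.10", "dst": "10.0.0.5", "sig": "httpd overflow attempt", "refs": ["BID-0001"]},
    {"src": "192.0.2.10", "dst": "10.0.0.6", "sig": "httpd overflow attempt", "refs": ["BID-0001"]},
    {"src": "192.0.2.11", "dst": "10.0.0.7", "sig": "ftpd probe", "refs": ["BID-0002"]},
    {"src": "192.0.2.12", "dst": "10.0.0.7", "sig": "port scan", "refs": []},
]


@dataclass
class Finding:
    host: str
    signature: str
    matched: list = field(default_factory=list)   # advisories the host is exposed to
    severity: int = 0                             # 0 when the host is not exposed
    patches: list = field(default_factory=list)   # remediation links for matched advisories
    priority: str = "low"


def correlate(alerts, inventory, vuln_db):
    """Return one Finding per alert, rated by the target's actual exposure."""
    findings = []
    for a in alerts:
        exposed = inventory.get(a["dst"], set())
        matched = [r for r in a["refs"] if r in exposed and r in vuln_db]
        severity = max((vuln_db[r]["severity"] for r in matched), default=0)
        if not matched:
            priority = "low"           # no known vulnerability, or target not exposed
        elif severity >= 7:
            priority = "critical"
        else:
            priority = "medium"
        findings.append(Finding(a["dst"], a["sig"], matched, severity,
                                [vuln_db[r]["patch"] for r in matched], priority))
    return findings


def prioritized(findings):
    """Highest severity first, so the analyst works the top of the list."""
    return sorted(findings, key=lambda f: f.severity, reverse=True)


def affected_hosts(findings):
    """Advisory -> hosts hit by an attack they are actually vulnerable to."""
    out = {}
    for f in findings:
        for r in f.matched:
            out.setdefault(r, []).append(f.host)
    return out


if __name__ == "__main__":
    for f in prioritized(correlate(ALERTS, INVENTORY, VULN_DB)):
        print(f.priority.upper(), f.host, f.signature, f.matched, f.patches)
    print(affected_hosts(correlate(ALERTS, INVENTORY, VULN_DB)))
```

The useful property is the second alert: the same signature fired against a patched host and drops to "low" instead of competing with the real hit for attention. The inventory is the part that needs to be kept current for this to stay true.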

Securify, of Mountain View, Calif., takes a slightly different approach to the problem with its new SecurVantage 3.0 release. Instead of collecting alerts from agents spread across the network, the software uses a new feature called Automatic Policy Generation to take a snapshot of the network's traffic over a given period of time. It then develops policies, which administrators can change at any time, about what the acceptable behavior for each device is and treats any other traffic moving in or out of that device as malicious.

The system comprises three discrete pieces: Studio, Monitor and Enterprise. Incident data is collected by SecurVantage Monitor and passed to the Enterprise component for aggregation and analysis. The Studio piece enables administrators to develop custom policies. This concept of security based on a "white list" of what's acceptable instead of a database of attack signatures makes the system more flexible and effective, users say.
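The policy-generation idea above, learning a per-device whitelist from a traffic baseline and then flagging anything outside it, can be shown in a few dozen lines. This is an added example, not Securify's code: the flow records are constructed, the policy key (direction, protocol, destination port) is a simplifying assumption, and the `min_count` threshold is the one knob added to address the obvious failure mode, that whatever was already on the wire during the baseline window gets whitelisted.

```python
"""Generate a per-device traffic whitelist from a baseline, then enforce it.

Added illustration only. Flow records are constructed 5-tuples reduced to
(src, dst, proto, dst_port); the policy key is an assumption for the example.
"""
from collections import Counter

MONITORED = {"10.0.0.5", "10.0.0.7"}

# Constructed baseline snapshot: (src, dst, proto, dst_port).
BASELINE = [
    ("192.0.2.10", "10.0.0.5", "tcp", 80),
    ("192.0.2.11", "10.0.0.5", "tcp", 80),
    ("192.0.2.12", "10.0.0.5", "tcp", 443),   # seen once during the baseline
    ("10.0.0.5", "10.0.0.9", "udp", 53),
    ("10.0.0.5", "10.0.0.9", "udp", 53),
    ("10.0.0.7", "192.0.2.20", "tcp", 22),
]

# Constructed traffic observed after the policy is in force.
NEW_FLOWS = [
    ("10.0.0.5", "198.51.100.9", "tcp", 6667),   # web server opening outbound IRC
    ("192.0.2.30", "10.0.0.5", "tcp", 80),       # ordinary inbound web
    ("198.51.100.9", "10.0.0.7", "tcp", 22),     # inbound ssh never seen in baseline
]


def flow_key(flow, device):
    """Reduce a flow to the device's view of it: (direction, proto, port), or None."""
    src, dst, proto, port = flow
    if dst == device:
        return ("in", proto, port)
    if src == device:
        return ("out", proto, port)
    return None


def generate_policy(flows, devices, min_count=1):
    """Whitelist every (direction, proto, port) seen at least min_count times."""
    counts = {d: Counter() for d in devices}
    for f in flows:
        for d in devices:
            k = flow_key(f, d)
            if k is not None:
                counts[d][k] += 1
    return {d: {k for k, n in c.items() if n >= min_count} for d, c in counts.items()}


def check_flows(flows, policy):
    """Return (device, flow) for every flow outside that device's whitelist."""
    violations = []
    for f in flows:
        for d, allowed in policy.items():
            k = flow_key(f, d)
            if k is not None and k not in allowed:
                violations.append((d, f))
    return violations


if __name__ == "__main__":
    policy = generate_policy(BASELINE, MONITORED)
    for v in check_flows(NEW_FLOWS, policy):
        print("VIOLATION", v)
    # An administrator edit, as the article says the policies allow:
    policy["10.0.0.7"].add(("in", "tcp", 22))
    print("after edit:", check_flows(NEW_FLOWS, policy))
```

Raising `min_count` above 1 drops the one-off HTTPS connection from the web server's policy; whether that is right depends on whether the baseline window was long enough to be representative, which is the judgement the administrator has to make before trusting an auto-generated whitelist.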

"With a firewall, you block packets. With an IDS, it's looking for specific signatures, and they're geared to the latest attack," said Adam Hansen, lead information security engineer at Sonnenschein, Nath & Rosenthal, a Chicago law firm and a Securify customer. "This fills a different void."

For its part, GuardedNet will release NeuSecure 1.6, which includes an updated business rules engine that enables users to write their own stateful rules. There is also a new analytics package with a tool for creating custom reports. NeuSecure, unlike many security event management tools, does not place an agent on each device. Instead, it uses its Event Aggregation Module to distill all the incoming events into usable data, which is then passed to the Central Management System for correlation, analysis and prioritization. The agentless architecture is designed to make deployments faster and improve scalability, officials said.
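A "stateful rule" in the sense used above is one that remembers earlier events rather than judging each one in isolation. The following is an added example, not GuardedNet's code: it normalizes constructed sshd log lines into events and runs one stateful rule over them, alerting when a source racks up a threshold of failed logins against a host within a window and then succeeds. The log lines, the regular expression and the thresholds are all assumptions for the example.

```python
"""One stateful correlation rule over a stream of normalized events.

Added illustration only. Log lines are constructed in a common sshd style;
the threshold and window are arbitrary example values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Example sshd authentication lines; real deployments see more variants.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed log excerpt.
LOG = """\
2002-11-11T10:00:01 web1 sshd[101]: Failed password for root from 192.0.2.10 port 40001 ssh2
2002-11-11T10:00:05 web1 sshd[102]: Failed password for root from 192.0.2.10 port 40002 ssh2
2002-11-11T10:00:09 web1 sshd[103]: Failed password for admin from 192.0.2.10 port 40003 ssh2
2002-11-11T10:00:20 web1 sshd[104]: Accepted password for admin from 192.0.2.10 port 40004 ssh2
2002-11-11T10:05:00 db1 sshd[201]: Failed password for bob from 198.51.100.7 port 5000 ssh2
2002-11-11T10:09:00 db1 sshd[202]: Accepted password for bob from 198.51.100.7 port 5001 ssh2
"""


def normalize(text):
    """Aggregation step: turn raw lines into uniform event dicts, dropping noise."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


class BruteForceRule:
    """Alert when >= threshold failures from (src, host) inside window precede a success."""

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # (src, host) -> recent failure timestamps

    def feed(self, ev):
        key = (ev["src"], ev["host"])
        q = self.failures[key]
        while q and ev["ts"] - q[0] > self.window:   # expire failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            return None
        if len(q) >= self.threshold:                  # success after a burst of failures
            n = len(q)
            q.clear()
            return {"rule": "brute_force_success", "src": ev["src"], "host": ev["host"],
                    "user": ev["user"], "failures": n, "priority": "critical"}
        return None


def run(text, rule=None):
    """Feed normalized events through the rule; return the alerts it raises."""
    rule = rule or BruteForceRule()
    return [a for a in (rule.feed(e) for e in normalize(text)) if a]


if __name__ == "__main__":
    for alert in run(LOG):
        print(alert)
```

The second host shows why the window matters: one failure followed by a success four minutes later is an ordinary typo, and the rule expires the stale failure before it can count. A real engine would also bound the `failures` table so an attacker spraying from many sources cannot grow it without limit.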

"The winner is going to be the one that can scale," said Tom McNeight, CEO of Atlanta-based GuardedNet. "We haven't found any upper limit on the amount of traffic our system can handle."