New Tools Automate Attack, Intrusion Responses

Security event management solution releases all offer real-time responses.

As security specialists continue to scramble to make sense of the flood of data from their network devices, a trio of vendors this week will introduce security event management solutions that reduce the workload of IT staffs.

The releases from ArcSight Inc., Network Intelligence Corp. and OpenService Inc. include active response functionality that enables administrators to outline automated responses to attacks and intrusions. The solutions, all of which will be unveiled at the Infosecurity show in New York this week, differ in their approach, but all emphasize real-time attack responses and use highly distributed architectures for greater efficiency.

The moves from the passel of smaller players come as larger vendors, including Symantec Corp., of Cupertino, Calif., and Computer Associates International Inc., work to include similar capabilities in their SEM products. Symantecs newest SEM product includes neither active response nor event compression, although the company will likely include such features—from technology it acquired in its purchase of Recourse Technologies Inc.—in future releases.

In the meantime, the space belongs to companies such as ArcSight, of Sunnyvale, Calif., whose new Active Response Controller—an upgrade to its ArcSight 2.0 release—pulls alert data from security devices on a network. The tool adds that data to information regarding each target, including the machines vulnerabilities and business value. The combined report is used to create a threat-severity index that dictates the softwares response.

Responses can range from simply logging the attack and sending a low-priority alert to an administrator to executing a re-configuration script on a vulnerable machine or blocking all access.

"This has given us visibility into things we wouldnt have had before," said ArcSight customer Bob Justus, vice president of corporate information security and IS/IT contingency planning at Union Bank of California N.A., in San Francisco. "The real-time response shows how well your security environment is working."

In large networks, the ArcSight system can be distributed to reduce the load on individual servers. The machines can be configured in a peer-to-peer architecture or in a hierarchy.

Network Intelligences LogSmart software is designed for large, high-traffic networks and can be deployed in a peered architecture. The solution comprises a cluster of three appliances: a data server, an application server and a collection server.

LogSmart includes a proprietary database that can handle data from 3,000 devices and analyze as many as 60,000 events per second, about 10 times the number of events that current products handle. The product includes compression technology to reduce event data by 95 percent.

For its part, OpenService, of Westboro, Mass., is introducing Security Threat Manager, which also relies on a distributed architecture and includes real-time responses to incoming attacks. The solution ships with several correlation models but allows customers to set their own custom weightings for events.