Security Start-up Seeks to Spot, Solve Compromises

Intrusic Inc. will unveil its flagship solution at the RSA Conference next week.

A new security start-up backed by the intellectual capital of perhaps the best-known security personality of the past five years is set to unveil its flagship solution at next weeks RSA Conference.

Intrusic Inc. will be showing off its Zephon system, which is designed to pick up where todays existing security technologies leave off. The solution does not attempt to detect or block scans, attacks or intrusions. Instead, it combs networks for evidence of successful compromises and then provides detailed statistics and recommendations on how to remediate the problems. The idea is to eradicate the actual problem and not just the symptoms of the problem.

"Because were doing compromise detection, we can stop things completely rather than doing one-off fixes," said Bruce Linton, CEO of Intrusic. "If somebodys already inside the network, whats their driver to do more attacks? There isnt one, so you probably wouldnt see them with normal security products once theyre in."

Intrusic, based in Waltham, Mass., is the brainchild of Justin and Jonathan Bingham. But the guy who is drawing attention to the company is Mudge, also known as Peiter Zatko, one of the original members of the L0pht and @stake Inc. Mudge left @stake two years ago and has been semi-retired. Hes now Intrusics chief scientist.

The companys solution sits on a network tap in passive mode and records every packet that moves between users and the various hosts on the network. At the beginning of its operation, the system takes a snapshot of the network to establish its current security state. Zephon then copies all of the packets and then analyzes the traffic in three distinct phases. It first examines the packet, searching for any sign of an internal compromise.

The system then looks at the traffic on the session level and finally on the hot level, with each inspection being independent of the others. Any data showing evidence of a compromise is moved to whats called the Master Confidence Table, a database where a second analysis is done.

All positively identified compromises are displayed in the GUI, where administrators can see statistics showing the total number of compromised hosts, total compromises and other vital data.

Zephon has three levels of reports, from executive overviews to detailed, host-level descriptions for administrators. But its really meant to be simple enough for people with no security background.

Intrusic will sell Zephon on a per-server basis with an annual maintenance fee after the first year. Exact pricing hasnt been set.