Recently, I wrote about monitoring outliers as an essential task in system and network management. Dan Spalding, of security compliance management company Elemental Security, sent me a thoughtful response illustrating how his company’s products support outlier detection. With his permission, here is an edited version of his note.

* * *

Elemental’s product continuously monitors enterprises’ ever-changing networks and provides a unified view of compliance with established policies. It’s an agent/server system that collects detailed network usage data for all machines on the network. It reports on traffic volumes for ports, protocols and specified destinations (IP or URL) and readily exposes usage anomalies in terms of network activity for a host or group of hosts.

In addition to network traffic, we can also monitor the hardware and software inventory on a host. Outliers here would be detected as unapproved applications or hardware devices.

Elemental also gathers information on CPU, RAM and disk space, which can highlight heavily utilized systems. Some of these may be reaching the limits of their resources through normal use, but some may be used in unauthorized or unplanned ways.

Another anomaly detection we do is tracking client/server relationships. Whether these are infrastructure services or application services, Elemental exposes changes in the number of servers or agents that are part of these communities. System managers can investigate surprises.

We also monitor trust relationships. If a machine unexpectedly becomes a highly trusted host, then either there is a usage anomaly or perhaps a potentially serious misconfiguration error. In either case we expose something that would not otherwise be readily visible.

Another kind of outlier is the rogue host: a new machine linked to the network without documentation or authorization. Using the power of our dynamic grouping technology, we can expose hosts that are unknown and potentially rogue.

We agree that outlier analysis is an important issue in the industry; based on comments from customers and analysts, the problem is challenging to address. As you can see, being able to report on many kinds of outliers on networks in near real-time and in a unified manner is an important differentiator for Elemental.

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.