Editor in Chief

Security vendors peer inside

Jul 19, 2004 · 3 mins

There are hundreds of vendors in the security market, and the bulk of them are focused on the edge, but some newer entrants are looking inside.

There are hundreds of vendors in the security market, and the bulk of them are focused on the edge. But some of the newer entrants are looking inside because they recognize that 1) despite all of our perimeter defenses, bogeys still get through, and 2) compliance, acceptable use and other new requirements demand more stringent controls.

Lancope is targeting the first concern, and Reconnex, which we will look at next week, is focused on the latter.

Lancope offers an appliance called StealthWatch that constantly compares network activity against a normal baseline. That baseline is achieved by placing sensor appliances at critical points in the network – for example, at Web servers, VPN access points and core routers – and starting an auto-learn process.

Once the baseline has been achieved, the watching begins, says Chris Hovis, vice president of marketing and business development. Each packet that goes by is collected, organized into flows, and then analyzed and mapped to policies.

Policies, Hovis says, can address everything from who can talk to whom and what ports and services can be accessed to minimum and maximum traffic thresholds. Customers then use StealthWatch to establish a behavior concern index for each host, with things like SYN floods and scanning activity ranking high.
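To make the flow-and-index idea concrete, here is an added sketch in Python; it is not Lancope's code or algorithm. The weights, alarm threshold, baseline format and sample packets are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical weights and threshold; the article gives no figures.
W_PORT, W_HOST, W_SYN = 5, 5, 1
ALARM_THRESHOLD = 50

# Constructed packet records: (src, dst, dst_port, tcp_flags)
PACKETS = (
    [("10.0.0.5", "10.0.1.10", 443, "S"), ("10.0.0.5", "10.0.1.10", 443, "A")]
    + [("10.0.0.66", "10.0.1.10", p, "S") for p in range(20, 40)]   # port scan
    + [("10.0.0.77", "10.0.1.10", 80, "S")] * 200                   # SYN flood
    + [("10.0.0.9", "10.0.1.10", p, "S") for p in range(1, 11)]     # known prober
)
# Constructed auto-learned baseline: what is normal for a given host.
BASELINE = {"10.0.0.9": {"ports": 10, "hosts": 1, "syns": 10}}

def build_flows(packets):
    """Organize packets into flows keyed by (src, dst, dst_port)."""
    flows = defaultdict(lambda: {"packets": 0, "flags": set()})
    for src, dst, dport, flags in packets:
        flow = flows[(src, dst, dport)]
        flow["packets"] += 1
        flow["flags"].update(flags)  # flags is a string such as "S" or "A"
    return flows

def concern_index(flows, baseline):
    """Score each source host on half-open activity beyond its baseline."""
    ports, hosts, syns = defaultdict(set), defaultdict(set), defaultdict(int)
    for (src, dst, dport), flow in flows.items():
        if flow["flags"] == {"S"}:  # SYN sent, handshake never completed
            ports[src].add((dst, dport))
            hosts[src].add(dst)
            syns[src] += flow["packets"]
    scores = {}
    for src in {key[0] for key in flows}:
        base = baseline.get(src, {"ports": 0, "hosts": 0, "syns": 0})
        scores[src] = (W_PORT * max(0, len(ports[src]) - base["ports"])
                       + W_HOST * max(0, len(hosts[src]) - base["hosts"])
                       + W_SYN * max(0, syns[src] - base["syns"]))
    return scores

def alarms(scores):
    """Hosts whose concern index meets the alarm threshold."""
    return sorted(h for h, s in scores.items() if s >= ALARM_THRESHOLD)

if __name__ == "__main__":
    print(alarms(concern_index(build_flows(PACKETS), BASELINE)))
```

The host with a learned baseline generates the same kind of traffic as the scanner but scores zero, which is the distinction a baseline buys over a fixed rule.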

When nefarious activity is noticed, StealthWatch can sound an alarm, automatically mitigate the situation on a zone-by-zone basis (it is integrated with Cisco routers, Cisco’s PIX firewall and Check Point firewalls), or suggest a course of action that must be approved by an administrator.

On the face of it, the StealthWatch approach makes sense because studies have shown that up to 50% of today’s security events go undetected by signature-based systems such as firewalls.

The problem with signature-based systems, Hovis says, is you’re using prior knowledge to look for bad stuff that is always changing. “With StealthWatch, we are constantly aware of what is happening vis-à-vis a baseline of what should be happening.

“Customers are saying, ‘I’m not going to prevent everything, but when stuff does happen, I want to quarantine it to as small a part of the net as possible.’ When someone breaks in, we lock all the doors and windows in that room,” he says.

Prices for StealthWatch start at about $20,000. The company, which has 65 employees and 75 customers, is privately funded and just raised $12.5 million in the first quarter.

Next week, a look at Reconnex’s approach to security.