• United States
Editor in Chief

An automated answer to worms?

Nov 24, 20033 mins

Last February we discussed an interesting security device from ForeScout Technologies that sits next to the firewall, tracking hacker reconnaissance efforts and then shuts down attempts to break in using information gleaned during that recon.

The company promised to complement that product with a box designed to combat internal threats. On Monday it did just that, but instead of positioning it as a way to fight hackers, the new product is called WormScout and, as you can guess, is designed to fight worms.

Why the switch? Selling the outward-facing ActiveScout has been harder than anticipated, admits CEO Kent Elliott. ActiveScout provides intrusion-prevention services but isn’t a classic intrusion-prevention product because it doesn’t require signatures and doesn’t have to be implemented inline. The extra customer education required makes the sales cycle longer.

But the appeal of a security device that helps keep out bad guys, is simple to operate and doesn’t generate thousands of false positives has earned ForeScout 130 customers, from regional credit unions to Fortune 500 shops.

More impressively, Elliott says all customers have enabled the automatic blocking feature of ActiveScout, meaning the systems simply are shutting hackers out. That’s quite an achievement because few organizations will let security products respond to anything without human review for fear that some good traffic will go out with the bad.

While ActiveScout is taking off slower than anticipated, Elliott thinks it has a good future, but he is even more jazzed about WormScout.

Although the core technology is essentially the same in both products, Elliott says the worm problem has become so rampant that it made more sense to play up the worm-containment features with this new product instead of the anti-hacking benefits.

WormScout installs either in front of assets you want to protect, such as core servers, or in front of groups that are prone to worm attacks, say sales representatives who travel with their laptops.

A worm typically searches for one type of port to exploit, such as SQL or User Datagram Protocol (UDP), so when WormScout sees something looking for Port X on IP address 1, then 2, then 3, etc., it responds offering the service sought. When the worm tries to take advantage of that resource, WormScout uses TCP reset to stop the session or invokes the help of other LAN devices to isolate the offending party.

Anything that automatically stops worms can only be a good thing, especially given the speed at which these things spread.