Modern enterprise security often involves multiple security technologies, including firewall, IPS and antivirus tools, which can't always integrate to provide a broader view of security events and data risks. But with attackers persistently probing a range of enterprise defenses looking for weaknesses, that broader view becomes a must-have. How can all the different collection points for network and application data be managed so security professionals can stop attacks?

Enter security vendor Sourcefire (NASDAQ:FIRE), a company that is perhaps best known as the lead commercial sponsor behind the open source Snort IDS project, and which is now attempting to build a solution that it says provides broad visibility into enterprise security.

Officially called the Razorback Framework, the new open source technology aims to collect information from multiple sources across an enterprise and then correlate that information to help IT administrators mount a more effective defense. Razorback is being licensed under the GPLv2 open source license.

"The Razorback framework is looking to orchestrate all of the defensive capability that an enterprise has," Matt Watchinski, senior director of Sourcefire's Vulnerability Research Team (VRT), told "That way, they'll have all the power they need to and have the ability to deal with attackers."

At the heart of the system is the Razorback Framework's Defense Routing System, which collects all the detection information on a network and can route suspect data through the appropriate security systems, delivering actionable data to administrators so they can identify and deal with threats.

For instance, Watchinski described how the system could handle receiving an inbound, emailed Adobe Acrobat PDF file. The company receiving the PDF wants it to be routed through multiple layers of security detection, so the defense routing system can grab the PDF and, knowing that there are multiple detection methods on the network, such as antivirus and IPS, will run the PDF though those systems, as well as a PDF dissector that will take the file apart to see if any risk exists within.

For PDFs that trigger an Adobe Flash file, the detection piece of the Razorback Framework can specifically analyze that component for risk, as well.

Watchinski added that Razorback collects and correlates possible attack information from network events, as well as data.

The concept of trying to collect network event information is one that the Trusted Computing Group (TCG) has already tried to standardize for networking gear with a protocol called IF-MAP. Watchinski noted that in its initial release, Razorback is not using IF-MAP, though he added that the system is extensible through APIs and remains early in its development.

There is also already a market in place for security information management systems. Among the technologies currently available is the Cisco MARS (Monitoring, Analysis Response System) platform for network events. With Razorback, Sourcefire isn't trying to displace existing tools, but its backers instead hope to provide a framework for collecting and acting on data from multiple sources.

"Security information managers correlate events, and we coordinate detection," Watchinski said.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.