March 19, 2010

Psionic Tool Ferrets Out IDS False Alarms

Psionic Technologies on Monday introduced a security tool that works with existing intrusion detection systems to determine whether an attack is successful, in the process weeding out time-consuming false alarms.

Psionic's ClearResponse answers two questions that existing intrusion detection systems don't, according to Craig Rowland, CTO for the Austin, Texas-based firm. The first is, was the attack successful? To get at the answer, ClearResponse examines the system that the attack targeted, looking for evidence that the attack succeeded.

"It's based on how our experts would investigate an attack," Rowland says, noting several Psionic engineers came from WheelGroup Corp., the IDS company that Cisco Systems acquired in 1998.

The second question that ClearResponse answers is, if the attack was successful, what can you do about it? In the initial release, the product will copy potentially valuable forensic evidence, such as audit trails and log files. Later versions will have "true remediation capabilities," Rowland says. "If we find attacks, we'll take responses that administrators can predefine."

While administrators often shy away from enabling a security device to take such automated actions on its own, for fear of responding to false positives, Rowland says ClearResponse will offer a high degree of accuracy in determining when an attack is for real.

That gets back to its investigative techniques. When it detects an attack, ClearResponse examines a targeted system to determine whether its patches and hot fixes are up to date, and looks for files that intruders typically leave behind, such as malicious Trojan horse libraries.

To match the same knowledge level that Psionic has encapsulated in ClearResponse, "a security administrator would have to be familiar with hundreds of thousands of attacks," Rowland says. Yet he says the system takes only about 5 seconds to conduct its examination.
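The triage logic the article describes (after an IDS alert, inspect the targeted host for the patch that closes the exploited hole and for artifacts an intruder would leave, then decide whether to preserve evidence) can be sketched as a small classifier. The following is an added illustration, not ClearResponse's code or Psionic's method; the alert fields, patch identifiers, vulnerability identifiers, artifact paths and host snapshots are all constructed placeholders.

```python
"""Post-alert verification of an IDS hit against the targeted host.
Hypothetical example; every identifier and path below is constructed."""
from dataclasses import dataclass

@dataclass
class Alert:
    signature: str      # IDS signature name (constructed)
    target_host: str
    exploits: str       # placeholder vulnerability id the signature fires on

@dataclass
class HostState:
    hostname: str
    installed_patches: set   # patch ids reported by the host's package/patch inventory
    present_files: set       # paths found on the host (a real tool would query it live)
    log_files: tuple = ("/var/log/auth.log", "/var/log/syslog")

# Constructed knowledge base: which patch closes which vulnerability, and which
# artifact paths the tooling used against that vulnerability typically drops.
PATCH_FOR = {"VULN-EXAMPLE-001": "PATCH-1001", "VULN-EXAMPLE-002": "PATCH-1002"}
ARTIFACTS_FOR = {
    "VULN-EXAMPLE-001": {"/tmp/.hidden_lib.so", "/usr/lib/libproc_hook.so"},
    "VULN-EXAMPLE-002": {"/var/tmp/.x/backdoor"},
}

def assess(alert, host):
    """Return (verdict, artifacts_found) for an alert against a host snapshot."""
    if host.hostname != alert.target_host:
        return "wrong-host", []
    needed = PATCH_FOR.get(alert.exploits)
    if needed is not None and needed in host.installed_patches:
        # The host is patched against what the signature exploits: the traffic may
        # be genuine, but this attack cannot have succeeded by that route.
        return "patched-likely-false-positive", []
    found = sorted(ARTIFACTS_FOR.get(alert.exploits, set()) & host.present_files)
    if found:
        return "compromise-indicators-found", found
    # Unpatched but no artifacts: worth a human look, not an automated response.
    return "vulnerable-unconfirmed", []

def evidence_to_preserve(alert, host):
    """Paths to copy off the host before any remediation: audit logs always,
    plus the suspicious files when indicators were found (the 'copy forensic
    evidence' step the article attributes to the initial release)."""
    verdict, found = assess(alert, host)
    paths = list(host.log_files)
    if verdict == "compromise-indicators-found":
        paths.extend(found)
    return verdict, paths

if __name__ == "__main__":
    alert = Alert("EXAMPLE-OVERFLOW-SIG", "web01", "VULN-EXAMPLE-001")
    patched = HostState("web01", {"PATCH-1001"}, set())
    hit = HostState("web01", set(), {"/tmp/.hidden_lib.so", "/etc/passwd"})
    print(evidence_to_preserve(alert, patched))
    print(evidence_to_preserve(alert, hit))
```

The ordering matters: the patch check runs first because it can dismiss an alert cheaply, while the artifact scan only upgrades an unpatched host to "indicators found". Neither verdict triggers an automated response here; the predefined-response stage the article mentions would consume these verdicts rather than the raw IDS alert.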

ClearResponse is available in software-only versions and as a hardware appliance. It works with the Cisco Secure IDS and Internet Security Systems' RealSecure, with support for additional vendors forthcoming in the next few months. Pricing starts at about $20,000 to cover 50 systems. The product will be available July 1.
