Wouldn't it be nice to know a few days or even a week ahead of time that a potentially devastating worm such as Code Red was about to start spreading across the Internet? SecurityFocus claims it can do just that.
The San Mateo, Calif.-based security service provider has launched Attack Registry and Intelligence Service (ARIS) Predictor, which feeds off the company's vast collection of security event and alert data to predict when a serious attack is imminent.
SecurityFocus is perhaps best known for its security Web site of the same name, home to the popular BugTraq mailing list, which keeps thousands of companies up to date as new vulnerabilities are disclosed. In part because of the feedback it gets from BugTraq and other areas of its Web site, SecurityFocus has developed an extensive database of security vulnerabilities, says Arthur Wong, the company's CEO. That data is sold to third-party vulnerability scanning companies for use in their products and services. It is also compiled and filtered to form the basis of the SecurityFocus Security Intelligence Alerts (SIA) service, which lets companies receive security alerts tailored to the specific systems they have deployed. Early this month the company announced Version 2.0 of the service, which adds alerts about malicious code such as viruses and Trojans.
ARIS Predictor is the next step.
Fifty new security vulnerabilities are discovered in various server and other enterprise software systems each week, Wong says. That makes it exceedingly difficult for IT organizations to keep up with all the required fixes, even if they know about them in advance through a service such as SIA.
ARIS Predictor is intended to alert customers to those vulnerabilities that are likely to be exploited in the near-term, so customers still have time to apply the appropriate patch or workaround.
ARIS Predictor relies on data collected from some 7,000 companies in 138 countries to determine which vulnerabilities are most pressing. These companies agree to install the ARIS Extractor, client software that sits on the administrator console of an intrusion detection system (IDS). The extractor collects data regarding specific attacks and sends it to SecurityFocus.
"Nobody else can get this kind of information gathered from as many sources," Wong says.
In return for supplying this data, the participating companies get to use the SecurityFocus ARIS Analyzer free of charge. The Analyzer helps them correlate information from multiple IDSs, giving them a global view of their enterprise.
SecurityFocus has a team of analysts that examines the aggregate data coming from all the Extractors in the field. For any given attack, it is typical for several separate spikes of activity to appear before the attack spreads widely, Wong says. These are attributed to attackers testing code against low-profile machines and to launches that fizzle out. Analysts examine such spikes, and the vulnerability each one exploits, to pick out the attacks that have a chance of becoming widespread or are just starting to spread.
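The correlation the analysts are described as doing by hand can be sketched in code: bucket IDS alerts from many contributing sites by signature and by day, treat a day on which a signature is seen at several independent sites as a burst, and flag signatures that show two or more separate bursts before they go wide. The following is an added illustration written for this article, not SecurityFocus code; the alert records, site names and signature labels are constructed, and the thresholds (two sites, three events, five sites for "widespread") are arbitrary choices for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts as an extractor might forward them:
# (UTC timestamp, contributing site, IDS signature). Not real data.
BIND_SIG = "BIND TSIG overflow attempt"   # hypothetical signature label
SAMPLE_ALERTS = [
    # day 1 (Mar 14): two sites see a handful of probes, then silence
    (datetime(2001, 3, 14, 2, 10), "site-A", BIND_SIG),
    (datetime(2001, 3, 14, 2, 12), "site-A", BIND_SIG),
    (datetime(2001, 3, 14, 3, 40), "site-B", BIND_SIG),
    (datetime(2001, 3, 14, 3, 41), "site-B", BIND_SIG),
    # day 3 (Mar 16): a second, separate burst at two other sites
    (datetime(2001, 3, 16, 11, 5), "site-C", BIND_SIG),
    (datetime(2001, 3, 16, 11, 9), "site-D", BIND_SIG),
    (datetime(2001, 3, 16, 12, 30), "site-D", BIND_SIG),
    # day 5 (Mar 18): the attack goes wide, six sites all morning
    *[(datetime(2001, 3, 18, h, 0), site, BIND_SIG)
      for h in (1, 2, 3, 4, 5)
      for site in ("site-A", "site-B", "site-C", "site-E", "site-F", "site-G")],
    # steady background noise: a scan signature at two sites every day
    *[(datetime(2001, 3, d, 9, m), site, "SSH version probe")
      for d in range(14, 19) for site in ("site-A", "site-H") for m in (0, 30)],
    # a one-off at a single site
    (datetime(2001, 3, 15, 8, 0), "site-B", "FTP anonymous login"),
]


def bucket_by_day(alerts):
    """signature -> {day: {"count": n, "sites": set}} over the whole observation
    span, zero-filled so that quiet days between bursts stay visible."""
    days = sorted({ts.date() for ts, _, _ in alerts})
    span = [days[0] + timedelta(days=i) for i in range((days[-1] - days[0]).days + 1)]
    table = defaultdict(lambda: {d: {"count": 0, "sites": set()} for d in span})
    for ts, site, sig in alerts:
        cell = table[sig][ts.date()]
        cell["count"] += 1
        cell["sites"].add(site)
    return table, span


def burst_runs(day_cells, span, min_sites=2, min_events=3):
    """Compress consecutive active days (at least min_sites independent sites and
    min_events events) into runs of (first_day, last_day, peak_sites). Steady
    background that is active every day yields a single long run."""
    runs, current = [], None
    for d in span:
        cell = day_cells[d]
        active = len(cell["sites"]) >= min_sites and cell["count"] >= min_events
        if active:
            if current is None:
                current = [d, d, len(cell["sites"])]
            else:
                current[1] = d
                current[2] = max(current[2], len(cell["sites"]))
        elif current is not None:
            runs.append(tuple(current))
            current = None
    if current is not None:
        runs.append(tuple(current))
    return runs


def predict(alerts, widespread_sites=5, **thresholds):
    """Return {signature: (warning_day, spread_day)} for signatures with at least
    two separate bursts. warning_day is the first day of the second burst (the
    point at which an analyst could raise an alert); spread_day is the first day
    the signature was seen at widespread_sites or more sites, or None."""
    table, span = bucket_by_day(alerts)
    verdicts = {}
    for sig, cells in table.items():
        runs = burst_runs(cells, span, **thresholds)
        if len(runs) < 2:
            continue
        spread = next((d for d in span if len(cells[d]["sites"]) >= widespread_sites), None)
        verdicts[sig] = (runs[1][0], spread)
    return verdicts


if __name__ == "__main__":
    for sig, (warn, spread) in predict(SAMPLE_ALERTS).items():
        print(f"{sig}: warning {warn}, widespread {spread}")
```

On the constructed data the BIND signature produces a warning on March 16, two days before the day it is seen at six sites, while the daily SSH probe collapses into one uninterrupted run and is ignored; the single-site FTP event never counts as a burst. Real data would need the bursts checked against the size and exploitability of the underlying vulnerability, which is the part the article leaves to the analysts.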
One example is the Lion worm that hit early this year. It exploited a vulnerability in the BIND DNS server software that Wong says was disclosed Jan. 29 of this year. The SecurityFocus SIA service issued an alert within a few days. The ARIS Predictor team first detected automated Lion attacks on March 20 and issued an alert the same day. The press began reporting on the worm March 23 or later, by which time an unpatched server could already have been compromised.
Both the SIA and ARIS Predictor services are priced on a subscription basis. SIA pricing starts at $10,000 per year and goes up to as high as $200,000, depending on configuration. A license that includes ARIS Predictor costs $100,000. The average Predictor deal is in the $250,000 range.