Multi-Detection Approach to Intrusion Prevention
Current Scenario: Traditional IPS is an inline, perimeter solution at the network ingress/egress points. IPS was not designed to address attacks on the network interior. This results in a major security hole.
The four things that organizations have:
- Firewalls
- Anti-virus
- Patch procedures
- Policy & control
What else do you need to protect your network? With the evolution in security (and risks), organizations need to be concerned with:
- Zero-Day attacks
- Targeted Attacks
- Patch management
- Policy management
With newer attack vectors, your network is vulnerable. So what is the next level of defense?
Tomorrow's Technology Today:
CounterStorm-1: How It Works
Unlike traditional IPS, CounterStorm-1 employs a multi-detection approach by using three proprietary engines. A unique patent-pending correlation engine allows CounterStorm-1 to synthesize this data without the use of signatures to yield immediate and accurate attack detection and to shut down malicious activity within seconds. In addition, CounterStorm-1 adjusts to future threats, including slow and stealthy attacks often missed by other solutions.
Behavioral Attack Recognition Engine
This engine uses behavioral patterns, or heuristics, to detect indicators of malicious activity on the network. Behavioral patterns differ from signatures in the sense that they do not identify specific vulnerabilities or exploits. Instead, they identify common characteristics of malicious software that appear in the network traffic generated by an infected or compromised host.
CounterStorm-1’s behavioral engine detects a variety of malicious behaviors: many worms and viruses, for example, scan the network when they seek to propagate throughout an enterprise. The behavioral attack recognition engine quickly and accurately identifies this scanning behavior regardless of the particular attack vector that is being used. Other types of attacks, such as Trojans and Botnets, often attempt to make network connections to external control hosts that feed them instructions. They can also attempt to contact other local devices to form a peer-to-peer network of infected devices that share those instructions. Both the external connection attempts and internal peer-to-peer connection attempts are characteristic malicious behaviors that CounterStorm-1 can quickly and accurately identify.
Dynamic Honeypot
The dynamic honeypot illuminates unused IP addresses on enterprise networks. This enables quick identification of malicious devices on the network, since it is not necessary to wait for an infected device to discover a legitimate host or service. This engine is dynamic in the sense that it doesn’t require any specially configured or dedicated address space to operate. It monitors the used addresses in the network and automatically responds to queries that are destined for unused addresses. This allows the other CounterStorm-1 engines to observe traffic at layers three and four, whereas previously only layer two traffic would be visible.
Anomaly Detection Engine
This engine monitors the flow of traffic between different network hosts and services to build a statistical baseline of normal activity. Once this statistical profile is built, the anomaly detection engine monitors the network for any traffic that deviates from that baseline.
CounterStorm’s anomaly detection engine is a purely statistical approach that observes the characteristics of normal network activity and easily adapts to changes in the environment over time. Its main purpose is to provide supporting evidence for the behavioral engine and honeypot components, thus helping to dramatically reduce false positives.
Real-Time Correlation Engine
This engine correlates data from each of CounterStorm-1’s engines in order to process evidence into actionable alarms in real-time. Sophisticated and proprietary correlation logic synthesizes alert information from the behavioral, anomaly detection, and honeypot detection engines into highly accurate alarms – dramatically reducing the overall false positives of the sensor. Evidence from a single data-point often warrants an alarm in other solutions. This is what leads to false positives. CounterStorm-1 utilizes multiple data points which are correlated together. A network anomaly, for example, is rarely enough evidence to warrant an immediate response. Once it correlates with an alert from the behavioral engine or dynamic honeypot, however, the alarm may be issued with a high degree of accuracy. This assimilation of multiple attack reference points yields fast and accurate detection and stopping of attack traffic without negatively impacting mission-critical operations.
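The multi-engine idea described in the behavioral, honeypot, anomaly and correlation sections above, shown as an added toy example (this is illustrative code written for this page, not CounterStorm's engines). It assumes constructed flow records of the form (source, destination, port), a constructed set of in-use addresses standing in for what the dynamic honeypot learns, and a constructed port baseline standing in for the anomaly engine's profile; the point it demonstrates is that a single anomaly does not raise an alarm, while a host implicated by several engines does.

```python
# Added illustration, not CounterStorm's code: toy versions of the behavioral,
# honeypot and anomaly checks, fed into a correlation step that raises an alarm
# only when at least two engines independently implicate the same source host.
from collections import defaultdict

# Constructed sample flow records: (src, dst, dst_port).
FLOWS = [
    ("10.0.0.5", "10.0.0.%d" % i, 445) for i in range(20, 40)   # host sweeping the subnet
] + [
    ("10.0.0.7", "10.0.0.8", 80), ("10.0.0.7", "10.0.0.8", 80),  # ordinary client traffic
    ("10.0.0.9", "203.0.113.77", 6667),                          # one odd outbound flow
]
USED = {"10.0.0.5", "10.0.0.7", "10.0.0.8", "10.0.0.9"}            # constructed in-use addresses
BASELINE_PORTS = {80, 443}                                        # constructed "normal" profile

def behavioral(flows, fanout=10):
    """Flag hosts contacting many distinct peers (propagation-style scanning)."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        peers[src].add(dst)
    return {s for s, p in peers.items() if len(p) >= fanout}

def honeypot(flows, used):
    """Flag hosts that touch local addresses no legitimate host occupies."""
    return {src for src, dst, _ in flows
            if dst.startswith("10.0.0.") and dst not in used}

def anomaly(flows, baseline_ports):
    """Flag hosts whose destination ports fall outside the learned baseline."""
    return {src for src, _, port in flows if port not in baseline_ports}

def correlate(flows, used, baseline_ports, min_engines=2):
    """Return {host: engine_votes} for hosts that enough engines agree on."""
    votes = defaultdict(int)
    for hits in (behavioral(flows), honeypot(flows, used), anomaly(flows, baseline_ports)):
        for host in hits:
            votes[host] += 1
    return {h: n for h, n in votes.items() if n >= min_engines}

if __name__ == "__main__":
    print("anomaly-only:", anomaly(FLOWS, BASELINE_PORTS))      # includes 10.0.0.9
    print("alarms:", correlate(FLOWS, USED, BASELINE_PORTS))    # only 10.0.0.5
```

Host 10.0.0.9 is flagged by the anomaly check alone and therefore produces no alarm, whereas 10.0.0.5 is implicated by all three checks and is alarmed.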
Quarantine Engine
The quarantine engine activates the appropriate responses when hosts are deemed malicious or infected. The CounterStorm-1 Command Center maintains a site-wide policy that defines which responses should be employed on which network segments. This policy is synchronized with each Sensor, and the quarantine engine is consulted before any response is taken. Importantly, the presence of the quarantine policy on each Sensor allows these Sensors to operate autonomously – performing detection and response activities without delays or failures due to potential network problems when communicating with the Command Center.
Actionable Visibility
CounterStorm-1 provides unique real-time visibility of internal security incidents that traditional network management systems do not provide. The information gleaned from CounterStorm-1 empowers the security manager to make crucial security decisions that would not be possible without it.
CounterStorm-1: Simple Deployment
CounterStorm-1 is designed for ease of use in installation, maintenance, and day-to-day operation. The sensors are deployed in strategic areas of the network, which include the key core and distribution layers, areas of high value and areas of high risk. Because the device is deployed out-of-band, many of the issues associated with an in-line device are eliminated, such as concerns about redundancy, latency and scalability.
|                            | Traditional IPS                                          | CounterStorm-1                                          |
|----------------------------|----------------------------------------------------------|---------------------------------------------------------|
| Protection                 | Perimeter                                                | Interior                                                |
| Zero-Day Wormstorms        | Vulnerable                                               | Protected                                               |
| Targeted Attacks           | Vulnerable                                               | Protected                                               |
| Stealthy & Sophisticated   | Vulnerable                                               | Protected                                               |
| Internal attacks           | Vulnerable                                               | Protected                                               |
| Deployment                 | Inline (redundancy and latency issues; security target)  | Out-of-path (no redundancy, latency or security issues) |
| Detection                  | Requires signatures                                      | No signatures needed                                    |
| Accuracy                   | Trade-off with performance and protection                | Greater than 90%                                        |
| Rapid blocking             | Unable because of low accuracy rate                      | Manual to fully automatic                               |
| Adapt to future attacks    | No                                                       | Yes                                                     |
| Long reach/long visibility | No - Perimeter - segment by segment basis only           | Yes - full view and control of entire internal network  |
Conclusion: CounterStorm-1 provides the following unique advantages:
- Speed – detects and stops attacks within seconds.
- Accuracy – low incidence of false positives/false negatives.
- Actionable Visibility – take definitive steps in stopping actual attacks.
- Containment – a series of flexible containment options.
- Transparency – deployed out-of-band, eliminating lengthy deployment projects.
- Ease-of-use – implemented through a central and secure GUI.
- Best-of-breed protection – CounterStorm-1 works seamlessly with existing security solutions.
CounterStorm 15 W. 26th Street, Floor 7 New York, NY 10010 USA Tel: 1-212-206-1900
Copyright © 2006 Silicon Valley Communications - All rights reserved.