CyberWolf prowls for cyber alerts

A wolf is a feared and stealthy hunter in nature and now cyber intruders should also fear the "wolf" prowling around numerous Defense Department and other federal agencies.

CyberWolf 1.8 from CyberWolf Technologies Inc. helps federal information technology security analysts prioritize the alerts produced by intrusion-detection systems, firewalls and other security measures, said Tom McDonough, chief executive officer of the company, a provider of enterprise security management software and services.

Few incidents ultimately require human response, and CyberWolf is designed to identify those by recognizing patterns in seemingly random alerts, signaling that an invasion or attack is under way.

McDonough said many agencies within DOD and the intelligence community are using CyberWolf but could not be identified due to security concerns. He added that the Falls Church, Va.-based company, originally called Mountain Wave Inc., should have at least three new government customers before the end of May, which also is about the time that Version 2.0 will be released.

Jack Beavers, chief architect at CyberWolf Technologies, said that Version 1.8 is a refinement released last month, but 2.0 will have bigger changes. Version 1.8 has new cross-correlation and user capabilities that enable an organization to more quickly recognize and respond to attacks, he said.

CyberWolf is designed to capture and prioritize alerts from firewalls, antivirus software, authentication technology and intrusion-detection systems. It tracks incidents to identify and "memorize" attack warnings, which can be precursors to organized attacks.

"Contemporary intrusion-detection systems have alerts scrolling by all the time, from high alerts to cryptic [announcements], so it's tough to know what's really going on," Beavers said. "CyberWolf puts together a short list of incidence/trouble tickets, organized by severity and helps managers respond quickly. You can stop the bad guy before he hurts you...[and security personnel] can go and do something instead of sifting through reports and cross-correlating from multiple devices."

McDonough echoed those sentiments and offered an example: Before deploying CyberWolf, one agency had nine analysts working three shifts in front of more than 10 monitors. Within weeks of using CyberWolf, it only took two analysts watching one monitor to do the same job.

"They could re-deploy seven security employees for other duties and get the most efficiency and effectiveness out of the people they've got," McDonough said.

Version 2.0 will respond to feedback from government users who requested improved real-time reporting, and it will have an enhanced graphical user interface, Beaver said. He added that all customers would automatically get an upgrade once a new version is released or as new firewalls and other security platforms are added.

CyberWolf can be deployed in a few days, although some "tweaking" is usually necessary over the first few weeks to work out the false positives and focus on the most serious security threats, the company officials said.

The average price is $150,000 to $200,000, and the company uses the perpetual license model, which costs 20 percent of list price per year and includes all upgrades and support, McDonough said.