CyberWolf prowls for cyberalerts

CyberWolf Technologies Inc. has developed software that picks up where intrusion-detection software leaves off.

CyberWolf software is designed to capture and prioritize alerts generated by intrusion-detection systems, as well as firewalls, antivirus software and other security programs. Few such alerts ultimately require human response, and CyberWolf is designed to identify the ones that do by recognizing patterns in seemingly random alerts, signaling that an attack is under way.

The company, which already has a number of federal customers, is rapidly enhancing its product. CyberWolf 1.8, released last month, has new cross-correlation and user capabilities that enable an organization to more quickly recognize and respond to attacks. Version 2.0, scheduled for a May release, improves real-time reporting of security problems and enhances the graphical user interface.

"Contemporary intrusion-detection systems have alerts scrolling by all the time, from high alerts to cryptic [announcements], so it's tough to know what's really going on," said Jack Beavers, chief architect at CyberWolf.

"CyberWolf puts together a short list of incidence/trouble tickets, organized by severity, and helps managers respond quickly," he said. "You can stop the bad guy before he hurts you...[and security personnel] can go and do something instead of sifting through reports and cross-correlating from multiple devices."

Tom McDonough, chief executive officer of the company, said many agencies within the Defense Department and the intelligence community are using CyberWolf, but those agencies could not be identified due to security concerns. He added that the Falls Church, Va.-based company, originally called Mountain Wave Inc., should have at least three new government customers by the end of May.

Federal customers have found that CyberWolf reduces the workload on the security staff. For example, before deploying CyberWolf, one agency had nine analysts working three shifts in front of more than 10 monitors. Within weeks of using CyberWolf, it only took two analysts watching one monitor to do the same job.

"They could re-deploy seven security employees for other duties and get the most efficiency and effectiveness out of the people they've got," McDonough said.

John Pescatore, research director for Internet security at Gartner Inc., said that CyberWolf has been successful in dominating the DOD market, but similar services are available from competitors, including e-Security Inc. and netForensics Inc.

"Government agencies [generally] make both their firewall and intrusion-detection systems choices best-of-breed, and then they're stuck with two separate management consoles and reporting types," Pescatore said. "CyberWolf and netForensics are powerful in pulling those things together."

CyberWolf can be deployed in a few days, although some "tweaking" is usually necessary during the first few weeks to work out the false alarms and focus on the most serious security threats, company officials said.

The average price is $150,000 to $200,000, and the company uses the perpetual license model, which costs 20 percent of list price per year and includes all upgrades and support, McDonough said.

Stephen Andriole, a senior consultant at the Cutter Consortium, an information technology consulting firm, likens the way CyberWolf consolidates and prioritizes information for users to an electronic "dashboard."

Andriole, who is also a professor of business technology at Villanova University, said that although CyberWolf is a "terrific tool and obviously valuable," the technology is "not earth shattering, since the concept has been around with network and systems management" tools for some time.

He added that the next logical step in this area — enabling the technology to respond to alerts based on "if-then" scenarios — promises even greater benefits for users through real-time, automated decision-making.

***

FEMA on alert

One customer of CyberWolf Technologies Inc.'s security software is the Federal Emergency Management Agency.

FEMA has deployed CyberWolf to monitor the agency's network perimeter defenses and is considering its use to monitor 500-plus critical Microsoft Corp. Windows NT servers, according to Steve Schmidt, chief of FEMA's Office of Cyber Security.

FEMA's current deployment of CyberWolf supports a network that has 10,000 nodes deployed in 10 regions.

The surveillance points include:

* Internet and intranet firewalls.

* Routers.

* Authentication servers.

* Intrusion-detection systems.

* Unix and NT servers and workstations.

The software sends data to a contractor monitoring the agency's network around the clock.