Building intelligence into security tools

Federal agencies and enterprises could have a more accurate profile of the applications and systems on their networks that need protection from cyberattacks by year's end when Sourcefire Inc. rolls out extensions to its intrusion-management system.

The company plans to unveil the Realtime Network Awareness (RNA) appliance, which can help information technology managers better understand what assets and services are vulnerable to attack and, as a result, could put the network at risk.

The appliance is designed to fix a flaw in traditional network-based intrusion-detection systems. Although designed to alert IT managers to suspicious activity on the network, such systems often "run without any context about the network they are protecting," said Martin Roesch, chief technology officer and founder of Columbia, Md.-based Sourcefire.

For instance, if an attack such as the Code Red computer worm is spreading to servers in an organization's network and servers are running the Linux operating system, then those servers are not as susceptible to the attack because the malicious code affects Microsoft Corp. Windows-based servers, Roesch said.

Unless an intrusion-detection system is aware of the system it is monitoring, it might generate false alarms about attacks or miss attacks altogether. RNA is geared to add another layer of intelligence to threat protection.

RNA "sniffs" or monitors the network like an intrusion-detection sensor, but it has a different mission, Roesch said. The appliance passively monitors — meaning in a nonintrusive manner — network traffic to detect network assets such as IP addresses, operating systems and versions, services and ports, as well as potential vulnerabilities. It also monitors for traffic pattern changes and security policy violations.

The Sourcefire Management Console then integrates information about network changes from RNA sensors and Sourcefire network sensors with the latest vulnerability information to determine if an attack poses a threat. IT operators can then accurately prioritize their response, Roesch said.

IT managers at the National Institutes of Health's Federal Credit Union plan to evaluate the appliance when it is ready for beta testing this summer.

RNA sounds like a good product that can help agencies address the problem of information overload generated by intrusion-detection systems, said Kirk Drake, vice president of technology at NIH's Federal Credit Union.

"If it can accurately detect systems and match vulnerabilities to systems, it will help [the agency] clean up [network] traffic," he said.