Web extra: Quick response tools

Federal information technology managers need a mix of tools to quickly respond to security incidents.

The more effective technologies will combine tracking of IT assets with vulnerability management capabilities as well as event correlation functions, expert say.

With incident response, there has been a heavy focus on the network, intrusion detection and hackers as the driving force behind incidents, said David Meltzer, founder of and chief technology officer at Cambia Security. A correlation of real-time information from the asset side with attack information is needed. “The internal violations of policies are the incidents you want to know about,” Meltzer said.

As a result, the company offers Cambia CM software, which discovers changes that might have occurred in systems on the network. The product works with several leading third-party vulnerability management companies. Cambia CM provides users with intelligence about the hardware and software on the network and when changes create risks.

Cambia CM has a scanning engine that collects data by active scanning, probing devices on the network or passive network monitoring. The software runs on Wintel hardware on Microsoft Windows or Linux operating systems.

Even content filtering tools can offer some protection against incidents.

For instance, Blue Coat Systems, a developer of proxy appliances that manage Web activity, offers Blue Coat Reporter. The product imports and displays information about users¹ Web activity. Defense and civilian agencies that use the Blue Coat products include the Defense Advanced Research Projects Agency, the Homeland Security Department, the Energy Department, the Federal Aviation Administration, the Food and Drug Administration, NASA and the Army.

Federal agencies in particular want to control instant messaging and peer-to-peer file sharing, said JoAnne Vedati, senior product marketing manager at Blue Coat.

The company¹s Proxy SG appliance sits in the middle of a Web data stream and monitors content, including spyware, Vedati said. Reporter analyzes Proxy SG log files in 60 predefined reports. Reporter can reveal malware masked in Web content and other threats.

After responding to security incidents, IT managers will want to go back through network sessions or computer system logs to investigate how an intruder or hacker compromised a system or attacked a network. Forensics tools can help managers further investigate incidents to better defend against future threats and prosecute those who have broken into systems and networks.

Many forensics products are host-based, focusing on pulling information from systems rather than the network, said Michael Gavin, an analyst at Forrester Research. But a growing number of network products can be used for forensics, he noted.

Intrusic V2 from a new company called Intrusic can watch and analyze network traffic and detect anything that doesn¹t follow certain rules, Gavin said. It is similar to Niksun¹s NetDetector solution and Sandstorm Enterprises’ NetIntercept, which look at every packet traversing a network. The products have huge databases in which packets can be stored and sessions reconstructed.

Intrusic is different from other products because it selects only the anomalous traffic, Gavin said. Intrusic V2 finds systems that are already under malicious control and maps out the full extent of the compromise, according to a company statement. “I don¹t know how well [Intrusic] works in practice,” Gavin said.