Security UPDATE, commentary, February 26, 2003

Are you aware of the networks that track events and trends related to specific threats and ongoing attacks? You can participate in these threat-analysis networks, and in return, they offer information that can help you become aware of potential threats to your own network, sometimes well in advance of any actual attack.

Several networks (e.g., DShield.org, myNetWatchman, Symantec's DeepSight Analyzer, Internet Security Systems'--ISS's--X-Force Threat Analysis Service--XFTAS) collect security information and offer it to the public in the form of a worldwide security trend monitoring report. These networks receive input from a wide array of users' networks around the globe, all contributing information into a central repository. Intrusion Detection Systems (IDSs) and firewall logs running on the participating local networks provide the information.

Each threat-analysis network provides client-side software that gathers log information, parses it into a common format, and transmits the data back to a central repository. DShield.org client software works with more than three dozen various types of IDS and firewall systems; myNetWatchman client software and Symantec's DeepSight Analyzer service client software work with about two dozen IDS and firewall systems each.

DShield.org \[http://www.dshield.org\] is by far the most open of the networks. Anyone can visit the related Web site and immediately view both graphical and text-based reports that show current threat trends and historic data. For example, when you visit the Web site home page, you'll find a prominent graphical map of the world with pie charts for various continents. The pie charts give a quick view of threat trends based on aggregate information that shows which ports are being probed most often. Next to the graphic is a brief list of the port numbers and the services typically associated with those ports.

When I visited the DShield.org Web site Monday morning, I saw that port 1434, which is related to Microsoft SQL Server, is still among the top targets. This information might mean that the Slammer/Sapphire worm is still trying to spread around the Internet.

One interesting feature of DShield.org is that you can obtain graphic and text-based data files of threat trends to incorporate into your own Web pages. The data shows the current most frequently probed ports as well as the IP addresses that are conducting the most probing. This can provide information about current trends at a glance. DShield.org operates in association with the SysAdmin, Audit, Network, Security (SANS) Institute \[http://isc.sans.org\], which hosts the Internet Storm Center. The Internet Storm Center offers additional information, such as threat-analysis reports.

myNetWatchman \[http://www.mynetwatchman.com\] is a free public service without any membership requirements. The myNetWatchman Web site home page is basic and doesn't provide the extensive information that DShield.org provides, but it's useful in conjunction with the other threat-analysis information networks.

Symantec's DeepSight Analyzer \[http://analyzer.securityfocus.com\] is a free service, but only participants who provide IDS and firewall logs can view aggregate information that the service provides. The service's Web site home page has a basic display of threat counts, but no further useful details for visitors. To learn more about the service, visit the Web site, and consider joining the network if it supports your particular IDS or firewall. Symantec also offers a paid service, DeepSight Threat Management System \[http://enterprisesecurity.symantec.com/products/products.cfm?productid=158\], which offers alert and notification information tailored to your IT infrastructure.

ISS's XFTAS \[https://gtoc.iss.net\] is a paid annual service similar to the Symantec paid offering. Customers receive access to helpful security-related information and can personalize their accounts to obtain the information they need.

Joining one or more of these networks can increase your ability to keep your network secure, which leads to a better Return on Investment (ROI) for your overall security budget (and might even increase productivity and free up time and money for other security resources). If your budget allows, consider subscribing to the paid services that ISS and Symantec offer. If you can't afford such security resources right now, know that you can participate in DShield.org and myNetWatchman by investing some of your time.

Please take a moment to respond to the current Security Administrator Instant Poll question \[http://www.secadministrator.com\], "Do you participate in an 'early warning' network that gathers forensic information from firewall and Intrusion Detection System (IDS) logs?" If you know about additional threat-analysis networks, send me an email message about them.