"It's pretty astonishing what shows up knocking on your firewall trying to get in," says Prism Microsystems CEO, A.N. Ananth. Even so, he adds, "Data in the second half of 2007 showed that the internal threat, while less frequent, is more expensive." With insiders now added to a list of threats that includes mutating viruses and target-specific attacks, Ananth believes his company's security information management software, EventTracker, offers a viable solution. EventTracker is a log management solution that incorporates a change monitoring solution—an approach that combines blacklisting with whitelisting.
The security industry, Ananth says, has invested heavily in blacklisting. "It might be limited, but you have to have it. And when we talk about security information management, yes, you have to look at logs but you also have to look at config. We do both."
When it comes to log management versus configuration management, he says, "Most people are grappling with one or the other—log management is more understood." EventTracker blends whitelisting, defining your known good state and comparing it against your systems, with blacklisting.
"Whitelisting is only new as far as hosts are concerned—on the network side we've been doing this for years." But, he adds, "To do whitelisting manually takes hours. You have crises to deal with, then projects you're working on, then beyond that is routine maintenance. How much time do you have to make sure everything is copacetic? Four hours a week? Without a tool to automate whitelisting, you'd be dead."
Roughly speaking, EventTracker's approach involves building a blacklist, then defining a "golden baseline" of a company's systems. Then the solution takes snapshots of the systems and compares them to the golden baseline or to the previous day's activity. "We tune the snapshot, define what's noise and what's interesting," Ananth says. The snapshot is upgraded if valid changes occur, such as the installation of software. Snapshots are stored locally on the machine then moved to a server and compressed. Logs are kept and alerting can be configured as can correlation of events (i.e., an event by itself might not warrant alerting, but certain patterns or combinations of events might justify alerting).
The solution can be scaled down (a major steakhouse chain across the U.S. uses it on the single server at each restaurant location) or scaled up (the U.S. Army and other military forces are also EventTracker users). A day after I spoke with Ananth, the company announced on May 21 that the Department of the Navy had added EventTracker to its list of approved software applications for use in Naval and Marine Corps information technology centers.
The company's sweet spot is the mid-tier market, between 25 servers to 1,000 servers, where, Ananth says, companies are "dependent on IT but have constraints." If you have constraints, or are curious about EventTracker's approach, see the Prism Microsystems Web site for more information: http://www.prismmicrosys.com.