Thursday 16 February 2012

Marty Roesch pushes collective analysis, underscores cyberthreat intelligence

There are myriad security systems collecting threat data, and the challenge for enterprises is working out how to make sense of all that information in order to gain real-time knowledge of attacks.


Marty Roesch, the founder and CTO of Sourcefire, sees active cyberthreat intelligence as the key piece of combating targeted attacks. In Roesch's vision, the IDS and IPS technology that monitors network activity should be combined with greater visibility on the endpoint to gain a better understanding of attacks in progress. He is using the company's $21 million acquisition of Immunet to build out a real-time intelligence network.

The company recently announced the launch of FireAMP, an agent-based component built from Immunet that, once deployed, sends threat intelligence data to Sourcefire's servers, where it is analyzed, put into a global database and shared via alerts with other users. Roesch said the goal is to enhance the ability of the company's systems to detect and quickly block malicious files that target zero-day vulnerabilities, as well as other malware that frequently slips past signature-based security systems.

“When Firefox launches another executable and that executable starts downloading other software that starts installing itself, we have visibility into some of these kinds of things,” Roesch said. “We even have the power to regulate what happens next by blocking it.”
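The behaviour Roesch describes (a browser spawning an executable that reaches out to the network, drops another executable and launches it) is a process-lineage pattern an endpoint agent can flag before any signature exists. The following is an added illustration, not Sourcefire or FireAMP code: it walks constructed endpoint telemetry (the event field names and the sample processes are assumptions for this example, not any product's schema) and reports the browser-to-dropper-to-install chain while ignoring a benign browser child that never touches the network or writes an executable.

```python
"""Added example (not Sourcefire/FireAMP code): flag the process lineage
browser -> child executable -> network download -> dropped executable -> new process
from constructed endpoint telemetry."""

# Constructed sample telemetry, loosely modelled on EDR process/network/file events.
# Field names and process names are assumptions for this example only.
EVENTS = [
    {"ts": 1, "type": "process_start", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"ts": 2, "type": "process_start", "pid": 200, "ppid": 100, "image": "firefox.exe"},
    {"ts": 3, "type": "process_start", "pid": 300, "ppid": 200, "image": "update_helper.exe"},
    {"ts": 4, "type": "net_connect",   "pid": 300, "dst": "203.0.113.9:80"},
    {"ts": 5, "type": "file_write",    "pid": 300, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"},
    {"ts": 6, "type": "process_start", "pid": 400, "ppid": 300, "image": "svc.exe"},
    # Benign noise: the browser opens a PDF reader that never connects out or writes executables.
    {"ts": 7, "type": "process_start", "pid": 500, "ppid": 200, "image": "AcroRd32.exe"},
]

BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".msi")


def build_process_table(events):
    """Fold the event stream into one record per process: parent, image,
    whether it made a network connection, executables it wrote, and children."""
    procs = {}
    for e in events:
        if e["type"] == "process_start":
            procs[e["pid"]] = {"ppid": e["ppid"], "image": e["image"],
                               "net": False, "dropped": [], "children": []}
    for e in events:
        if e["type"] == "net_connect" and e["pid"] in procs:
            procs[e["pid"]]["net"] = True
        elif (e["type"] == "file_write" and e["pid"] in procs
              and e["path"].lower().endswith(EXEC_SUFFIXES)):
            procs[e["pid"]]["dropped"].append(e["path"])
        elif e["type"] == "process_start" and e["ppid"] in procs:
            procs[e["ppid"]]["children"].append(e["pid"])
    return procs


def find_browser_dropper_chains(events):
    """Return one alert per browser child that downloaded something, wrote an
    executable, and then launched a process whose image matches a dropped file."""
    procs = build_process_table(events)
    alerts = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        # Stage 1: the process must be a direct child of a browser.
        if not parent or parent["image"].lower() not in BROWSERS:
            continue
        # Stage 2: it talked to the network and wrote at least one executable.
        if not (p["net"] and p["dropped"]):
            continue
        # Stage 3: it then started a process whose image name matches a dropped file.
        dropped_names = {path.rsplit("\\", 1)[-1].lower() for path in p["dropped"]}
        spawned = [c for c in p["children"] if procs[c]["image"].lower() in dropped_names]
        if spawned:
            alerts.append({"browser_pid": p["ppid"], "dropper_pid": pid,
                           "installed_pids": spawned, "dropped": p["dropped"]})
    return alerts


if __name__ == "__main__":
    for alert in find_browser_dropper_chains(EVENTS):
        print("browser-dropper chain:", alert)
```

The three stages are deliberately cumulative: a browser launching a helper is common, a helper reaching the network is common, but a browser child that downloads, writes an executable and then runs it is the install-itself behaviour the quote singles out, which is the point at which an in-line agent would decide whether to block the new process.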

When Roesch talks about the future of IPS, he talks about further integration with network security systems. The company is working on building deeper integration with its next-generation firewall, adding more situational awareness to all of its security products.

Andrew Hay, a senior security analyst at the 451 Group, said Sourcefire is moving in step with the rest of the security industry in using threat intelligence data to create more offensive security technologies. Sourcefire has had the foresight to build out its IDS and IPS appliances into other areas because the market for IDS/IPS has become somewhat commoditized, he said. Sourcefire introduced a next-generation firewall built off its core IDS technology. The company surprised industry observers by buying Immunet, an endpoint security company, but the introduction of FireAMP helps give a clearer picture of Roesch's strategic vision, Hay said.

“The more of those who use it, the simpler it will likely be, since it uses the ability of collective intelligence, and that was the concept that made Immunet an acquisition target in the first place,” Hay said.

NetWitness: Forensics tools with analytics for threat intelligence


RSA, which acquired the NetWitness network security monitoring platform last year, credits its deployment of the system with quickly detecting its SecurID breach. At a recent media day during which RSA executives shared information about the breach and the company's future product roadmap, NetWitness was positioned as an intelligence-gathering tool that, with the right analytics, could help detect and block targeted attacks. The company is working on improving the system's analytical capabilities, and engineers are busy building connectors to RSA's Archer governance, risk and compliance suite to provide reporting capabilities and an easy-to-use management console.

But Roesch said Sourcefire and other IPS and IDS vendors should not feel threatened by the NetWitness technology. NetWitness systems are not usually deployed in-line, he said, adding that knowledgeable IT professionals (typically computer forensics investigators) must ask NetWitness the right questions in order to get any meaningful data out of the system.

“That thing collects quite a lot of data and it's pretty raw,” Roesch said. “It will be interesting to see if their approach scales to solving the type of problems we solve, just knowing what I know about their sensing and collection infrastructure.”

Eddie Schwartz, CSO of RSA, believes that applying more powerful analytics to the data gathered by NetWitness systems could help companies find trouble before an attack exposes sensitive data.

“We're working to construct visibility into unusual patterns of behavior,” Schwartz said. “It's about having powerful analytical capabilities, as it isn't so simple as staring at a small amount of traffic. Looking at all the data we're collecting gets much more complicated.”

RSA NetWitness plays in a niche field with its deep packet inspection technology. The company competes head-on against Solera Networks, which makes appliances that can be used by forensics teams. Fidelis Security Systems Inc. also competes in the space and uses sensors to identify malware infections and alert when an issue is detected. Fidelis claims its technology can supersede firewalls and conventional DLP products.

Correlation of enormous amounts of data does not mean causation, said Pete Lindstrom, research director at Spire Security. More powerful analytics could help security teams after a breach, but developing a way to make NetWitness detect attacks in progress could be difficult, Lindstrom said.

“There's a presumption that more data is healthier and I don't deny it, but I also don't believe it's proven in relation to security technologies,” Lindstrom said. “RSA has an outstanding forensics tool and it's arguably the best, so I do not see them taking it in a wholly different direction.”

The 451 Group's Hay said RSA has been busy integrating NetWitness into its product portfolio. The company introduced NetWitness Panorama, which takes its full packet capture and analytics capabilities and combines them with the log collection capabilities of the RSA enVision SIM. The company is also improving NetWitness' reporting capabilities, tying it into RSA's Archer GRC suite.

“They would like to get closer and closer to real time, and I can see that with alerting, but the fact remains you could collect terabytes of data and you would still need human bodies in seats to study all that data as it comes in,” Hay said. “I don't see them putting NetWitness inline and doing active blocking.”
