ArcSight Counters Threats Unseen

By Jeremy Jarrell

Updated: As malicious breaches of network and information security steadily increase, the pursuit of methods for anticipating and controlling such attacks intensifies.

The need to spot and combat attacks is essential, and current Security Information Management (SIM) technology, with sufficient rules in place, enables security analysts to do just that. However, of rising concern for security managers are ways to identify attacks that they don’t know exist. All too often, “zero day” and “low and slow” attacks go entirely unnoticed until it is too late.

Sunnyvale, Calif.-based ArcSight, a provider of enterprise security information management software, said Monday it has the cure. The company is releasing TruThreat Discovery 1.0, a network-wide application that makes use of complex data mining processes to alert enterprises of potential security threats.

Visible throughout an entire network, TruThreat Discovery analyzes previously unnoticed associations between the innumerable alerts generated daily by company firewalls and their intended targets, establishing heretofore unseen or overlooked relationships between the two and allowing companies to better counter threats, even those that have not yet been successful in their attempts.

Similar to those utilized in monitoring business trends, such as new customer behavior, TruThreat Discovery employs sophisticated techniques to discover connections among threatening patterns that may be hidden within millions of security alerts, logs and intrusion detection systems.

“Most attacks have multiple aspects to them,” Scott Crawford, senior analyst at Enterprise Management Associates, told “If it’s a blended threat, they’ll have a number of components — a transport mechanism, a replication mechanism, a propagation mechanism — and you need some way to correlate each one of those attributes when they’re detected in order to truly characterize what it is.”

Whether it is automated or a human threat, the core components of an attack
are typically the same. “People will do a similar thing,” explained Crawford. “They will scan a network, locate a vulnerability, exploit that vulnerability and gain access.”

“There will always be multiple dimensions to and a sequence of events that characterize an attack. That is what [ArcSight] is pulling together, and it gives better visibility into the real nature of the threats. [TruThreat Discovery] will due a better job of filtering out false positives because it is not flat; it’s not one-dimensional. It combines the multiple aspects of an attack as well as its context within the network”

ArcSight’s application is also designed to discover and manage internal security assaults, particularly those operating within a standard set of rules or behavior that seemingly fits within the limits of typical network activity. TruThreat Discovery examines and establishes correlations between such ostensibly benign patterns and offers early warning of emerging threats.

“I would characterize this trend as ‘contextually aware security,'” said Crawford, “but it is also, in general, a reflection of greater intelligence and greater correlative ability in management.”

TruThreat Discovery effectively operates without the need for pre-programming, offering a broad post-detection analysis and response system within its Security Information Management software. Available to an enterprise’s security analyst, the application’s decision support system offers a variety of tools with which to evaluate suspicious activity discovered by ArcSight’s Discovery Engine, and allows immediate action to be taken, such as initiating a direct response to the threat or automatically creating a rule to detect future forms of the threat.

Corrects prior version to clarify Security Information Management (SIM)

News Around the Web