| Technology | Device | Network | Company | Description | Use |
|---|---|---|---|---|---|
| Anti-Virus | √ | | McAfee, Symantec, ESET, Kaspersky | Signature-based protection against known threats, usually on endpoint devices. Low cost, easy to use and a necessary primary first line of defense in any IT system. | End-Point Protection |
| Firewall | √ | √ | Palo Alto Networks, Check Point, ZoneAlarm, McAfee, Kaspersky | Examines incoming or outgoing packets and allows or disallows their transmission or acceptance on the basis of a set of configurable rules called policies. Although firewalls are an indispensable shield to deploy, they require knowledge of attacks in order to be effective and are thus vulnerable to zero-day threats and sophisticated attacks. Furthermore, they have no visibility into the attack preparation, propagation, result and identity of the attacker. For example: • How did the attack start? • How did the attack reach the customer perimeter? • How was the attacker able to infiltrate the customer network? • Who is behind an IP address? • How much can the customer trust the IP address(es) associated with the detected attack? | Policy, Acceptable Use |
| IDS/IPS | | √ | TippingPoint, Sourcefire, Cisco, Check Point | They detect unwanted manipulation of end-hosts and several types of malicious behavior, such as network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware. Some IDS/IPS systems have been adding anomaly detection to complement SNORT signatures. Although IDS are capable of detecting zero-day. | Malicious Activity, Policy Violations |
| Dataflow/Peakflow | | √ | Arbor Networks | Primarily Layer 4 visibility. Provides anomaly detection, usually targeted at specific anomalies, e.g. DDoS or SYN-flood attacks. Limited in content and context. Dataflow can be used as input to other security software, e.g. Network Intelligence type systems or a SIEM/SEM. | Layer 4 Behavioral Anomalies, DDoS |
| Forensics | √ | √ | Solera Networks, NikSun, NetWitness | Forensics entails the capture, recording and analysis of network events in order to discover the source of security attacks and misuse of network resources. It normally requires some means to capture the information, including the use of Deep Packet Inspection devices. Passive forensic analysis, sometimes called "catch it if you can" systems, requires the operator to store flow and packet records in an external database. Data is kept for a limited amount of time which can be configured by the operator according to their needs and available storage (i.e., a trade-off between the rate at which data is exported, the granularity of the time scale at which forensics has to be performed, and the duration for which the data has to be kept in the database). Active forensic analysis, also known as "stop, look, listen" systems, provides forensics on demand. This enables the operator to retrieve information directly from the network as required and as the analytics are designed. | Forensic After-the-Fact Analysis of Causes of Security Incidents, Attribution |
| SIEM/SEM | √ | √ | ArcSight, Q1 Labs | Event manager that takes events from a variety of devices and network elements as input. They enable SOC efficiency by correlating dispersed and unassociated security events. A SEM system gives the operator access to all logs through a consistent central interface. Events can be parsed for significance as they reach the SEM, and alerts and notifications can be sent immediately to interested parties as warranted. Unfortunately, SEMs provide only basic correlation using security events, logs and SNMP traps, and thus lack key pieces of information such as • visibility into traffic packets and flows (Layer 2 through Layer 7 of the OSI stack), and • routing (IGP, BGP). Current SEMs are not designed to process millions of events per second, since they were architected and designed for enterprise networks. These are non-signature-based approaches and therefore complement traditional security software. | Correlation Across Network and End-Point Devices, Prioritization of Events |
| Network Behavior Analysis | | √ | Lancope, Mazu | They enable SOC efficiency by correlating and analyzing raw traffic flows and routing events, and are thus complementary to a SEM system; it is common to find one feeding the other. Strengths of an NBAD system include • the ability to detect a wide range of abnormalities and threats targeting data and routing, because NBADs are built on cutting-edge engines that use advanced data stream processing to search for network traffic abnormalities, and • high scalability, i.e., they are designed to correlate and process millions of events per second in real time. Due to the wider and more complete view of traffic activity and the associated network responsiveness, an NBAD system provides unique insight into the attack preparation, propagation and real breadth of the attack. | Anomaly Detection, Non-Signature |
| Network Intelligence | | √ | Qosmos, Procera | Network Intelligence (NI) is a technology that builds on the concepts and capabilities of Deep Packet Inspection (DPI), Packet Capture (PC) and Business Intelligence (BI). It examines, in real time, the IP data packets that cross communications networks, identifying the protocols used and extracting packet content and metadata for rapid analysis of data relationships and communication patterns. NI is used as middleware to capture and feed information to network operator applications for bandwidth management, traffic shaping, policy management, charging and billing (including usage-based and content billing), service assurance, revenue assurance, market research, legal panel analytics, lawful interception and cyber security. It is currently being incorporated into a wide range of applications by vendors who provide technology solutions to Communications Service Providers (CSPs), government and large enterprises. | Anomaly Detection, Non-Signature |
| Dynamic Real Time Traffic Intelligence | | √ | Narus | The logical extension of NBAD, network intelligence, forensics and broad analytics for a comprehensive core defense-in-depth solution, or for total visibility into the happenings in a distributed IP network. Dynamic real-time traffic intelligence combines network intelligence with sophisticated analytics, enabling a defense-in-depth solution to network and security risks. Since it is analytically and behaviorally based, it complements the "big three" (AV, IDS/IPS, Firewall) and provides a more robust systems approach to security and network management. It provides a Layer 2 through Layer 7 view of the total network, giving total visibility into the "digital DNA" of the network. The analytics can be predictive and help the SOC and NOC operator determine potential security risks and potential misuse of network resources. | Anomaly Detection, Non-Signature |
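The Firewall row describes policy evaluation: each packet is matched against an ordered list of configurable rules and either passed or dropped. The following Python is an added illustration written for this page, not code from any of the vendors listed; the rule names, the `Packet`/`Rule` types, the addresses and the policy are all constructed. It also makes the row's limitation concrete: the filter sees only headers, so anything carried inside an allowed service (here, TCP/443) passes regardless of content.

```python
"""Added example (not from the page or any vendor): a minimal first-match
packet-filtering firewall. All names are hypothetical; the packets and the
policy are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    src: str         # source IP
    dst: str         # destination IP
    proto: str       # "tcp" or "udp"
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    direction: str         # "in", "out" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any port

    def matches(self, p: Packet) -> bool:
        # The filter only ever sees headers: addresses, protocol and port.
        return (self.direction in ("any", p.direction)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def evaluate(policy: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; a packet matching no rule gets the default action."""
    for rule in policy:
        if rule.matches(p):
            return rule.action, rule.name
    return default, "default"


# Constructed policy: public HTTPS in, SSH only from the management LAN, any egress.
POLICY = [
    Rule("public-https", "allow", "in", "0.0.0.0/0", "10.0.0.0/24", "tcp", 443),
    Rule("admin-ssh", "allow", "in", "192.168.1.0/24", "10.0.0.0/24", "tcp", 22),
    Rule("block-ssh", "deny", "in", "0.0.0.0/0", "10.0.0.0/24", "tcp", 22),
    Rule("egress-any", "allow", "out", "10.0.0.0/24", "0.0.0.0/0", "any", None),
]


def run_sample() -> List[Tuple[str, str]]:
    """Evaluate a constructed set of packets against POLICY."""
    packets = [
        Packet("in", "203.0.113.9", "10.0.0.5", "tcp", 443),   # anyone may reach HTTPS
        Packet("in", "203.0.113.9", "10.0.0.5", "tcp", 22),    # SSH from the Internet
        Packet("in", "192.168.1.10", "10.0.0.5", "tcp", 22),   # SSH from management LAN
        Packet("in", "203.0.113.9", "10.0.0.5", "udp", 53),    # no rule: default deny
        Packet("out", "10.0.0.5", "198.51.100.1", "tcp", 80),  # outbound web
    ]
    return [evaluate(POLICY, p) for p in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Rule order matters: `admin-ssh` must precede `block-ssh`, otherwise the management LAN is locked out too. Reviewing a policy for such ordering mistakes and for an explicit default-deny is the routine check that goes with this kind of device.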
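The Dataflow/Peakflow and Network Behavior Analysis rows both describe non-signature detection of Layer 4 anomalies such as SYN floods from flow records. This added Python example, written for this page and not Arbor, Lancope or Mazu code, shows the core of that approach: learn a per-target baseline of half-open (SYN-only) flows per second from a training window, then flag later seconds far above it. The `Flow` type, the function names and the sample flows are constructed.

```python
"""Added example (not vendor code): Layer 4 flow-based anomaly detection.
A per-target baseline of SYN-only flows is learned from a training window and
later time buckets far above it are flagged. All names are hypothetical and
the flows are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags observed on the flow, e.g. "S" (SYN only) or "SPA"
    packets: int


def syn_only_counts(flows: List[Flow], bucket_s: int = 1) -> Dict[Tuple[str, int], Dict[int, int]]:
    """Count flows that never got past SYN, per (dst, dport) and per time bucket."""
    counts: Dict[Tuple[str, int], Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.flags == "S":
            counts[(f.dst, f.dport)][f.ts // bucket_s * bucket_s] += 1
    return counts


def detect_syn_anomalies(flows: List[Flow], train_window: Tuple[int, int],
                         k: float = 3.0, min_count: int = 20) -> List[dict]:
    """Baseline = mean + k * stddev of per-second SYN-only counts inside
    train_window (seconds with no SYN-only flows count as 0). Seconds after
    the window that exceed both the baseline and min_count are reported;
    min_count keeps a near-zero baseline from alerting on trivial counts."""
    start, end = train_window
    alerts = []
    for target, per_bucket in syn_only_counts(flows).items():
        train = [per_bucket.get(b, 0) for b in range(start, end)]
        threshold = max(mean(train) + k * pstdev(train), min_count)
        for b in sorted(per_bucket):
            if b >= end and per_bucket[b] > threshold:
                alerts.append({"target": target, "bucket": b,
                               "syn_only": per_bucket[b], "threshold": threshold})
    return alerts


def build_sample_flows() -> List[Flow]:
    """Constructed flows: 10 s of normal traffic to 10.0.0.5:443 (two completed
    connections and one harmless timeout per second), then 60 half-open
    connections from 60 different sources within a single second."""
    flows = []
    for t in range(10):
        flows.append(Flow(t, f"192.0.2.{t + 1}", "10.0.0.5", 443, "SPA", 30))
        flows.append(Flow(t, f"192.0.2.{t + 11}", "10.0.0.5", 443, "SPA", 25))
        flows.append(Flow(t, f"198.51.100.{t + 1}", "10.0.0.5", 443, "S", 1))
    for i in range(60):
        flows.append(Flow(10, f"203.0.113.{i + 1}", "10.0.0.5", 443, "S", 1))
    return flows


def run_sample() -> List[dict]:
    return detect_syn_anomalies(build_sample_flows(), train_window=(0, 10))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The alert carries only what flow records can carry (target, time, count), which is the "limited in content and context" point of the Dataflow row: confirming what was sent, or who was behind it, needs the packet-level forensics or network intelligence tools listed further down.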
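The SIEM/SEM row describes events from many devices being parsed for significance on arrival, correlated, and turned into prioritized alerts. The following Python is an added example written for this page, not ArcSight or Q1 Labs code: it normalizes two constructed log formats (a firewall deny line and an OpenSSH-style authentication line) into one event shape, then runs two correlation rules per source address over a sliding window and escalates when network-side and endpoint-side evidence meet. The rule names, thresholds, hostnames and addresses are all constructed.

```python
"""Added example (not vendor code): a toy SEM pipeline. Log lines from two
sources are parsed into one event shape, then correlated into prioritized
alerts. Formats, hostnames, addresses and rule names are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed formats: a firewall deny line and an OpenSSH-style auth line.
FW_RE = re.compile(r"^(?P<ts>\S+) fw01 DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) bastion sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\w+) from (?P<src>[\d.]+)")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_line(line: str) -> Optional[Dict]:
    """Normalize a raw line into {ts, kind, src, detail}; None if unrecognized."""
    m = FW_RE.match(line)
    if m:
        return {"ts": _ts(m["ts"]), "kind": "FW_DENY", "src": m["src"],
                "detail": f"{m['dst']}:{m['dport']}"}
    m = SSH_RE.match(line)
    if m:
        kind = "AUTH_FAIL" if m["result"] == "Failed" else "AUTH_OK"
        return {"ts": _ts(m["ts"]), "kind": kind, "src": m["src"], "detail": m["user"]}
    return None


def correlate(events: List[Dict], window_s: int = 60,
              fail_threshold: int = 3, scan_threshold: int = 5) -> List[Dict]:
    """Two rules over a sliding window per source address:
    - port_scan: denies to >= scan_threshold distinct dst:port within window_s
    - brute_force_success: >= fail_threshold failed logins followed by a success
    A success from a source already flagged as a scanner is escalated."""
    alerts: List[Dict] = []
    denies: Dict[str, List] = defaultdict(list)
    fails: Dict[str, List[datetime]] = defaultdict(list)
    flagged_scanners = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src, ts = e["src"], e["ts"]
        if e["kind"] == "FW_DENY":
            denies[src] = [(t, d) for t, d in denies[src] if (ts - t).total_seconds() <= window_s]
            denies[src].append((ts, e["detail"]))
            targets = {d for _, d in denies[src]}
            if len(targets) >= scan_threshold and src not in flagged_scanners:
                flagged_scanners.add(src)
                alerts.append({"rule": "port_scan", "severity": "medium",
                               "src": src, "targets": len(targets), "at": ts})
        elif e["kind"] == "AUTH_FAIL":
            fails[src].append(ts)
        elif e["kind"] == "AUTH_OK":
            recent = [t for t in fails[src] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= fail_threshold:
                severity = "critical" if src in flagged_scanners else "high"
                alerts.append({"rule": "brute_force_success", "severity": severity,
                               "src": src, "user": e["detail"],
                               "failures": len(recent), "at": ts})
            fails[src].clear()
    return alerts


# Constructed sample log: a probe of five ports, three failed logins and a
# success from the same address, plus unrelated and unrecognized lines.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2024-05-01T10:00:02Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=25
2024-05-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=80
2024-05-01T10:00:04Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2024-05-01T10:00:10Z bastion sshd[4242]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-05-01T10:00:12Z bastion sshd[4242]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-05-01T10:00:14Z bastion sshd[4242]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-05-01T10:00:20Z bastion sshd[4243]: Accepted password for admin from 203.0.113.7 port 51003 ssh2
2024-05-01T10:00:30Z fw01 ALLOW src=10.0.0.20 dst=198.51.100.1 dport=443
2024-05-01T10:01:00Z bastion sshd[4250]: Accepted password for alice from 10.0.0.20 port 40000 ssh2
"""


def run_sample() -> List[Dict]:
    events = [ev for ev in (parse_line(l) for l in SAMPLE_LOG.splitlines()) if ev]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The escalation step is the row's "prioritization of events": on its own the firewall sees a scanner and the bastion sees a successful login, and only the central correlation of both makes the login the incident to look at first. The `ALLOW` line is silently dropped by `parse_line`, which is also the row's caveat: a SEM knows only what its parsers and sources feed it, not the packets or routes themselves.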