Saturday, June 19, 2004

Network Monitoring Products Reviewed by NWC

A few years ago while consulting for Foundstone I was asked to name a product which would inspect traffic exiting the enterprise. The goal was to identify unauthorized transmission of sensitive documents or data. Aside from a customized signature-based approach, I could not think of any off-the-shelf product with this capability. After reading Monitoring Data Departures by Lori MacVittie in the 27 May 04 issue of NWC, I learned of Vontu's Vontu Protect 3. Some of its claims are amusing, like "No false positives — every incident reported is a genuine policy violation." This is also true for signature-based intrusion detection systems, if one accepts (as I do) that an IDS which alerts based on a rule is merely doing what it was told to do. It's up to a decision maker to guide the policy that an administrator implements, and it's an analyst's responsibility to judge the likelihood that a given event represents a security incident. If Vontu would like me to take a look at their product, feel free to contact me at blog at taosecurity dot com.

Two weeks earlier, NWC's Well-Connected Awards were published, complete with the most disgusting cover I've ever seen on a technical magazine. That earned the print edition a place in my circular bin, but the security awards were interesting. The "Network Behavior Anomaly Detection" award went to Q1 Labs, whose QVision tool seems to have been renamed QRadar. NWC liked this network behavior visualization product better than similar offerings from Arbor Networks and Lancope. Anyone interested in having me do a technical review of your product, please email blog at taosecurity dot com.
