Network security vendor NetCitadel Inc. is trying to streamline and automate security threat assessment and response with a platform it contends will reduce the time required to determine valid security threats.
The platform, ThreatOptics, collects event logs and alerts from multiple network security platforms, analyzes those events and remediates threats by making
The product collects events logs from security products from FireEye, HP ArcSight, Palo Alto Networks and IBM QRadar. It analyzes that data and combines and correlates it with external information from NetCitadel for additional context. Once it has determined that an event is an actual threat and not a false alarm, it can write changes to security infrastructure and -- if security engineers have authorized it to do so -- execute those changes on a variety of security products from Cisco, Juniper Networks, Palo Alto Networks, Check Point Software Technologies, Blue Coat Systems and Fortinet.
"They're trying to speed up threat response by adding additional automation and information-gathering and response tools," said David Monahan, research director at Boulder, Colo.-based Enterprise Management Associates.
Security threat assessment and response is noisy and time-consuming
Threat response is typically a long process for network security pros. They receive alerts from multiple systems, most of which are false positives. Then they must dig through them and look for correlations and patterns that point to an actual vulnerability that they can respond to.
"You get flooded from all the different event alerts occurring from your edge devices all the way into your end-user computing devices," said Kevin Moore, director of IT at Fenwick & West LLP, a Mountain View, Calif.-based technology and life sciences law firm that has beta-tested NetCitadel's product. Moore said his team often struggles to weed out false positives from his FireEye appliances, Symantec Web Gateways, Palo Alto firewalls and Cisco ASAs with IPS modules. Tracking down an infected end-user device that's causing those alerts can take hours or days, he said.
"Going to each of these [security appliances] and going through their logs of events that are occurring or responding to email alerts sent to you by all those devices is time-consuming," Moore said. "We're trying not to respond to all of them because you don't have enough hours in the day to do that. So you try to figure out which ones are the most important through triage, which, in today's environment with targeted attacks, isn't always the best method of operation."
In his beta test of ThreatOptics, Moore and his team have been able to consolidate network security operations by using the appliance's console as a single pane of glass that correlates events and logs from all his other security appliances. He's also enabled it to write rule changes to the firm's Cisco firewalls to remediate problems.
"Let's say it can see command and control traffic going to an IP address that I know is in Eastern Europe or China," Moore said. NetCitadel can automatically write a change to his Cisco firewall to block egress traffic to that IP address, he said. That rule change gives his service desk time to clean up or reimage the infected desktops that are sending that traffic.
Security threat assessment and response: Balancing resources
Threat response remains a challenge for many enterprises, and vendors are attacking the problem from multiple directions, according to Lawrence Orans, research director at Stamford, Conn.-based Gartner Inc. "You're seeing more money being funneled into incident response. [Many] are doing it from the endpoint perspective, and here's a vendor [NetCitadel] that's doing it from the network perspective." Both camps are competing for the same budget, he said.
NetCitadel will appeal to enterprises that have a shortage of security engineers, particularly smaller companies, Monahan said. "Buying one of these is cheaper than hiring security guys," he said. "The smaller the security staff, the more automation you need."