ITPRO

Printed from www.itpro.co.uk


Sourcefire 3D

By Ian Murphy, 3 Jan 2007


Price as reviewed: £25,000 (Sourcefire 3D Suite starting price); £2,659 (Intrusion Sensors starting price); £20 per node for RNA, falling to £2 per node for volumes in excess of 131,000 nodes; all exc VAT

Editor's choice

An example of this is the Slammer worm, which exploits a buffer overflow in the SQL Server 2000 Resolution Service on UDP port 1434. If the machines running SQL Server on your network have been patched against it, a detected Slammer probe will simply be ignored, provided RNA's picture of those hosts is current. There is no point in sending alerts for something that isn't real. Compare this with the average firewall or stand-alone IDS, which will alert because it has matched a Slammer signature but knows nothing about the internal systems it is protecting.

The result should be a massive reduction in false positives, allowing your security team to concentrate on the alerts they genuinely need to deal with rather than chasing ghosts.
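The target-aware filtering described above, as an added example written for this page rather than code from Sourcefire: an alert is classified against an asset inventory, and only hits on hosts that really expose the attacked service without the fix are escalated. Hosts the inventory knows nothing about are kept, since an inventory gap is not a reason to stay quiet. The asset and alert data are constructed; the Slammer facts (UDP/1434, SQL Server Resolution Service, fixed by MS02-039) are real, and the `target_service` and `fixed_by` fields are this example's own way of describing what a signature exploits.

```python
"""Target-aware alert triage (added example, not Sourcefire code)."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    """What passive discovery knows about one host (constructed data)."""
    ip: str
    os: str
    services: dict = field(default_factory=dict)   # port -> service name
    patched: set = field(default_factory=set)      # advisory IDs applied


@dataclass
class Alert:
    """A signature hit plus what the signature exploits (hypothetical fields)."""
    msg: str
    dst: str
    proto: str
    dport: int
    target_service: str    # service the exploit needs to find on dport
    fixed_by: str          # advisory that closes the hole


# Constructed inventory: one patched SQL host, one unpatched, one non-SQL host.
ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", "Windows 2000",
                      {1433: "ms-sql-s", 1434: "ms-sql-m"}, {"MS02-039"}),
    "10.0.0.6": Asset("10.0.0.6", "Windows 2000", {1434: "ms-sql-m"}),
    "10.0.0.7": Asset("10.0.0.7", "Linux", {22: "ssh", 80: "http"}),
}


def assess(alert, assets):
    """Classify one alert against the inventory. Returns (level, reason)."""
    asset = assets.get(alert.dst)
    if asset is None:
        return "unknown", "no inventory entry for %s; cannot judge" % alert.dst
    running = asset.services.get(alert.dport)
    if running != alert.target_service:
        return "not vulnerable", "%s:%d runs %s, not %s" % (
            alert.dst, alert.dport, running or "nothing", alert.target_service)
    if alert.fixed_by in asset.patched:
        return "not vulnerable", "%s has %s applied" % (alert.dst, alert.fixed_by)
    return "vulnerable", "%s exposes %s on %d without %s" % (
        alert.dst, alert.target_service, alert.dport, alert.fixed_by)


def triage(alerts, assets):
    """Keep only what an analyst should see: confirmed vulnerable targets and
    targets the inventory cannot vouch for. Returns [(dst, level), ...]."""
    keep = []
    for a in alerts:
        level, _ = assess(a, assets)
        if level != "not vulnerable":
            keep.append((a.dst, level))
    return keep


def slammer_alert(dst):
    """Constructed Slammer-style hit against one destination host."""
    return Alert("Slammer probe", dst, "udp", 1434, "ms-sql-m", "MS02-039")


if __name__ == "__main__":
    for dst in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.99"):
        print(dst, assess(slammer_alert(dst), ASSETS))
```

Of the four probes, only 10.0.0.6 (SQL listener present, no MS02-039) is reported as vulnerable and only 10.0.0.99 (not in the inventory) is passed through as unknown; the patched host and the Linux box are suppressed. The whole scheme is only as good as the inventory, so the "unknown" path matters: silencing alerts for hosts you have not profiled is exactly how a real infection gets missed.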

The last element, the Defence Centre, covers rules, management and reporting. It acts as a filter engine for the data coming from the Intrusion and RNA (Real-time Network Awareness) Sensors, letting operators manage security from a single point rather than having to touch each sensor constantly.

Most security products look at an alert and simply respond to it. The Defence Centre uses pivot tables to let you find correlations between attacks. This is critically important in an age where attacks can easily bypass your perimeter protection via USB drives, mobile phones, MP3 players and the like.

When an attack is detected, you can go back and find the machine that was the point of origin. From there you can look at its communications with other computers and spot unexpected bursts of traffic or excessive numbers of connections. This allows you to map and predict the spread of an attack internally.

You can then start to isolate and stop the attack, clean the network and build a profile of how the incident occurred. This is extremely sophisticated and well ahead of other products on the market.
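The origin-and-spread analysis described in the two paragraphs above, as an added example over a constructed connection log (not Sourcefire code): the "bursts of traffic or excessive connections" test picks out the origin host, and a time-ordered walk of the log maps who that host could have infected, who they infected in turn, and when. Records are `(timestamp, src, dst, proto, dport)`; 1434/udp is the Slammer port, and the addresses and times are made up.

```python
"""Patient zero and spread mapping over a flow log (added example)."""
from collections import defaultdict

# Constructed flow log. 10.0.0.6 is assumed infected at t=100.
FLOWS = [
    (90,  "10.0.0.6",  "10.0.0.5",  "udp", 1434),   # pre-infection traffic
    (101, "10.0.0.6",  "10.0.0.8",  "udp", 1434),
    (102, "10.0.0.6",  "10.0.0.9",  "udp", 1434),
    (103, "10.0.0.6",  "10.0.0.5",  "udp", 1434),
    (104, "10.0.0.6",  "10.0.0.12", "udp", 1434),
    (105, "10.0.0.8",  "10.0.0.10", "udp", 1434),   # second-hop spread
    (106, "10.0.0.9",  "10.0.0.7",  "tcp", 22),     # unrelated admin ssh
    (107, "10.0.0.7",  "10.0.0.11", "udp", 1434),   # 10.0.0.7 was never infected
    (108, "10.0.0.10", "10.0.0.6",  "udp", 1434),   # back to the origin
]


def outbound_bursts(flows, window, threshold):
    """Hosts that open more than `threshold` outbound connections within any
    `window` seconds. A scanning worm shows up here long before anyone
    reads the individual alerts."""
    by_src = defaultdict(list)
    for t, src, _dst, _proto, _port in flows:
        by_src[src].append(t)
    bursty = set()
    for src, ts in by_src.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):
            while ts[i] - ts[j] > window:      # slide the window's left edge
                j += 1
            if i - j + 1 > threshold:
                bursty.add(src)
                break
    return bursty


def trace_spread(flows, origin, t0, proto, port):
    """Forward propagation from `origin`, infected at `t0`: a host becomes
    infected the first time an already-infected host contacts it on the worm
    port, and only from that moment can it infect others. Returns
    host -> (time_infected, infected_by); the origin's parent is None."""
    infected = {origin: (t0, None)}
    for t, src, dst, p, dport in sorted(flows):
        if (p, dport) != (proto, port) or dst in infected:
            continue
        if src in infected and infected[src][0] <= t:
            infected[dst] = (t, src)
    return infected


if __name__ == "__main__":
    print("bursty sources:", outbound_bursts(FLOWS, window=5, threshold=3))
    for host, (t, parent) in sorted(trace_spread(FLOWS, "10.0.0.6", 100, "udp", 1434).items(),
                                    key=lambda kv: kv[1][0]):
        print("%5d  %-10s  via %s" % (t, host, parent))
```

The burst test flags 10.0.0.6 alone (four outbound connections in five seconds), and the trace then shows 10.0.0.8, 10.0.0.9, 10.0.0.5 and 10.0.0.12 as first-hop victims and 10.0.0.10 as a second hop through 10.0.0.8; the t=90 contact is ignored because it predates the infection, and 10.0.0.7's later probe is ignored because nothing infected it. The trace assumes every host contacted on the port is exploitable, so in practice you cross it with the inventory to drop patched targets.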

To make this process easier to see, there is a set of 3D modelling tools you can use to visualise the spread of an attack. This provides more than just security information; it can give an organisation an insight into the relationships and information flows throughout its business. It also feeds into compliance requirements, in that it can show how likely it is that information has breached internal safeguards.

While Sourcefire owns the intellectual property for Snort, it has kept it free and available to the wider community. Taking that knowledge and then pulling it back, with additional features, into its Intrusion Sensor is a clever move. It means there are plenty of developers in the market who already know the product, and that the product is widely accessible. As other security companies look to use Snort in their products, it has the added advantage that knowledge gained is not knowledge lost should you choose to change security vendor.

Sourcefire takes advantage of the integration between the Snort Rules Engine and the Detection Engines to simplify the deployment of new rules. This single-rule, multiple-engine approach is a very fast and simple way to deploy security. It also ensures that when rules are updated there is no mismatch between the rule bases of the different engines, which could otherwise open a temporary window of vulnerability. Sourcefire sends out new rules every two weeks, or sooner should a specific threat emerge.
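The mismatch the paragraph above warns about is easy to check for on any Snort-based deployment. As an added example (not Sourcefire's tooling), the following reads the rules file each engine is actually running, extracts every active rule's `sid` and `rev`, and reports any sid that is missing on an engine or present at a different revision. The rule text is constructed and uses the local-rules sid range (1000000 and above) so it collides with nothing real; the engine names are hypothetical.

```python
"""Rule-set drift check across detection engines (added example)."""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Map sid -> rev for every active rule in a one-rule-per-line file.
    Commented-out (disabled) rules are skipped; a rule with no rev is
    recorded as rev 0 so it still participates in the comparison."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        rev = REV_RE.search(line)
        rules[int(sid.group(1))] = int(rev.group(1)) if rev else 0
    return rules


def rule_drift(engines):
    """engines: engine name -> rules text. Returns {sid: {engine: rev}} for
    every sid whose presence (None = absent) or revision differs between
    engines; an empty dict means all engines run the same rule base."""
    parsed = {name: parse_rules(text) for name, text in engines.items()}
    all_sids = set().union(*parsed.values())
    drift = {}
    for sid in sorted(all_sids):
        revs = {name: rules.get(sid) for name, rules in parsed.items()}
        if len(set(revs.values())) > 1:
            drift[sid] = revs
    return drift


# Constructed rule files: sensor-b missed the last update and has one rule
# disabled, plus a rule nobody pushed to sensor-a.
SENSOR_A = """
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"LOCAL SQL resolution service probe"; content:"|04|"; depth:1; sid:1000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL suspicious URI"; content:"/cmd.exe"; nocase; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"LOCAL SMB probe"; flow:to_server; sid:1000003; rev:1;)
"""

SENSOR_B = """
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"LOCAL SQL resolution service probe"; content:"|04|"; depth:1; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL suspicious URI"; content:"/cmd.exe"; nocase; sid:1000002; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"LOCAL SMB probe"; flow:to_server; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL IRC from server segment"; sid:1000004; rev:1;)
"""

ENGINES = {"sensor-a": SENSOR_A, "sensor-b": SENSOR_B}


if __name__ == "__main__":
    for sid, revs in rule_drift(ENGINES).items():
        print(sid, revs)
```

Run against the two constructed files it reports three problems: sid 1000001 is at rev 3 on one sensor and rev 2 on the other, sid 1000003 is disabled on sensor-b, and sid 1000004 exists only on sensor-b. A clean run returns an empty dict, which is the state a "single rule, multiple engines" deployment should always be in between updates.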

The GUI is perhaps the most disappointing aspect of the whole system. The problem is that there is so much to do and so many things to work with that the GUI is fighting a losing battle against information overload. Sourcefire needs to think about how it can improve this.

Sourcefire could also do a little more in terms of extra wizards and tutorials. It also needs to work a little harder on the certified training side and align it with some of the wider industry objectives on security. Despite these criticisms, this is the most sophisticated security tool I've ever tested, and it sets a real standard for other vendors to try to match.
