HP combining IPS and SIEM to better fight malware
February 14 2011
HP this week will demonstrate at the RSA Conference how its TippingPoint intrusion detection and prevention (IPS) appliance can work with the ArcSight security information and event management (SIEM) product it acquired late last year to block anomalous threat activity against Web sites.
An IPS can already detect and block a broad range of specific attacks against corporate networks, but HP intends to show how using its IPS in conjunction with a SIEM, which can correlate input from multiple security devices and host sources, extends that capability to stealthier attacks that no single sensor would flag on its own.
One demo will show an attacker opening up shopping carts on an e-commerce site at a fast pace and filling them up, but not making transactions, which could cause something akin to a denial-of-service attack against the Web site, according to Michael Callahan, director of worldwide security marketing at HP. The ArcSight SIEM "would be able to see this," says Callahan. "But then basically you'd have to do something about it."
If the activity can be tied to a specific source address or botnet, the HP TippingPoint device would then decide whether to block it. The so-called "reputation database" used by the TippingPoint appliance would indicate whether the source of the attack is associated with a known malicious botnet or IP address. At its booth, HP will show that it is possible to fully automate the blocking response in various scenarios. Similar demos will be run at a separate ArcSight booth.
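The shopping-cart demo amounts to a correlation rule plus a reputation lookup. The following is an added illustration of that logic, not HP, ArcSight or TippingPoint code: it runs over a handful of constructed application-log lines, flags any source that creates many carts inside a sliding window without ever checking out, and then makes an IPS-style decision that only auto-blocks sources also present in a reputation list (an assumed, toy list here), escalating the rest to an analyst instead. The log format, window size, threshold and sample addresses (RFC 5737 documentation ranges) are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: correlation window
CART_THRESHOLD = 10              # assumption: cart creations per window

# Assumed reputation data. A real feed (such as the ipTrust data mentioned
# in the article) would be large and externally sourced.
REPUTATION_BLOCKLIST = {"198.51.100.7": "known-botnet"}

# Constructed sample log lines: "<ISO timestamp> <source IP> <action>".
# 198.51.100.7 hammers cart creation with no checkout (and has bad reputation),
# 192.0.2.44 does the same but is unknown to the reputation list,
# 203.0.113.9 is a normal shopper who creates one cart and checks out.
SAMPLE_LOG = "\n".join(
    [f"2011-02-14T10:00:{i:02d} 198.51.100.7 cart_create" for i in range(12)]
    + ["2011-02-14T10:00:05 203.0.113.9 cart_create",
       "2011-02-14T10:00:20 203.0.113.9 checkout"]
    + [f"2011-02-14T10:01:{i:02d} 192.0.2.44 cart_create" for i in range(11)]
)


def parse_event(line):
    """Split one log line into (timestamp, source_ip, action)."""
    ts, ip, action = line.split()
    return datetime.fromisoformat(ts), ip, action


def correlate(log_text, window=WINDOW, threshold=CART_THRESHOLD):
    """SIEM-side rule: return {ip: (cart_creates, checkouts)} for every source
    whose sliding window reaches the threshold with zero checkouts.

    A source that checks out inside the window is not flagged, so a busy but
    legitimate shopper does not trip the rule.
    """
    events = sorted(parse_event(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # ip -> (ts, action) pairs inside the window
    flagged = {}
    for ts, ip, action in events:
        q = recent[ip]
        q.append((ts, action))
        while q and ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        creates = sum(1 for _, a in q if a == "cart_create")
        checkouts = sum(1 for _, a in q if a == "checkout")
        if creates >= threshold and checkouts == 0:
            flagged[ip] = (creates, checkouts)   # keep the latest counts
    return flagged


def decide(flagged, reputation=REPUTATION_BLOCKLIST):
    """IPS-side decision for each flagged source.

    Auto-block only when the SIEM anomaly is corroborated by bad reputation;
    an anomaly alone goes to an analyst, which limits self-inflicted outages
    from a false positive on a real customer.
    """
    decisions = {}
    for ip in flagged:
        if ip in reputation:
            decisions[ip] = f"block ({reputation[ip]})"
        else:
            decisions[ip] = "alert"
    return decisions


if __name__ == "__main__":
    hits = correlate(SAMPLE_LOG)
    for ip, verdict in decide(hits).items():
        creates, checkouts = hits[ip]
        print(f"{ip}: {creates} carts, {checkouts} checkouts -> {verdict}")
```

The two-stage split mirrors the demo: the correlation rule alone would also flag 192.0.2.44, which has no reputation history, so the block decision keys on both signals rather than on the anomaly by itself. In practice the threshold and window would be tuned against real traffic for the site, and the decision would be pushed to the IPS as a quarantine or filter rather than printed.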
Bill Veghte, executive vice president of software and solutions for enterprise business at HP, is expected to be discussing how this SIEM-IPS combo and automated blocking would work in his keynote address at the RSA Conference 2011.
Callahan acknowledged that the integration work allowing the TippingPoint IPS and the ArcSight SIEM to work together is still relatively new, but said it is at the stage where it could be used in production networks. He adds that the goal is to analyze information collected from real-world use of the integrated SIEM-IPS system and share what is learned about newly discerned threats with all HP customers using the devices.
In related news, HP will announce enhancements to the Reputation Digital Vaccine Service that TippingPoint uses to block suspicious addresses. HP says it is adding threat-intelligence data from ipTrust, based on about 250 million IP addresses the firm monitors, to the other threat-intelligence feeds HP already uses.
HP will also offer a DV Toolkit that enterprises can use to write customized threat-protection filters when they find that a proprietary in-house application has a vulnerability. A filter written with the DV Toolkit gives the organization a line of defense at the IPS against attacks on that vulnerability, which matters most in the window before the application is fully patched and fixed.