Information Security Support
Frequently Asked Questions
You will find the answers to the most commonly asked questions in regard to our products, solutions and service offerings.
- Market Analysis
- What Is The SIM/SEM/SIEM Market?
"The Heuristically Advanced Warning Konsole (HAWK) consists of a multicomponent solution for the handling and data mining of multiple third party alerting sources. This functionality provides an analyst or administrator the ability to consolidate and correlate information into grouped sets, enabling the user to monitor for intrusion anomalies and/or other critical information related to critical network infrastructure operations.
HAWK uses data retained from external alert sources to logically create associations between similar activities. The similarities are drawn by utilizing data mining and analysis in order to correlate information for secure storage and future retrieval. HAWK logs the correlated data into a historical relational database for future data management."
- How Do You View The Trending Needs In The Security Market?
"Security information management (SIM) products that contain event-log correlation tools streamline the threat identification and assessment processes by looking at individual events as well as sets of events bound by some common parameter. Research firm Datamonitor reports that the market reached $174 million in 2004 and Forrester reports SIM tools are fast becoming must-haves for security teams wanting more visibility into IT activity within their environment. The market is currently growing at a rate of around 50%, and growth will continue to accelerate to $1.13 billion by 2011. Enterprises' need to filter, aggregate, and correlate event information from multiple sources for real-time monitoring and historical analysis will fuel the projected growth.
Since nearly two-thirds of IT professionals are unhappy with their log data management systems, there is plenty of room for improvement. This unhappiness is mostly due to lack of correlation and normalization, areas the HAWK system addresses."
- What Are The Top 2 Reasons For Collecting Log Data?
"Analysis of the Global 2000 reveals that the two top reasons for collecting data are archiving and compliance reporting, which are obviously related. Yet, based on their storage retention uses, organizations are not maintaining these logs indefinitely for compliance purposes. Most (14 percent) are unsure of how long they maintain their logs or they rely on the O/S default for that system. Just over 11 percent store their log information for 30-90 days, and a mere nine percent store their log data for six months or more. This is due to many factors, not the least of which is the sheer volume of data these systems produce and their lack of common format."
- Who is HAWK Network Defense, Inc?
"HAWK Network Defense, Inc. is an application and network security consulting company that recognizes the strengths of an organization built upon cutting-edge technology and the commitment to providing a seamless transition between insecure coding practices and a reliable commitment to secure code. We specialize in security consulting and code auditing. Our researchers have found significant security related vulnerabilities in a number of high profile, enterprise implemented applications.
We offer a multitude of information security focused services including application auditing, hardening, and compliance checks. Why not become proactive in hardening your enterprise applications for your own benefit as well as your clients' benefit? Our solution is twofold: we will help you structure your Software Development Life Cycle to ensure security checks are in place in every stage of the SDLC, and we will audit your source code or closed-source application for security related vulnerabilities."
- What Is HAWK's Target Customer Market?
"HAWK Network Defense has a large focus on the small to medium sized business (SMB), with employee counts ranging from 20 to 20,000. During the initial phases of HAWK's development, key market progress was attained through success with private healthcare organizations and financial institutions handling sensitive information and dealing with regulatory compliance concerns. Although these clients are still a significant focus of HAWK's client base, there is also a need for HAWK's solution in organizations that focus on network security internally, as well as in managed service providers."
- What Are The Two Types Of Event Correlation?
"There are two basic types of correlation: rule-based and statistical. Experts suggest that combining rules and statistics in correlation maximizes effectiveness.
- Rule-based Correlation - As its name implies, rule-based correlation depends on set definitions (rules) to relate events and analyze them in a broader context. A rule is essentially a scenario that an event must follow to be detected as an attack or a failure, applicable both to incoming events and to historical events stored in the database. A rules engine must hold events "in state" for a period of time until other qualifying events trigger an alert or the rule times out for the initial event.
- Statistical Correlation - Statistical correlation relies on accumulated knowledge of normal events to identify patterns, which serve as points of comparison for new events. A pre-set algorithm calculates an incoming event's threat level based on its deviation from the historical norm.
The two basic types of correlation, either independently or in concert with one another, can be employed in a variety of methods, each with specific goals and focuses."
- What Are The Differences With HAWK And Its Competitors?
- HAWK's appliance based solution is perfect for organizations with minimal Information Technology Staff, as it adds to the ever strained network resources
- The HAWK Security Incident Manager arrives absolutely self-contained. This removes the necessity for additional time or resources to handle device configurations.
- The HAWK Security Incident Manager has been designed by leading Information Security Professionals to provide a cutting edge experience and expedited focus of network activity.
- The HAWK Security Incident Manager also comes bundled with a leading edge Intrusion Detection System (SnortIDS). This removes the additional necessary overhead for configuring and tuning these types of advanced detection systems.
- Who Are HAWK's Competitors And How Do They Compare?
ArcSight - ArcSight's major market focus is aimed mainly at the Fortune 500, and it has a critical design difference from HAWK. ArcSight normalizes the thousands of events down to approximately 150, while HAWK avoids reducing the alert count and continues to focus on historical forensic accuracy. This is critical in an active and passive response system that requires additional granularity to decide upon an appropriate action effectively.
Cisco MARS - originally Protego MARS, while considered a SIM appliance, is still very immature when compared to others in this market, especially HAWK. Statistical and rule-based correlation are essential in any SIM product; while these necessities exist in MARS, the product is in fact not real-time. The Cisco MARS appliance relies on NetFlow data streams, which are only collected every 15 minutes, rendering the system unusable for real-time analysis and response.
netForensics - netForensics has become a historical leader in the SIM/SEM/SIEM market, and its antiquated approach to event aggregation and correlation certainly shows. netForensics' attempts at shifting into a more focused real-time monitoring system are seriously limited by its current architecture, design philosophy and publicly stated objectives.
RSA enVision - formerly Network Intelligence, is also an appliance based solution; however, its overall statistical and rule-based correlation is still immature.
- Technical Questions
- How Does The HAWK Event Correlation Engine Work?
"The HAWK Correlation Solution consists of several separate components:
- HAWK Pulse (HCPULSE) - capable of loading dynamic plug-ins supporting a myriad of vendors in order to consistently "pulse" for unique data on remote vendor systems. Vendors include Cisco NIDS, SNMP (v1/v2/v3), Snort IDS, and more.
- HAWK Syslogd (HCSLOGD) - capable of correlating and filtering syslog messages from its myriad of vendor plug-ins with support spanning from Solaris/Linux servers, Novell, Cisco, Juniper, and more.
- The HAWK Information Event Konsole (IEK) acts as the management and data retrieval interface with the relational database. The IEK is the primary method of interacting with HAWK, providing role based access controls for remote multi-tiered administration over secure encrypted sessions. The administrator can set roles based on multiple criteria, ranging from group allowances to granular user roles that allow for the separation of confidential host information and the destruction of system settings or otherwise sensitive data.
The HAWK Information Event Konsole, as the second piece of this solution, allows for historical retrieval of logged information up to a server side configurable period of time. This data is presented to the user in a logical fashion from highest priority alerts to lower priority alerts, all arranged by severity of correlation. This identifies to the analyst exactly the source and trend of either an attacker or a network problem.
Beyond this capability, the HAWK Information Event Konsole also has core functionality that enables tuning of reporting for executive, remediation, and technical reports."
- What Components Are Involved With The HAWK Event Correlation Engine?
"The HAWK Event Correlation Engine requires several separate components working in rhythm, accomplishing many tasks asynchronously. Each component has been assigned specific tasks amongst this complex multi-functional system.
- The foundational component of the HAWK Event Correlation Engine is its relational database. HAWK comes packaged with both PostgreSQL and MySQL relational database support. System Architect Engineers with HAWK Network Defense, Inc. will help provide you with the on-site installation or training necessary for getting the HAWK Event Correlation Engine tuned and functioning properly.
- The HAWK Event Correlation Engine (HAWK ECE) is necessary for collecting, filtering and correlating a myriad of sources, ranging from the most basic logs to advanced multi-relational database sources such as intrusion detection and prevention systems and single sign-on solutions. Each HAWK Event Correlation Engine supports failover with the help of a software or hardware load-balancer and must be logically located within the target network topology in order to properly identify both internal and external internet addresses. The HAWK Event Correlation Engine initiates a securely encrypted session with HAWK's back-end database. This encrypted session allows the control of secure connections without the security risks of a remote virtual network connection.
- The HAWK Information Event Konsole (IEK) is necessary for displaying and reporting the correlated event logs from the advanced multi-relational foundation. Each HAWK Information Event Konsole supports failover with the help of a software or hardware load-balancer and must be able to communicate with the HAWK Event Correlation Database.
HAWK utilizes the Naive-Bayesian Histogram Analysis algorithm to uniquely "fingerprint" known security and performance issues, while establishing a baseline for positive or neutrally acceptable network traffic utilizing standard deviation. HAWK's unique "onion-layer" approach provides a stable, innovative platform for applying a multitude of analysis techniques and combining them into a unique "overall" score.
The technology provides a "single pane of glass" making sense of thousands of events from over 50 vendor lines, including Cisco and Juniper. It can expose and investigate hidden security threats in real-time with customized event correlation sensors tuned to the network's unique activity patterns.
Reporting includes scheduled reports based on the client's needs, detailing activity analysis, average event occurrences, and incident response time-lines."
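A small working illustration of the two correlation types described under "What Are The Two Types Of Event Correlation?" and of the standard-deviation baseline mentioned above: a rule engine that holds failed-logon events "in state" until a success completes the rule or the window times out, and a per-host baseline that scores new hourly counts by their deviation from the historical mean. This is an added example, not HAWK's code; the event format, the rule, the host addresses and the counts are constructed assumptions.

```python
import statistics
from collections import defaultdict, deque

# Constructed sample input (not from the page): (timestamp in seconds, source host, event type)
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "auth_fail"),
    (5, "10.0.0.5", "auth_fail"),
    (9, "10.0.0.5", "auth_fail"),
    (12, "10.0.0.5", "auth_success"),   # three failures then a success inside the window
    (100, "10.0.0.7", "auth_fail"),
    (400, "10.0.0.7", "auth_success"),  # the held failure has timed out by now
]

# Constructed per-hour event counts for one host: five historical hours, then two new hours
SAMPLE_HOURLY = {"10.0.0.9": [10, 12, 11, 9, 10, 60, 11]}


class RuleCorrelator:
    """Rule-based correlation: qualifying events are held 'in state' until a
    completing event arrives within the window, or the rule times out."""

    def __init__(self, window_seconds=60, min_failures=3):
        self.window = window_seconds
        self.min_failures = min_failures
        self.held = defaultdict(deque)  # source host -> timestamps of held auth_fail events

    def feed(self, ts, source, kind):
        """Return an alert dict when the rule completes, otherwise None."""
        held = self.held[source]
        while held and ts - held[0] > self.window:  # rule times out for the initial event
            held.popleft()
        if kind == "auth_fail":
            held.append(ts)
        elif kind == "auth_success" and len(held) >= self.min_failures:
            alert = {"rule": "failures_then_success", "source": source,
                     "failures": len(held), "ts": ts}
            held.clear()
            return alert
        return None


class StatisticalCorrelator:
    """Statistical correlation: score a new observation by how many standard
    deviations it sits from the historical mean for that source."""

    def __init__(self, min_history=5, threshold=3.0):
        self.history = defaultdict(list)  # source host -> accepted historical counts
        self.min_history = min_history
        self.threshold = threshold

    def score(self, source, count):
        """Return a score dict once a baseline exists; otherwise learn and return None."""
        hist = self.history[source]
        if len(hist) < self.min_history:
            hist.append(count)  # still building the baseline
            return None
        mean = statistics.mean(hist)
        sd = statistics.pstdev(hist)
        if sd > 0:
            z = (count - mean) / sd
        else:
            z = 0.0 if count == mean else float("inf")
        anomalous = z > self.threshold
        if not anomalous:
            hist.append(count)  # only normal observations refine the baseline
        return {"source": source, "count": count, "mean": mean, "z": z, "anomalous": anomalous}


def correlate(events=SAMPLE_EVENTS, hourly=SAMPLE_HOURLY):
    """Run both correlators and return (rule alerts, statistical anomalies)."""
    rules = RuleCorrelator()
    stats = StatisticalCorrelator()
    alerts = [a for a in (rules.feed(*e) for e in events) if a]
    anomalies = []
    for source, counts in hourly.items():
        for count in counts:
            s = stats.score(source, count)
            if s and s["anomalous"]:
                anomalies.append(s)
    return alerts, anomalies


if __name__ == "__main__":
    print(correlate())
```

On the constructed input the rule fires once (three failures then a success from 10.0.0.5 within 60 seconds; the 10.0.0.7 failure has expired) and the baseline flags only the 60-event hour.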
- What Network Firewall Configurations Are Necessary To Operate HAWK?
"The HAWK Event Correlation Engine may require specific firewall configuration changes in order to allow complete communication with each device assigned in the architecture. The following ports and protocols must be available for it to accomplish its tasks:
- Port 40001 (TCP) is used for the encrypted communication links between the HAWK ECE, HAWK Event Database, and the HAWK IEK interface. The encrypted and protected data found within this stream of communication relates directly to the information displayed on the HAWK Information Event Konsole.
- Port 514 (UDP/TCP) is used for rfc3418 syslog compliant event log streams detected from available sources.
- Port 5140 (TCP-SSL) is used for rfc3418 syslog compliant event log streams detected from available sources communicating over a secure socket layer encrypted channel.
- Port 161/162 (UDP/SNMP) is used for snmp compliant event log streams detected from available SNMP v1/2c/3 protocols.
These protocols are allowed by default, but you must ensure that these ports are open for communication with the HAWK Event Correlation Engine."
- How Many Custom Alert Signatures Come With HAWK?
"The HAWK Event Correlation Engine ships with over 1,800 signatures for over 50 supported vendors. These vendors include:
- Anti-Virus Vendors:
- ClamAV Anti-Virus - Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates.
- CA (eTrust) Anti-Virus - CA Anti-Virus for the Enterprise is the next generation in comprehensive anti-virus security for business PCs, servers and PDAs. It combines proactive protection against malware with new, powerful management features that stop and remove malicious code before it enters your network, reducing system downtime.
- Symantec Norton Anti-Virus - Defend and enhance the performance of your PC with Symantec Norton Anti-Virus
- TrendMicro Anti-Virus - Whether you are at home or on the go, safeguard your online transactions, identity, and irreplaceable files with the most comprehensive protection available.
- CimCor Host Intrusion Detection Systems - CimTrak protects your critical IT assets against any unauthorized change. It monitors, detects, instantly recovers, quarantines, and helps you analyze change attempts to servers and network devices that are not authorized.
- Network Firewall Vendors:
- 2WIRE Home Portal - 2Wire HomePortal gateways include an array of the most common home networking technologies accommodating a variety of service provider and subscriber environments. Flexible networking options include high-powered 802.11g wireless, Ethernet, HomePNAv3, MoCA, and USB.
- Check Point Network Firewalls - Check Point Firewall/VPN solutions provide organizations with the world's most proven solution, used by 100% of the Fortune 100. They enable organizations to protect the entire network infrastructure and information with a unified security architecture that simplifies management and ensures consistent, up-to-date security everywhere.
- Cisco Network Firewall Solutions - A reliable firewall is the hallmark of a secure network. Networks support sensitive, crucial applications and processes, and provide a common infrastructure for converged data, voice, and video services; firewall security is a primary concern. Instead of providing only point products that set a base level of security, Cisco embeds firewall security throughout the network and integrates security services in all of its products. Firewall security becomes a transparent, scalable, and manageable aspect of the business infrastructure.
- SonicWall Network Firewall - SonicWALL's advanced network security solutions are engineered to deliver the utmost security, while eliminating cost and complexity. Each SonicWALL network security appliance can be configured and customized with an expanding array of security services into a comprehensive layered solution that can integrate seamlessly into any network environment.
- WatchGuard Network Firewall - The WatchGuard UTM security appliances deliver the industry's best combination of strong security, reliability, and performance, all at a compelling price point. IT administrators have granular controls to manage the network, with unprecedented visibility into network activity. Continually updated security subscriptions boost protection in critical attack areas to block spam, spyware, web-based exploits, and blended threats for comprehensive defenses.
- Network Intrusion Detection & Prevention Vendors:
- AirMagnet Wireless IPS - Continuous monitoring and protection of all your wireless assets worldwide. AirMagnet Enterprise provides the most sophisticated WLAN solution to detect and defend against hundreds of wireless threats, trace and investigate devices, remotely troubleshoot performance problems and enforce and document compliance with internal and external policies.
- Enterasys Dragon IPS - The Dragon suite of advanced security applications delivers a proactive and responsive security posture for any network from any vendor. Whether you have invested in Enterasys security-enabled switching, routing, and wireless infrastructure - or not - Dragon delivers comprehensive protection to ensure the confidentiality, integrity and availability of your information.
- Snort IDS - SNORT is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
- TippingPoint IPS - TippingPoint's Intrusion Prevention Systems provide Application Protection, Performance Protection and Infrastructure Protection at gigabit speeds through total packet inspection. Application Protection capabilities provide fast, accurate, reliable protection from internal and external cyber attacks. Through its Infrastructure Protection capabilities, the TippingPoint IPS protects VoIP infrastructure, routers, switches, DNS and other critical infrastructure from targeted attacks and traffic anomalies. TippingPoint's Performance Protection capabilities enable customers to throttle non-mission critical applications that hijack valuable bandwidth and IT resources, thereby aligning network resources and business-critical application performance.
- Barracuda Networks Spam Firewall - The Barracuda Spam Firewall is an integrated hardware and software solution designed to protect your email server from spam, virus, spoofing, phishing and spyware attacks. It leverages 12 comprehensive defense layers to provide industry-leading defense capabilities for any email server within large corporate or small business environments.
- Network Routers & NetFlow Vendors:
- Arbor Networks Peakflow - Deployed in over 70 percent of the world's ISPs, Arbor Peakflow® is the de facto standard for flow-based network security and network analysis. Arbor Peakflow products are typically deployed in the core to detect, analyze and mitigate a broad range of network threats. Peakflow products provide unmatched visibility and extensive reporting capabilities for making critical business decisions.
- Cisco Network Routers - A systems approach begins with a single, resilient platform such as the Cisco integrated services routers. A systems approach combines packaging with intelligent services within and between services, and weaves voice, security, routing, and application services together, so that processes become more automated and more intelligent. The results are pervasive security in the network and applications; higher QoS for data, voice, and video traffic; increased time to productivity; and better use of network resources.
- Juniper Network Routers - From the small office on up to the largest IP backbone sites in the world, Juniper Networks offers a comprehensive, scalable, secure router solution. This includes core routers, multi-service edge routers and carrier Ethernet offerings supporting the highest-performance needs of demanding enterprises and service providers. All products run the trusted JUNOS network operating system.
- Virtual Private Network Vendors:
- Cisco VPN Concentrator - The Cisco VPN Concentrator Series is a family of purpose-built, remote-access Virtual Private Network (VPN) platforms and client software that incorporates high availability, high performance and scalability with the most advanced encryption and authentication techniques available today. With the Cisco VPN Concentrator Series, customers can take advantage of the latest VPN technology to vastly reduce their communications expenditures. Unique to the industry, it is the only scalable platform to offer field-swappable and customer-upgradeable components. These components, called Scalable Encryption Processing (SEP) modules, enable users to easily add capacity and throughput.
- Network Wireless Access Point Vendors:
- Apple Airport Wireless Access Point - The sleek, easy-to-use AirPort Extreme Base Station with Gigabit Ethernet is the perfect wireless access point for home, school, or small business. Blazing fast, it delivers up to five times the performance and up to twice the range compared to 802.11g routers. And you can use it with Macs, PCs and other Wi-Fi devices such as iPhone and Apple TV.
- Buffalo Wireless Access Point - Based on the next-generation wireless standard (draft 802.11n), we promise to deliver maximum performance and superior range that surpasses all previous wireless technology. Draft 802.11n is also backwards compatible with wireless 802.11b/g networks. Buffalo's products use the Broadcom Intensi-fi technology chipset. This technology has been adopted by a number of leading manufacturers and ensures interoperable wireless products for bandwidth-hungry applications from multiple manufacturers.
- Cisco Wireless Access Point - Cisco Aironet IEEE 802.11a/b/g access points provide high-capacity, high-security, enterprise-class features in an unobtrusive, office-class design, delivering WLAN access with the lowest total cost of ownership. With high-performing dual IEEE 802.11a and 802.11g radios, the Cisco Aironet Series provides a combined capacity of up to 108 Mbps to meet the needs of growing WLANs. Hardware-assisted Advanced Encryption Standard (AES) or temporal key integrity protocol (TKIP) encryption provides uncompromised support for interoperable IEEE 802.11i, Wi-Fi Protected Access 2 (WPA2) or WPA security. The Cisco Aironet Series uses radio and network management features for simplified deployment, along with built-in omnidirectional antennas that provide robust and predictable WLAN coverage for offices and similar RF environments. The competitively priced Cisco Aironet Series is ready to install and easy to manage, reducing the cost of deployment and ongoing maintenance.
- Operating Systems:
- Microsoft Windows 2000/XP/2003/Vista
- GNU/Linux Operating System
- FreeBSD Operating System
- OpenBSD Operating System
- NetBSD Operating System
- AIX Operating System
- HP/UX Operating System
- Solaris Operating System
- RFC3164 Compliant Syslog Messages
- Web Service Vendors:
- Apache Web Server - The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field.
- Microsoft IIS Web Server - IIS 7.0 contains several components that perform important functions for the application and Web server roles. Each component has responsibilities, such as listening for requests made to the server, managing processes, and reading configuration files. These components include protocol listeners, such as HTTP.sys, and services, such as World Wide Web Publishing Service (WWW service) and Windows Process Activation Service (WAS).
- NCSA (Common) Compatible Web Server - The NCSA Common log format contains only basic HTTP access information. The NCSA Common Log, sometimes referred to as the Access Log, is the first of three logs in the NCSA Separate log format. The Common log format can also be thought of as the NCSA Combined log format without the referral and user agent. The Common log contains the requested resource and a few other pieces of information, but does not contain referral, user agent, or cookie information. The information is contained in a single file.
- Squid Web Proxy Server - Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on Unix and Windows and is licensed under the GNU GPL.
- W3C Compatible Web Server - An improved format for Web server log files is presented. The format is extensible, permitting a wider range of data to be captured. This proposal is motivated by the need to capture a wider range of data for demographic analysis and also the needs of proxy caches.
- Simple Network Management Protocol (SNMP):
- SNMP v1/2c/3 Management Protocol (read access only)