Our Technology

Technology & Architectural Advantages

For adequate Information Security, you need total visibility into all aspects of your information network. However, every IPS alert, firewall log, server transaction, application activity—or any other relevant data—creates more information that must be collected, stored and managed. While the information may be relevant, and highly valuable for security analysis, the sheer volume of information becomes overwhelming to most Security Information Management Systems.

NitroRSC — Risk Score Correlation

The Nitro Risk Correlation engine (NitroRSC) represents a new risk assessment methodology based upon "rule-less" risk correlation technology. NitroRSC dynamically calculates risk scores for assets, events and vulnerabilities, building a comprehensive and adaptive assessment of risk activity.

NitroEDB — Extreme Database for Performance

The solution to the problem of "information overload" is to build an information storage and management engine capable of handling the unique challenges of security information management.

  • Collect new information faster—hundreds-of-thousands to millions of events per second
  • Store more information—with efficient compression and storage
  • Access information faster—keeping all information accessible in real-time, even when managing years of data

NitroSecurity's products are built using our patented NitroEDB data management engine, a purpose-built database with thousands of times greater performance than any other database or flat-file data store. NitroEDB is the result of over twenty years of R&D, focused on the singular goal of creating a high-performance engine for data collection, analysis, and reporting.

NitroICE — Intelligent Content Extraction for visibility into Applications & Protocols

The NitroICE engine decodes layer-7 information, and provides analysis of the application and protocol information as seen on the network. This allows for application contents to be monitored and examined in-line, for purposes of fraud detection and data leakage prevention. NitroICE allows detection rules to be triggered on user, application, client & host names; IP addresses and port numbers; email addresses, subject line; website URLs; filenames, types & size; protocols, date-time, printer jobs; and even document contents (e.g. PII, PHI, user-defined).

NitroGuard — Inline Monitoring Engine

NitroGuard is a custom engine for inline monitoring and network flow collection, utilizing highly optimized packet capture and processing mechanisms to overcome the performance limitations of traditional software-based IDS and IPS.

  • High-throughput detection and prevention capability
  • Native flow collection for immediate event-to-flow correlation
  • Maintains compatibility with Snort® signature syntax, without the performance limitations of Snort.

NitroGuard is used in all NitroGuard IPS appliances, for in-line intrusion prevention from 50Mbps up to 6Gbps. NitroGuard also augments the monitoring capabilities of database activity, applications, and protocols, within NitroView ADM and NitroView DBM appliances.

Detect Risks and Threats that Don't Play by the Rules

Breaking down the risk equation results in three key components:

  • Threats
  • Assets
  • Vulnerability

There is a long-held truth in the business world that risk equals the threat multiplied by the asset multiplied by the vulnerability. This gives an excellent starting point for the calculation of risk, but it still does not paint a realistic picture of risk for an IT environment. In order to truly calculate risk, other factors need to be taken into account, and a single-factor calculation is not always enough to validate or repudiate the presence of risk in the enterprise.

NitroView's Risk Correlation, using the NitroRSC™ engine, can score risk based on a combination of fields present within a single event, accurately assessing the risk of any asset, event or vulnerability as the dynamics of the network change. For example, risk correlations can be defined for specific user/destination pairs, or for destination/destination-port pairs.
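To make the risk equation and the field-combination scoring concrete, the following is an added illustration (not NitroView or NitroRSC code; the event fields, asset values and vulnerability weights are constructed). Each event is scored as threat × asset × vulnerability, and the scores are then accumulated per combination of fields taken from the single event, such as user/destination or destination/destination-port, so the highest-scoring pairs surface regardless of the order in which the events arrived.

```python
from collections import defaultdict

# Constructed asset inventory: destination IP -> business value (1-10). Hypothetical data.
ASSET_VALUE = {"10.0.0.5": 10, "10.0.0.9": 3}

# Constructed vulnerability index: (destination IP, port) -> vulnerability weight (1-10).
VULNERABILITY = {("10.0.0.5", 445): 9, ("10.0.0.9", 80): 2}

# Constructed events; the field names are hypothetical, not NitroView's schema.
EVENTS = [
    {"user": "alice", "dst": "10.0.0.5", "dport": 445, "threat": 5},
    {"user": "alice", "dst": "10.0.0.5", "dport": 445, "threat": 7},
    {"user": "bob",   "dst": "10.0.0.9", "dport": 80,  "threat": 4},
    {"user": "bob",   "dst": "10.0.0.5", "dport": 22,  "threat": 6},
]


def event_risk(event, asset_value=ASSET_VALUE, vulnerability=VULNERABILITY):
    """Basic risk equation for one event: threat x asset x vulnerability.
    Unknown assets get value 1 and unknown (host, port) pairs weight 1; these
    baselines are an assumption of this illustration, not a product setting."""
    asset = asset_value.get(event["dst"], 1)
    vuln = vulnerability.get((event["dst"], event["dport"]), 1)
    return event["threat"] * asset * vuln


def correlate(events, key_fields, **kw):
    """Accumulate event risk per combination of fields present in each single
    event, e.g. ("user", "dst") for user/destination pairs or ("dst", "dport")
    for destination/destination-port pairs."""
    scores = defaultdict(int)
    for e in events:
        scores[tuple(e[f] for f in key_fields)] += event_risk(e, **kw)
    return dict(scores)


def top_risks(scores, n=3):
    """Highest-scoring keys first: the actionable output of the correlation."""
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for fields in (("dst",), ("user", "dst"), ("dst", "dport")):
        print(fields, top_risks(correlate(EVENTS, fields)))
```

With the constructed data, the two events from alice against the SMB port of the high-value host dominate every view: per asset, per user/destination pair and per destination/port pair, which is the kind of convergence that makes a score actionable even though no single rule fired.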

NitroRSC Risk Correlation Engine

NitroSecurity's NitroRSC Correlation Engine can help enterprises, regardless of size, to accomplish this in a systematic, repeatable manner. The NitroRSC Correlation Engine is not simply a one-size-fits-all solution, since no enterprise faces exactly the same threats, has the same assets, or is exposed to the same vulnerabilities. In order to truly calculate the risk score for an asset based on the events targeting that asset, NitroSecurity has expanded the basic risk equation to include additional factors, going beyond exposure to risk, and painting a true picture of risk that includes new and emerging threats that evade detection by current rules-based correlation systems.

Rule-based systems, however, remain a necessary component of any enterprise security strategy. Risk correlation results in active scores, leading to actionable alerts which detail the potential risk to an asset, by a user, or from a series of parameters which may not occur in any particular order. Rules, on the other hand, address established patterns and are useful in determining whether attack vectors which follow a set pattern are present. The combination of both risk-based and rule-based systems provides the most complete visibility into an organization's threat environment.

What if data management was no longer a limitation?

Over the course of hundreds of man-years of R&D, NitroSecurity has developed a high-speed information processing architecture capable of receiving and analyzing data at extremely high speeds. The heart of this core architecture is NitroEDB: a high-performance database that enables many of the advanced features found in NitroGuard and NitroView. NitroEDB is also a full-featured embedded relational data engine ideal for OEM customers. NitroEDB is capable of performing queries, counts, and analytics on large data stores (1 billion+ records), even under load (50,000 new insertions per second), and still returning results in under a second.

Breaking through the Barriers of RDBMS

NitroEDB is able to support all of the requirements for SIEM because of this performance advantage. How? Because unlike other RDBMS systems, NitroEDB was designed for simultaneous event collection, analysis and reporting, at rates that far exceed the limitations of commercial RDBMS and even other custom database and flat-file systems used in the industry. Millions of dollars, and over two hundred staff-years over three decades, were invested in the research and development of NitroEDB to achieve these goals. The result is a highly optimized data management architecture, which uses patented techniques to improve performance and scalability in a variety of ways.

NitroEDB versus commercial RDBMS systems

[Comparison table: NitroEDB features vs. commercial RDBMS. The features highlighted in orange are unique to NitroEDB and/or patented technologies owned by NitroSecurity.]

Features of NitroEDB

  • Time Differentiated Subfields — A NitroEDB unique feature specifically designed to maximize the efficient management of time-series data.
  • Index Field Aggregates — A NitroEDB unique capability specifically designed to minimize the execution time of analytical queries.
  • Time-Series SQL Engine — NitroEDB's unique SQL engine implements significant time-series oriented enhancements that leverage Time Differentiated Subfields, Index Field Aggregates, and other NitroEDB features and capabilities to minimize the execution time of complex analytical SQL queries.
  • Diverse Indexes — An index allows a data manager to find specific data quickly. In order to find many types of data quickly many indexes, or more diverse indexes, are required. NitroEDB's unique Diverse Indexes are much more useful than the indexes of other data management systems. Whereas typical indexes may support only a couple of query types, NitroEDB's Diverse Indexes can support many query types. The bottom line is that with Diverse Indexes much more data is effectively indexed, thus considerably decreasing query time, and considerably increasing insert rate.
  • Time-Series Partitions — One of the biggest problems in the management of time-series data is "pruning" the data set, keeping its size within acceptable limits. NitroEDB's unique Time-Series Partitions are a set-it-and-forget-it feature that makes "pruning" simple and efficient. Additionally, Time-Series Partitions maximize the advantages gained by the judicious use of high-speed storage technologies such as RAM, solid-state drives, and SAN.
  • Partial Indexes — Although not unique to NitroEDB, Partial Indexes are critical to maximizing the performance of data management, and are fully integrated into NitroEDB.
  • Multi-Core Scalability — Although not unique to NitroEDB, Multi-Core Scalability is critical to maximizing the performance of data management and leveraging the ever increasing number of CPU cores available on computational platforms, and is fully integrated into NitroEDB.
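The two ideas that recur in the list above, time-based partitions that make pruning a matter of dropping whole partitions, and per-index aggregates that let an analytical query avoid scanning rows, can be shown in miniature. The following is an added toy illustration of those two techniques, not NitroEDB's design or code; the partition width, retention period, field names and sample events are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta


def _as_dt(value):
    """Accept either a datetime or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


class TimeSeriesStore:
    """Events are bucketed into fixed-width time partitions. Each partition keeps
    a per-field value count (a toy stand-in for an index aggregate), so a query
    whose window fully covers a partition sums the aggregate instead of reading
    rows, and retention is enforced by dropping whole partitions."""

    def __init__(self, width, retention, indexed_fields):
        self.width = width                      # partition width (timedelta)
        self.retention = retention              # how far back to keep data
        self.indexed_fields = tuple(indexed_fields)
        self.partitions = {}                    # partition start -> {"rows", "agg"}

    def _bucket(self, ts):
        """Start of the partition that contains ts."""
        epoch = datetime(1970, 1, 1)
        return epoch + ((ts - epoch) // self.width) * self.width

    def insert(self, event):
        event = dict(event, ts=_as_dt(event["ts"]))
        start = self._bucket(event["ts"])
        part = self.partitions.setdefault(
            start, {"rows": [], "agg": {f: Counter() for f in self.indexed_fields}})
        part["rows"].append(event)
        for f in self.indexed_fields:           # maintain the aggregate on insert
            part["agg"][f][event[f]] += 1

    def count_by(self, field, since, until):
        """Count events per value of `field` in [since, until)."""
        since, until = _as_dt(since), _as_dt(until)
        total = Counter()
        for start, part in self.partitions.items():
            end = start + self.width
            if end <= since or start >= until:
                continue                          # partition outside the window
            if since <= start and end <= until:
                total.update(part["agg"][field])  # fully covered: use the aggregate
            else:
                for row in part["rows"]:          # partially covered: scan rows
                    if since <= row["ts"] < until:
                        total[row[field]] += 1
        return total

    def prune(self, now):
        """Drop every partition that ends before the retention cutoff."""
        cutoff = self._bucket(_as_dt(now) - self.retention)
        expired = [s for s in self.partitions if s < cutoff]
        for s in expired:
            del self.partitions[s]
        return len(expired)


def build_sample_store():
    """Hourly partitions, two-day retention, and a handful of constructed events."""
    store = TimeSeriesStore(timedelta(hours=1), timedelta(days=2), ["src"])
    for ts, src in [
        ("2009-03-01T09:10:00", "10.0.0.1"),
        ("2009-03-01T09:50:00", "10.0.0.2"),
        ("2009-03-01T10:20:00", "10.0.0.1"),
        ("2009-03-03T11:00:00", "10.0.0.1"),
        ("2009-03-03T11:30:00", "10.0.0.3"),
    ]:
        store.insert({"ts": ts, "src": src})
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.count_by("src", "2009-03-01T09:00:00", "2009-03-01T11:00:00"))
    print("dropped", s.prune("2009-03-03T12:00:00"), "partitions")
```

The query that aligns with partition boundaries never touches a row, while a window that starts mid-partition falls back to scanning only that one partition; pruning at the two-day retention point removes both March 1 partitions in a single step without examining their contents.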

Expanding Visibility into Application and Protocol Use

The NitroICE engine decodes layer-7 information, and provides analysis of the application and protocol information as seen on the network. This allows for application contents to be monitored and examined in-line, for purposes of fraud detection and data leakage prevention.

NitroICE allows detection rules to be triggered on user, application, client & host names; IP addresses and port numbers; email addresses, subject line; website URLs; filenames, types & size; protocols, date-time, printer jobs; and even document contents (e.g. PII, PHI, user-defined).

This allows NitroICE to detect:

  • Application Violations — Unauthorized use of applications such as IM, P2P, etc.
  • Application Anomalies — Unexpected use of authorized applications: large files, unexpected attachments, etc.
  • Leakage of sensitive data — via Email, Web Mail, IM/Chat, P2P apps, etc.
  • User Violations — deactivated or black-listed users
  • Password Violations — weak or default passwords
  • Data Access Anomalies — user access to sensitive content outside office hours
  • Data Leakage — sensitive data within chat or email, printed, etc.
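The following is an added illustration of how detection rules over decoded layer-7 fields of the kind listed above (user, protocol, attachment name and size, time of day, document contents) can be expressed and evaluated. It is not NitroICE code; the record layout, the rule thresholds, the disabled-user list and the sample records are constructed for the example, and the PII check uses a simple SSN-shaped pattern as a stand-in for a real content classifier.

```python
import re
from datetime import datetime

# Constructed decoded application records; field names are hypothetical, not NitroICE's.
RECORDS = [
    {"proto": "SMTP", "user": "alice", "time": "2009-03-02T14:05:00",
     "to": "partner@example.com", "subject": "Q1 numbers",
     "attachment": "report.pdf", "size": 120_000, "body": "Please find attached."},
    {"proto": "SMTP", "user": "bob", "time": "2009-03-02T23:40:00",
     "to": "someone@webmail.example", "subject": "list",
     "attachment": "customers.xls", "size": 30_000_000,
     "body": "SSN 123-45-6789 included"},
    {"proto": "IPP", "user": "mallory", "time": "2009-03-03T10:00:00",
     "filename": "payroll.doc", "size": 400_000, "body": ""},
]

DISABLED_USERS = {"mallory"}              # constructed "deactivated user" list
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # toy PII pattern (assumption)
OFFICE_HOURS = range(8, 19)               # 08:00-18:59, an assumed policy
MAX_ATTACHMENT = 10_000_000               # bytes; an assumed threshold
PRINT_PROTOCOLS = {"PJL", "IPP", "LPD"}


def outside_office_hours(rec):
    """Data access anomaly: activity outside the configured office hours."""
    return datetime.fromisoformat(rec["time"]).hour not in OFFICE_HOURS


# Each rule inspects one decoded record and returns True when it should fire.
RULES = {
    "user_violation": lambda r: r["user"] in DISABLED_USERS,
    "large_attachment": lambda r: r.get("size", 0) > MAX_ATTACHMENT,
    "pii_in_content": lambda r: bool(SSN_RE.search(r.get("body", ""))),
    "after_hours_access": outside_office_hours,
    "sensitive_print": lambda r: (r["proto"] in PRINT_PROTOCOLS
                                  and r.get("filename", "").startswith("payroll")),
}


def evaluate(rec, rules=RULES):
    """Names of every rule that fires on one record, in rule order."""
    return [name for name, test in rules.items() if test(rec)]


def scan(records, rules=RULES):
    """Map record index -> fired rules, for records that triggered anything."""
    hits = {}
    for i, rec in enumerate(records):
        fired = evaluate(rec, rules)
        if fired:
            hits[i] = fired
    return hits


if __name__ == "__main__":
    for idx, fired in scan(RECORDS).items():
        print(idx, RECORDS[idx]["user"], RECORDS[idx]["proto"], fired)
```

The second record fires three independent rules at once (oversized attachment, PII in the body, after-hours activity), which is exactly the kind of multi-field coincidence a risk score can weigh more heavily than any single alert; the print job from a deactivated user fires on the user and printer fields with no content inspection at all.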

NitroICE is capable of decoding and analyzing over 500 applications, documents and protocols, including:

  • File Transfer — FTP, HTTP, SSL (setup certs only)
  • Email — SMTP, POP3, NNTP, MAPI
  • Web Mail — Hotmail, Hotmail Delta Sync, Yahoo mail, AOL mail, Gmail
  • Chat — MSN, AIM/ICQ, Yahoo, Jabber, IRC
  • Peer-to-Peer File Sharing — Gnutella
  • Shell — Telnet, SSH (detection only)
  • Printer — PJL, IPP, LPD/LPR

Powerful and flexible engine for IDS, IPS

In 2001, NitroSecurity developed the first SNORT® based Intrusion Prevention system, which was integrated into the open-source Snort® code base in 2002. Now, that experience has led to a powerful new detection engine called NitroGuard™ — a highly flexible detection and prevention engine that provides improved performance while maintaining full compatibility with the well-known Snort® syntax.

With a decade of research and development, NitroGuard has continued to evolve, and is more than "just another IDS." NitroGuard offers:

  • Network inspection, for intrusion detection and prevention
  • Network flow collection, for flow analysis and tracking of event propagation
  • Anomaly-based detection, in addition to traditional pattern-matching signatures
  • Integrated state-aware firewall, with dynamic IP- and protocol- blacklisting capabilities
  • High performance gains, leveraging the full power of multi-core processing

Keeping up to date

NitroGuard signature-based detection rules are continuously updated by the NitroSecurity Threat Analysis Center (NTAC), which combines in-house security research with the best outside experts available, including Microsoft and other leading vulnerability experts. All updates are automatically and securely distributed to active IPSs, ensuring that every NitroGuard is capable of detecting the latest exploits and zero-day threats.

Looking to the Future of IDS and IPS

While our engineers are experts in intrusion detection, we understand that progress cannot occur in isolation. That's why we're supporting the newest in open source intrusion prevention efforts. NitroSecurity joined the Open Information Security Foundation (OISF) as a founding member, and donated research and development to the development of Suricata — a new engine that is being developed with the goal of once again taking intrusion detection to the next level.

® NitroEDB, NitroICE, and NitroGuard are registered trademarks of NitroSecurity, Inc.

® Snort is a registered trademark of Sourcefire, Inc.

® Suricata is a registered trademark of the Open Information Security Foundation.