Information Security News mailing list archives

Therminator to watch for cyberattacks


From: InfoSec News <isn () c4i org>
Date: Fri, 13 Dec 2002 04:53:18 -0600 (CST)

http://www.fcw.com/fcw/articles/2002/1209/web-nsa-12-13-02.asp

By Dan Caterinicchia 
Dec. 13, 2002

To create better protection for the nation's computer networks, the 
National Security Agency and the Defense Department have signed an 
agreement with Lancope Inc. to build Therminator, an advanced 
information security tool. 

Therminator will produce a graphical representation of network traffic 
that allows information security workers and network administrators to 
recognize the impact of cyberattacks in real time.

This data will help government agencies and private businesses provide 
more proactive protection of sensitive and classified data, said John 
Copeland, Lancope's founder and chairman. 

One of Therminator's main components is Lancope's flagship product, 
StealthWatch, a behavior-based intrusion detection system that 
features:

* Intelligent alarming.

* Network surveillance.

* Gigabit operating speeds.

* Recognition of unknown threats.

* A forensic trail of network activity. 

"The Therminator technology has many fathers, but none of them want 
anything more than to see it in place in time to mitigate a 
nation-scale cyberattack, when and if one should occur," Copeland 
said. "There is pressure to move quickly because of the uncertainty 
over how much time is left before it's needed."

Army Maj. Gen. James Bryan, commander of the Joint Task Force for 
Computer Network Operations (JTF-CNO), agreed. He said threats to 
computerized networks are growing, and that script-based intrusion 
detection systems are effective and will continue to be used, but "the 
problem is that we must also expect the threat to know this and to do 
the unexpected." 

"We must carefully script our systems to look for the unexpected 
because [our enemies] are going to camouflage their malicious activity 
as otherwise normal activity," Bryan said. "Therminator is one very 
promising approach to this challenge." 

The JTF-CNO is in charge of defending all DOD networks from attack and 
also can initiate cyberattacks when instructed by the president or 
Defense secretary.

Therminator will integrate StealthWatch's high-speed data flow 
architecture with NSA and DOD's data reduction and data visualization 
technology, Copeland said.

Therminator technology watches the data stream and illustrates 
categories of data as colored bars that are proportional in height to 
the quantity of data at a given time. The process is repeated to form 
a stacked bar graph that moves across a computer screen to show 
current and past data traffic composition. The tool then goes one step 
further to represent the many possible states of a data stream by 
selected variables, and those parameters are displayed on a 
multicolored stacked bar chart.

"Currently, StealthWatch already stores available local information on 
the attacking host," Copeland said. "Since IP addresses can be spoofed, 
actual 'tracking down' requires investigating log information from 
routers and switches along the path of the attack. Once StealthWatch 
is combined with the Therminator technology, an attack would be seen 
all along its path throughout the network."

The technology transfer licensing and cooperative research and 
development agreement was signed Nov. 12, and all three stakeholders 
are making investments in the project in terms of time and resources. 
Financial terms were not disclosed. The project is under way and the 
government and vendor project teams are meeting this week at Lancope's 
Alpharetta, Ga., headquarters to map out the Therminator development 
schedule.

The tool is expected to be ready in about six months, and Lancope will 
offer the Therminator technology as part of its commercial product 
line. 


