SecureVue: Asset Analytics

The devices and servers on your network contain important asset information that can greatly accelerate your detection and mitigation of security incidents and instances of noncompliance with regulations, standards and best practices (compliance gaps). With asset analytics, information such as software revision level, licenses, USB devices and installed software inventories is collected from network assets and compared to policies to enable fast detection and mitigation of security incidents and compliance gaps.

The Challenges for Asset Analytics
Data security and IT compliance professionals seek solutions that detect and mitigate security incidents and compliance gaps more quickly and cost-effectively than the security and compliance management solutions available to date. Consider, for example, a typical “low and slow” breach, in which an attacker who has compromised an organization’s systems remains undetected by progressing slowly with minimal activity, evading existing defenses such as IPS and device security. Timely detection of these “low and slow” attacks is elusive for security management solutions because it requires the real-time collection and correlation of multiple sources of data. Specifically, log, asset, configuration, vulnerability, performance and network flow data each reveal a different aspect of an attack. The following table outlines some of the more typical steps attackers use in a “low and slow” attack and the data source that most effectively reveals the true intention of the attacker.

A Typical “Low and Slow” Attack

| Attack step | Attacker action | Action revealed in |
|---|---|---|
| 1. Probe | Runs port scans seeking targets with known vulnerabilities. | Log data |
| 2. ID entry point | Identifies a target system with a known vulnerability. | Log data |
| 3. Access | Brute-forces access to the system, with multiple failed logins preceding the successful login. | Log data |
| 4. Admin privilege | Escalates to Admin/Root or creates a new account with Admin privilege. | Asset data |
| 5. Config change | Disables logging. | Configuration data |
| 6. Exploit vulnerability | Creates a buffer overflow that spikes performance by exploiting a vulnerability. | Vulnerability & Performance data |
| 7. Rogue app | Installs a back door to the system. | Asset data |
| 8. Data theft | Steals confidential data. | Flow data |

To meet the needs of security and compliance professionals, therefore, the primary challenge a security and compliance management solution must meet is to collect and correlate data from multiple data sources to enable rapid and efficient event detection and analysis. Log data alone includes thousands of routine and harmless scans as well as all the failed logins by authorized users who harmlessly mistyped their login credentials. A better approach than relying solely on log data is to correlate log data with asset data to more effectively pinpoint attacks like a rogue application installation. This level of data integration and correlation enables faster, more targeted and more efficient incident detection and mitigation. No longer having to sort through voluminous log data from non-events, your security, network and audit teams can more quickly and efficiently identify truly serious threats.
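As an added illustration of the correlation argument above (this is not SecureVue's code; the source names, event types, scoring threshold and sample events are assumptions), the following Python scores each host on how many distinct steps of the table are seen across log, asset, configuration, performance and flow data, and contrasts that with a log-only rule that fires on every scan and mistyped password:

```python
from collections import defaultdict

STAGE_OF = {  # (source, event type) -> attack step, following the page's table
    ("log", "port_scan"): "probe",
    ("log", "login_failed"): "access_attempt",
    ("log", "login_success"): "access",
    ("asset", "admin_account_added"): "admin_privilege",
    ("config", "logging_disabled"): "config_change",
    ("performance", "cpu_spike"): "exploit",
    ("asset", "software_installed"): "rogue_app",
    ("flow", "large_outbound_transfer"): "data_theft",
}

def log_only_alerts(events):
    """Naive log-only rule: every scan or failed login raises an alert."""
    return sorted({h for _, src, t, h in events
                   if src == "log" and t in ("port_scan", "login_failed")})

def correlate(events, window, threshold=4):
    """Hosts whose (timestamp, source, event_type, host) events within some
    `window` seconds cover at least `threshold` distinct attack stages."""
    by_host = defaultdict(list)
    for ts, src, etype, host in sorted(events):
        if (src, etype) in STAGE_OF:
            by_host[host].append((ts, STAGE_OF[(src, etype)]))
    flagged = {}
    for host, items in by_host.items():
        best, start = [], 0
        for end in range(len(items)):               # sliding time window
            while items[end][0] - items[start][0] > window:
                start += 1
            # distinct stages in the window, in order of first appearance
            seen = list(dict.fromkeys(s for _, s in items[start:end + 1]))
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            flagged[host] = best
    return flagged

EVENTS = [  # constructed sample data: (unix ts, source, event type, host)
    (0, "log", "port_scan", "web01"),
    (100, "log", "login_failed", "web01"),
    (300, "log", "login_success", "web01"),
    (1800, "asset", "admin_account_added", "web01"),
    (3600, "config", "logging_disabled", "web01"),
    (7200, "asset", "software_installed", "web01"),
    (9000, "flow", "large_outbound_transfer", "web01"),
    (50, "log", "port_scan", "db02"),            # routine scan of a benign host
    (400, "log", "login_failed", "db02"),        # one mistyped password
]
```

The log-only rule flags both hosts, while the correlated view flags only web01, where seven of the eight steps are observed within a day.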

In addition to the comprehensiveness of data types collected, a security and compliance management platform faces other asset analysis challenges. Specifically, it must also collect and analyze asset data in enough detail for the overall enterprise security management (ESM) platform to be fully effective. For example, to more closely monitor and control company information assets, suppose you have a policy that specifies that no USB memory devices should be attached to a host on the network, and someone connects a USB memory stick to a host. Even though any data transferred from the host to the USB device will trigger an alert, by the time you react, the device and its owner are gone. Do you know who transferred the data? Do you know what was transferred? Do you know how much was transferred? The answers to these questions can be critical to understanding a security incident, identifying a thief and then discouraging future data theft.

A final challenge for effective asset analytics is the requirement to support asset policy setting on detailed asset characteristics and changes, which allows you to monitor and alert on asset policy violations. For example, your organization may be concerned that confidential data could be distributed using Instant Messaging and, therefore, have a policy that disallows its use. Someone unaware of the policy installs IM and starts a conversation with a friend outside the organization. Do you know what hosts have installed IM and when it was installed? Do you know if any protected information has been shared externally over IM? It is clear that the asset data collected must be sufficiently detailed, sufficiently granular, to be truly useful to security incident mitigation and compliance auditing.

Asset Analytics Using SecureVue
SecureVue collects asset data from all hardware and software assets on the network. The data is tracked and archived centrally, and then included in SecureVue’s real-time, 24x7 end-to-end correlation to perform asset analysis. Thus, perhaps the greatest difference between SecureVue and other security and compliance solutions is that asset analysis is integrated into the end-to-end correlation function to enable more targeted, faster and more efficient incident analysis and compliance gap mitigation.

In addition, SecureVue has distinguishing asset analytics leadership capabilities that address other challenges, such as:

  • Auto-discovery - To enhance asset management automation and control, SecureVue identifies and classifies all assets, especially new ones, by scanning the entire network or any portion you define according to your specific monitoring needs, so that new assets that may be hostile are not missed.

  • Detailed asset analysis - SecureVue returns a greater level of detail than other solutions to enable more finely tuned policy setting and monitoring. For example, where SecureVue detects that a node is a Cisco appliance, it goes further and reports whether it is a PIX firewall, router or ASA appliance, enabling a more granular level of policy control to be enforced. Another example is the ability to detect whether a file transfer to a USB device happened, what was transferred, who made the transfer and how large it was – dramatically assisting in the investigation of a potential incident.

  • Instant identification of policy violations - SecureVue allows you to instantly understand asset policy violations by running a pre-configured policy violation search. You can view the details of asset policy violations for specific devices or hosts, down to the level of user names, policy names and policy types. This instant identification of violations enables faster response to issues that may otherwise result in breaches.

  • Historical trending - SecureVue tracks assets to facilitate intelligent decisions regarding upgrades and patches. By looking at asset trends and providing the ability to create, monitor and enforce asset policies, SecureVue empowers you to reduce risk by maintaining greater, more prompt control over key software assets.

  • Monitoring and alerting - Along with automatic asset monitoring, SecureVue allows you to respond more quickly to security risks and compliance gaps as it can be configured to alert administrators to network interface failures, new shares opened on key servers, new system drives, new processes and software being loaded.
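The USB and Instant Messaging policy questions in the challenges section (who attached the device, which host installed IM and when) and the policy violation search described above both come down to diffing asset inventory snapshots and evaluating policies against the newly seen items. The following Python is an added illustration, not SecureVue's code; the inventory fields, the policy list, the approved-admin set and the snapshots are constructed assumptions:

```python
from collections import namedtuple

APPROVED_ADMINS = {"administrator", "itops"}   # assumed approved admin list
# user = account logged in when the change was observed; detail = the item
Violation = namedtuple("Violation", "host user policy policy_type detail")

# Asset policies: (name, type, inventory field, predicate on a new item).
POLICIES = [
    ("No removable storage", "usb", "usb_devices",
     lambda dev: dev[1] == "mass_storage"),
    ("No instant messaging", "software", "software",
     lambda name: "messenger" in name.lower()),
    ("No unapproved admins", "account", "admin_users",
     lambda user: user not in APPROVED_ADMINS),
]

def new_items(before, after):
    """(host, field, item) for every item in `after` missing from `before`."""
    changes = []
    for host, inv in after.items():
        prev = before.get(host, {})
        for field in ("usb_devices", "software", "admin_users"):
            for item in inv.get(field, []):
                if item not in prev.get(field, []):
                    changes.append((host, field, item))
    return changes

def check_policies(before, after):
    """Evaluate every policy against the changes between two snapshots."""
    return [Violation(host, after[host]["logged_in_user"], name, ptype, item)
            for host, field, item in new_items(before, after)
            for name, ptype, pfield, pred in POLICIES
            if field == pfield and pred(item)]

# Constructed inventory snapshots; USB devices are (serial, device class).
BEFORE = {
    "ws17": {"logged_in_user": "alice", "usb_devices": [("SN0001", "hid")],
             "software": ["Office 2007"], "admin_users": ["administrator"]},
    "ws22": {"logged_in_user": "bob", "usb_devices": [],
             "software": ["Office 2007"], "admin_users": ["administrator"]},
}
AFTER = {
    "ws17": {"logged_in_user": "alice",
             "usb_devices": [("SN0001", "hid"), ("SN0042", "mass_storage")],
             "software": ["Office 2007"], "admin_users": ["administrator"]},
    "ws22": {"logged_in_user": "bob", "usb_devices": [],
             "software": ["Office 2007", "AcmeMessenger 5.1"],
             "admin_users": ["administrator", "bob"]},
}
```

Running `check_policies(BEFORE, AFTER)` yields three violations, each carrying the host, the logged-in user, the policy name and type, and the offending item; the USB keyboard on ws17 triggers nothing because the predicate looks at device class, not mere attachment.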

Discover why Network World wrote, “eIQnetworks has the broadest range of capabilities we have seen in one integrated product”. Download whitepapers, datasheets, case studies and more from the eIQ Resource Center today. When you are ready, don’t hesitate to test drive a free evaluation copy of SecureVue to see how it can simplify management, boost efficiency, and enable easy audit reporting.