HUNTSMAN OVERVIEW

Huntsman leverages a modular and extensible architecture that supports any security device, network device, operating system or application. A diagram showing the building-block components of the Huntsman architecture is shown below.

Agents

Huntsman “smart” agents are multi-function, host-based programs designed to collect events from multiple data sources simultaneously. These small-footprint programs gather events in the most efficient and unobtrusive fashion from network devices, applications and operating systems. The agents are complemented by Data Source Mediators (DSMs), which allow end users of the Huntsman system to customize the smart agents to accept data from any source.

The multi-function agents collect and parse the events into the Tier-3 common data format (CDF), and may also monitor selected files for changes to their properties and content.

In addition, the agents can monitor and control processes (stop, start and restart) and monitor system memory and disk-space utilization.

The agents and DSMs support a range of encryption options, such as SSL, to ensure data integrity is maintained throughout the collection process. All agent configuration parameters are stored centrally, and agents must pass a hard authentication process before being authorized to start collecting data. Agents can be configured to collect only those events that are of interest to the particular enterprise.

Decider Engine

The Huntsman Decider Engine provides the intelligence of the Huntsman system. It is primarily responsible for the analysis, correlation and reporting of the data received from Huntsman agents, and each Decider applies a multistage analysis process to every event received. The ability to add rules to the analysis using the Autonomous Correlation Engine (ACE) means that customer- or risk-specific rules can be applied to any set of data. The expert system supplied with Huntsman is complemented by the adaptive learning module, which assists in automatically detecting malicious traffic and eliminates false positives generated within the target environment.

A range of automatic, configurable response mechanisms may also be applied in varying environments using Huntsman’s Guardian module capabilities. The response actions used to prevent attacks range from user logout, account locking and process control to running any command-line script or executable.

Finally, the reporting engine and the thick- and thin-client interfaces to the system ensure that the differing needs of a broad range of user populations, from technical staff through to senior management, can be met.

A range of standard reports is provided with the system, as well as the ability to construct and save report templates. Reports may also be scheduled to run and be delivered electronically.

Guardian

The autonomous nature of the Huntsman system is further enhanced by the ability to respond automatically to security incidents. This feature can be configured and targeted to suit individual requirements and protects against widespread system attack and compromise. Guardian modules (which either co-reside with an Agent or live independently on their own hosts) carry out the appropriate, pre-configured actions when an attack is detected. Available actions include:

User logout
Process start/stop/restart
Lock-out of user accounts
Any command-line script or executable
Firewall and router reconfiguration

All response actions are managed centrally from the Huntsman console. A powerful scripting language allows captured event fields to be substituted into the response scripts as variables. This allows controlled and targeted responses that minimize the effect an attack may have on the enterprise.

For example, a firewall or router could be reconfigured to block only an offending IP address or subnet during a Denial of Service attack on a Web server.

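As an added illustration (not Tier-3's code; the event field names, the `${field}` marker syntax and the `firewall-cli` command are assumptions), here is how a Guardian-style response template could substitute captured event fields while validating and shell-quoting each value, so that a crafted field in an incoming event cannot turn a block rule into an arbitrary command:

```python
import ipaddress
import re
import shlex

# Constructed sample event, as a Guardian module might receive it from a
# Decider. Field names are assumed, not Huntsman's real CDF.
EVENT = {
    "src_ip": "203.0.113.45",
    "dst_host": "web01",
    "event_type": "dos_syn_flood",
}

# Assumed response template: ${field} markers are replaced by event values.
BLOCK_TEMPLATE = ("firewall-cli add-rule deny from ${src_ip} "
                  "to ${dst_host} comment ${event_type}")


def _is_ip_or_cidr(value):
    """Accept a single address or a CIDR subnet, nothing else."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


# Per-field validators: a field is only substituted if its value passes.
VALIDATORS = {
    "src_ip": _is_ip_or_cidr,
    "dst_host": re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,253}").fullmatch,
    "event_type": re.compile(r"[a-z0-9_]{1,64}").fullmatch,
}

_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def render_response(template, event):
    """Substitute event fields into a response template, or raise.

    Every referenced field must exist, have a validator and pass it; the
    value is then shell-quoted so attacker-supplied event data (e.g. a
    spoofed hostname) cannot append extra commands.
    """
    def sub(match):
        name = match.group(1)
        if name not in event or name not in VALIDATORS:
            raise KeyError("unknown or unvalidated field: %s" % name)
        value = str(event[name])
        if not VALIDATORS[name](value):
            raise ValueError("field %s failed validation: %r" % (name, value))
        return shlex.quote(value)
    return _VAR.sub(sub, template)


def try_render(template, event):
    """Return the rendered command, or None if the event was rejected."""
    try:
        return render_response(template, event)
    except (KeyError, ValueError):
        return None
```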
Scalability

Even the best-run IT security departments can struggle to cope with the volume of security events generated by today’s advanced security devices and applications. Many organizations have geographically dispersed locations connected by expensive WAN links. Large organizations may have tens of thousands of computers, applications and network devices. All need to be managed as part of a corporate security strategy. Missing even a single critical event can mean the difference between detecting and thwarting an attack and a severe loss of data due to internal misuse or unauthorized outside access.

Tier-3 has addressed this challenge through a distributed architecture that allows local control of security issues while ensuring enterprise-wide visibility of all security events.

A hierarchical network of Huntsman Deciders can be built, with each Decider responsible for the collection and analysis of events within its designated Area. Areas can be logical network boundaries, physical locations, etc.

Deciders in the network may then communicate with each other to provide a top-down, enterprise-wide view of the security status of the network. The Deciders communicate using a Distributed Query mechanism, which is controlled on a per-event-type basis.

Alert results from any Distributed Query are displayed as a “paper-clip ID” on the originating Decider.

This mechanism allows administrators to manage and prioritize security events throughout the enterprise while remaining in control of network bandwidth utilisation.