Browse our IT security FAQ

Huntsman's unparalleled zero day technology and extensive coverage of network , operating system and application devices ensures a significant reduction in the potential financial and reputation risk associated with an information breach.

Huntsman^®'s unique approach to the area of security management and intrusion prevention ensures that every piece of information captured by Huntsman^® undergoes a rigorous evaluation before any decisions are made. The Huntsman^® approach greatly differs from existing methods and technologies, which are already displaying signs that they are unable to cope with the existing complexity and volume of attacks. Huntsman^® does not look to compare received information against a rule set or signature database of known attacks but instead compares received information against an established baseline model of normal activity - the dynamic system modelling capability. This baseline is automatically built up without the need for extensive customization or configuration and thus uniquely adapted to its host environment. It then contains a detailed set of enterprise specific information which consists of elements such as network conversations, user authorization and application behavior.

As Huntsman^® dynamically models the user application, operating system and network device activity and, through the process of learning and "contextualising" enterprise activities, is capable of automatically performing the otherwise human task of false positive identification and elimination. This significantly reduces the overall resource requirement and yet enhances the efficiency of enterprise security without compromising fundamental security principles.

All components of the Huntsman^® system are deployed via a wizard based installation process making the installation process a simple task. In addition to the wizard based deployment Huntsman^® data collection components are also compatible with enterprise software distribution programs for ease of wide scale enterprise deployment.

Further Huntsman^®'s dynamic system modelling capability minimizes the configuration and then "tuning" required before Huntsman^® begins protecting your network. Huntsman^®'s behavior can be tailored to suit the specific requirements of your network by using the wizard base tools available in the user interface.

At the core of Huntsman^®'s analysis engine lies an expert system. The expert system utilizes generic rule technology which in essence, incorporates the knowledge and experience of numerous highly skilled security experts and customer deployments into its decision making process. This rule set is one components of the Huntsman^® analysis process that allows the contextual analysis of events to isolate attacks and threat conditions.

In conjunction with the expert system Huntsman^®'s dynamic system modeling involves analyzing all collected events and establishing a normal baseline. Deviations from this baseline or anomalous events can then be detected and alerted upon.

Heuristics are also used to estimate the level of suspicion of particular events based on the past results of similar events. The heuristics take into account the cumulative effect of suspicious activity over time. In this way a continuously updated (dynamic) baseline of suspicious activity is established. Using this technique it is possible to track suspicious behavior which, of itself, does not warrant an alert, but when viewed in the context of past activity may indicate a likely security threat.

Users are able to customize the behavior of Huntsman^® by using the Autonomous Correlation Engine (ACE). ACE is a user driven graphical tool that allows security analysts to safely extend the rule set and tailor the behavior of the Huntsman^® system to their particular network. Users can construct powerful rules that will correlate events from disparate sources on a wide range of parameters. Rules can even be triggered or can include the results of analysis by other components of the inference engine.

In summary, the combined analysis processes used by Huntsman^® provide for the generic detection of current and future threats and is not limited to the number of rules that have been configured.

We recognize that no enterprise's reporting requirements are the same and as such has developed numerous report templates that can be readily executed by end users or easily customized to adapt to an organizations specific reporting requirements.

Huntsman^® reports can be scheduled via the user interface to occur on an adhoc or repetitive basis and can be sent to distinct users or groups of users.

Huntsman^® allows highly technical end users to execute raw SQL queries against the Huntsman^® database via the highly secured Huntsman^® ad-hoc reporting tool.

Huntsman^® does not consolidate, summarise or aggregate raw events performed during the collection and storage process. This means that Huntsman^®'s absolute definition of the actual event allows the user to link, in a forensic sense, the actual event with the security incident. No other vendor can provide this level of detail after the "event analysis" process has occurred.

• The ability to match the actual event recorded by Huntsman^® with the information at the original source device; and
• That with the construction of complex rules, the analysis engine (Decider) can correlate seemingly unrelated events with alerts, such as detection of stealth port scans that occur over extended periods, to deliver significantly increased power of detection.

As Huntsman^® does not alter the contents of the events it collects, a direct correlation can be established between the alerts raised by the Huntsman^® system and the original source of the event thus allowing Huntsman^® to be used in establishing the "proof" of an intrusion.

Huntsman^® is ideally suited for managed security service provides (MSSP) as it can function as a snap-in tool to assist with the existing process of data collection, consolidation of customer data. Huntsman^® has a number of front end and back end features that have been specifically designed to address the MSSP requirements.

Historically, management of security information within an enterprise has proven to be an onerous task with firewalls and IDS systems at the forefront of the list of hard-to-manage devices. These devices, and others, often output huge volumes of data in different formats making it difficult for security professionals to bring together, the analysis and identification of security incidents when they occur.

Past generations of security management tools allowed security professionals to capture security information to a central location and define a series of rules or signatures that allowed administrators to pick out noteworthy events. Other variations of these tools also allow for the inclusion of device-specific information such as machine and asset type in the rule base.

While usable, for these tools to be effective they rely heavily on the resource intensive task of security professionals continuously updating the signature database and device classification list, and having the necessary focus to pick out the less obvious attacks on a 24/7 basis.

Huntsman^®'s unique real-time approach to the complex area of security management has enabled users to solve the "needle in a haystack" problem and gain unprecedented levels of accuracy and confidence with minimal intervention.

Huntsman^® is the only truly pervasive IT threat management system.

A heuristic is a method which will give an estimate or approximate answer to a problem when the exact answer cannot be attained easily. There are two types of heuristic, problem specific, usually devised through experience or by consulting an expert in a particular field, and general purpose, usually devised through logical reasoning

Huntsman^® will help the enterprise maximise the utility and investment of existing security technologies and measures. It provides a focal point for the management of all IT security assets allowing the enterprise to quantify and measure the benefits derived from its security investments.

Additionally, Huntsman^® will free precious professional resources from the laborious task of manually sifting through masses of security to present only the relevant information, expediently, reducing security related downtime, ensuring the most appropriate and timely response to all current and future threats.

Huntsman^® can scale to even the largest enterprises using its distributed architecture. A hierarchical network of central Deciders can be built. Each Decider is responsible for its own Area, but is able to intelligently communicate with each other, ensuring that an enterprise-wide view of security is maintained.

No single security device, application or technique is foolproof. Clever hackers can circumvent most security single-point measures. Correlating seemingly unrelated events from diverse sources such as NIDS, HIDS, Operating system processes/applications, firewalls, VPNs, authentication servers etc., strengthens the overall security protection by broadening the monitored base. Attackers are therefore less likely to evade detection.

Huntsman^® implements are number of correlation layers. Generic correlation rules are built into the system. This correlation applies across the board to circumstances or conditions which should always be interpreted as a threat or security violation. An example of this type of rule is the NIDS Network Events (firewalls, routers etc) rule, which correlates inbound NIDS "alerts" to corresponding outbound network events.

The Autonomous Correlation Engine (ACE) provides a simple to use tool which allows administrators to leverage their expert knowledge of their particular network environment. Correlation can be carried out on any field in the Common Data Format (CDF) for any event captured by Tier-3 agents. Correlation triggers can either be the raw system events or Huntsman^® alerts. The rules can have either a historical or predictive perspective. Historical rules will search back through the database for conditions to match the rule while predictive rules require the Decider to wait for a predetermined period for rule matching conditions to occur.

Huntsman^® is also equipped with an Alert Correlation Engine which correlates multiple events into a single alert message using an "electronic paper-clipping" technique.

Security incidents and attacks are, by their very nature, random and unpredictable, it is impossible to tell where the next attack is coming from or when it is likely to occur. Tell-tale signs or events, which may appear innocent when viewed in isolation at the time of their occurrence, may assume a new more sinister context when viewed with future events.

The autonomous correlation engine ACE provides the knowledgeable administrator the means to correlate with future events. The ability to substitute variables (such as source/destinations addresses and subnets, signatures, usernames etc.) into the correlation triggers and conditions provides a high degree of flexibility. The administrator is empowered to predict and act on future events. If the predicted events do not occur within the specified timeframe then the rule can be ignored or a different alert message can be raised.

Device vendors rarely agree on standards and formats and when they do, the agreed standards are often no more than frameworks which provide ample room for differentiation. The result for customers and users who wish to take advantage of the various product features offered by vendors is a heterogeneous environment which can be difficult to manage.

Huntsman^® implements a standard CDF for all events collected and processed. This delivers the enterprise several advantages:

Each event is processed efficiently by the inference engine and rule base.

All devices and events are treated in a generic fashion thereby minimizing the size and complexity of the rule base.

Establishment of a normal baseline model is made more efficient, thus providing the anomaly detection capability.

Comprehensive correlation on any field is possible.

Different event types from different sources can be displayed in a flexible, user friendly format. The presentation can be changed simply using the supplied field mapping and column header translation tools.

The minimum system requirements* are set out in the table below.

Processor	OS	Hardware	Supported Databases
SPARC	Solaris 9 or 10	2 x 2.15 GHz SPARC64 VI Dual Core CPU or better	Oracle 10g R2 or greater
Intel or	Windows Server 2003 R2 or 2008 R2 32/64 bit Linux (RHEL 4/5, SLES 9, Ubuntu 8.04)	2 x Dual Core Xeon 2.5 GHz CPU or better 4GB RAM 1.2 GB Hard drive space	Microsoft SQL Server 2003 R2 or 2008 R2 Standard

*Individual requirements vary depending on several factors, Tier-3 will be happy to advise on the appropriate platform for your site.

Huntsman^® agents are small-footprint programs that have minimal impact on their host servers. No processing or analysis is carried out by the agent. Typically Huntsman^® agents use less than 2% of CPU cycles on their host system. Memory utilization varies between 2-8MB. 12Mb of disk space is used when fully installed.

Because the agents are "smart" they only collect and transport those events that are required by the Decider. Huntsman^® event traffic typically appears as only a minor increment of network traffic.