New software class provides big picture on network security

June 3, 2005

Security event monitors, the latest advance in security software, can help defend radiology departments against the growing onslaught of network attacks, according to researchers at the University of Pittsburgh Medical Center.

The monitors correlate data from various network system defenses and provide users with one unified source of security information, said Dr. Barton F. Branstetter IV, associate director of radiology informatics at the center.

"An emerging problem in network security is not the type of attacks, but the growing frequency and complexity of those attacks. What makes it even worse is the growing complexity of the systems that need defending," Branstetter said at a SCAR University session Friday.

New event monitoring tools can help hospitals gain a better understanding of the various ways their networks may be attacked. Branstetter used a pyramid model to describe a hospital's network security. At the base of the pyramid are static defenses, such as firewalls. These are essentially "dumb" defenses that do not analyze attack types or even know that they have been breached. They simply block certain transactions and log those results.

Moving up the pyramid, the second line of defense consists of more analytical software tools, including:

  • Intrusion detection systems that "sniff" network traffic and look for suspicious conversations, such as broadcast messages and increased traffic

  • Probes that mimic hackers and can alert administrators to weak points in the system

  • System integrity verifiers that look for changes in system files

  • Log file monitors that detect patterns of rejection events, such as repeated failed logins

But even these more intelligent security software systems can't deal with security data overload, Branstetter said. Larger organizations can generate up to 10 megabytes of security data a minute. With so many attacks, often coming from a variety of sources, managing the amount of incoming data can be nearly impossible.

This is where security event monitors, which sit at the top of the security pyramid, step in. They gather data from all the systems that sit below them in the security pyramid and correlate the information by time and type of event.

In essence, these tools provide a meta-analysis of all the collected security data. This analysis arms administrators with one information source that allows them to determine the timing and recurring sources of attacks. They can then prepare for impending attacks, find system loopholes, and develop containment strategies, Branstetter said.
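The correlation step described in the two paragraphs above can be shown in miniature. The script below is an added example written for this page; it is not code from the article, from Branstetter's session, or from UPMC, and the three log formats, the addresses, the host name pacs01 and the sensor names (firewall, ids, logmon) are all constructed for illustration. It pulls records from a firewall, an intrusion detection system and a log-file monitor watching failed logins, normalizes them into one event schema, and correlates them by source address, event type and time window so that a recurring attack source shows up once, in one report, with every sensor that saw it.

```python
"""Toy security event monitor, in the spirit of the top tier of the pyramid
described above: it ingests records from lower-tier defenses (a firewall, an
intrusion detection system, and a log-file monitor watching failed logins),
normalizes them into one event schema, and correlates them by source address,
event type and time window so recurring attack sources surface in one report.

The three log formats and all log lines are constructed for this example;
they are not any real product's format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

LOG_YEAR = 2005  # syslog-style lines carry no year; assumed for this sample

# Constructed firewall denies: a static defense that blocks and logs, nothing more.
FIREWALL_LOG = """\
2005-06-03 09:00:01 DENY src=10.1.2.3 dst=192.168.5.10 dport=445
2005-06-03 09:00:04 DENY src=10.1.2.3 dst=192.168.5.10 dport=139
2005-06-03 09:00:09 DENY src=10.1.2.3 dst=192.168.5.11 dport=445
2005-06-03 09:15:00 DENY src=172.16.9.9 dst=192.168.5.20 dport=80
"""
# Constructed IDS alerts: sniffed traffic judged suspicious.
IDS_LOG = """\
[2005-06-03T09:00:07] ALERT portscan from 10.1.2.3 -> 192.168.5.0/24
[2005-06-03T09:20:30] ALERT sql-injection from 172.16.9.9 -> 192.168.5.20
"""
# Constructed log-file monitor output: rejection events (failed logins).
AUTH_LOG = """\
Jun  3 09:00:12 pacs01 sshd: Failed password for root from 10.1.2.3
Jun  3 09:00:15 pacs01 sshd: Failed password for admin from 10.1.2.3
Jun  3 09:30:00 pacs01 sshd: Failed password for radiologist from 192.168.5.77
"""

FW_RE = re.compile(r"^(\S+ \S+) (\w+) src=(\S+) dst=(\S+) dport=\d+$")
IDS_RE = re.compile(r"^\[(\S+)\] ALERT (\S+) from (\S+) -> (\S+)$")
AUTH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd: Failed password for \S+ from (\S+)$")


class Event(NamedTuple):
    """One record in the unified schema every sensor is normalized into."""
    ts: datetime
    sensor: str  # which defense reported it
    kind: str    # normalized event type
    src: str     # source address
    dst: str     # target host or network


def parse(text, pattern, to_event):
    """Run one sensor's regex over its log and normalize each match."""
    return [to_event(m) for m in map(pattern.match, text.splitlines()) if m]


def collect_events():
    """Gather events from every lower-tier defense into one list."""
    fw = parse(FIREWALL_LOG, FW_RE, lambda m: Event(
        datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), "firewall", m[2].lower(), m[3], m[4]))
    ids = parse(IDS_LOG, IDS_RE, lambda m: Event(
        datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%S"), "ids", m[2], m[3], m[4]))
    auth = parse(AUTH_LOG, AUTH_RE, lambda m: Event(
        datetime.strptime(m[1], "%b %d %H:%M:%S").replace(year=LOG_YEAR),
        "logmon", "failed_login", m[3], m[2]))
    return fw + ids + auth


def correlate(events, window=timedelta(minutes=5)):
    """Group events by source address and flag a source as correlated when two
    or more different sensors report it within `window` of each other."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        correlated = any(
            len({later.sensor for later in evs[i:] if later.ts - e.ts <= window}) >= 2
            for i, e in enumerate(evs))
        report[src] = {
            "count": len(evs),
            "sensors": sorted({e.sensor for e in evs}),
            "kinds": dict(Counter(e.kind for e in evs)),
            "first_seen": evs[0].ts,
            "last_seen": evs[-1].ts,
            "correlated": correlated,
        }
    return report


def build_report(window_minutes=5):
    """Unified view over all constructed logs, most active source first."""
    report = correlate(collect_events(), timedelta(minutes=window_minutes))
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["count"]))


if __name__ == "__main__":
    for src, info in build_report().items():
        flag = "CORRELATED" if info["correlated"] else "single-sensor"
        print(f"{src:15} {info['count']:2d} events {info['sensors']} "
              f"{info['first_seen']:%H:%M:%S}-{info['last_seen']:%H:%M:%S} {flag}")
```

In this sample, 10.1.2.3 is reported by all three sensors within 15 seconds and is flagged immediately, while 172.16.9.9 appears in the firewall log and the IDS log five and a half minutes apart, so it is flagged only if the correlation window is widened to ten minutes. That window is the knob an administrator tunes when deciding how far apart in time two sensor reports may be and still count as one attack, and it is exactly the kind of judgment the pyramid's lower tiers cannot make on their own.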