How do you manage and measure the IT security of an enterprise? A new approach from Core Security is aiming to provide an answer: a system that will be able to leverage both physical and virtual assets to test IT security -- and hitting a potentially staggering number of likely soft spots in the process.
The Core Insight Enterprise platform, now in beta, provides an automated test bed that builds on the Core Impact penetration testing application by stringing together multiple attacks to test IT security.
"This is a product for the enterprise and it does run on an automated basis," Fred Pinkett, vice president of product management at Core Security, told InternetNews.com. "What we're really trying to get at is what we refer to as the security test and measurement market to help security execs get a level of visibility and insight into their security posture."
From a deployment perspective, the Core Insight Enterprise platform runs its automated testing from either a physical hardware appliance or a virtual software appliance. Pinkett said that appliances can work together in a master-and-auditor arrangement: the auditor appliances perform the tests, while the master appliance schedules the tasks and collects the data.
"We're targeting right now to have 10,000 targets per appliance, and targets are either systems, Web users or webpages," Pinkett said. "I can also see up to ten appliances being put together so you're looking at something that could test up to 100,000 potential targets."
Core Security is no stranger when it comes to identifying risk in applications. Earlier this year, a Core Security researcher exposed a critical flaw in Microsoft's IE browser.
Key to the company's newest offering is the idea of goals: Pinkett explained that if an attacker is going to try and penetrate an enterprise's network, they'll likely have a goal already in mind for the target and the information that they're after. In turn, the same approach should then be used for security professionals when trying to determine how to defend against threats.
Users then set up what Core Security calls campaigns: instructions for Core Insight Enterprise to pursue a particular goal through regular, automated penetration tests, Pinkett explained. A campaign is configured from a user-provided starting point and can be scheduled, and the system produces automated reports on the results of each campaign.
"You start with the Core Impact engine, which allows for Web, client and network exploitation, and those attack vectors can be shared in a campaign," Pinkett said. "Those attacks are combined in Core Insight Enterprise with an attack path testing algorithm."
Pinkett explained that the algorithm starts with information from the network. Then the system computes the possible routes to the campaign goal using information from Core Security's own knowledge base on the likely effectiveness of certain attack paths.
"What you end up with is real-world attack paths that people can use potentially to get at sensitive data, so those are the attacks that enterprises will need to mediate," Pinkett said.
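As an added illustration of the goal-directed, likelihood-weighted path search described above, the following Python (a constructed toy model, not Core Security's algorithm or code) finds the most likely path from a starting point to a goal asset and then ranks single fixes by how much they lower that likelihood, which is the remediation question the quote raises. The asset names and the per-step likelihoods in EDGES are made-up sample data standing in for the knowledge-base effectiveness scores the article mentions.

```python
import heapq
import math
# Constructed sample network: "from" -> {"to": assumed likelihood that the step succeeds}.
# The numbers are invented and stand in for knowledge-base effectiveness scores.
EDGES = {
    "internet":    {"web_server": 0.8, "vpn_gateway": 0.3},
    "web_server":  {"app_server": 0.6, "workstation": 0.2},
    "vpn_gateway": {"workstation": 0.7},
    "workstation": {"app_server": 0.5, "db_server": 0.4},
    "app_server":  {"db_server": 0.9},
    "db_server":   {},
}

def most_likely_path(edges, start, goal):
    """Return (likelihood, path) maximising the product of step likelihoods.
    Maximising a product of probabilities == minimising the sum of -log(p), so Dijkstra applies."""
    best = {start: 0.0}   # node -> lowest accumulated -log(p) found so far
    prev = {}
    heap = [(0.0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best.get(node, math.inf):
            continue          # stale heap entry, a cheaper route was already found
        for nxt, p in edges.get(node, {}).items():
            if p <= 0:
                continue      # a zero-likelihood step is not a usable path
            new_cost = cost - math.log(p)
            if new_cost < best.get(nxt, math.inf):
                best[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(heap, (new_cost, nxt))
    if goal not in best:
        return 0.0, []        # goal unreachable from the starting point
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return math.exp(-best[goal]), path[::-1]

def best_single_fix(edges, start, goal):
    """Remove each edge in turn; return (edge, remaining likelihood) that lowers goal reachability most."""
    results = {}
    for src, nbrs in edges.items():
        for dst in nbrs:
            trimmed = {s: {d: p for d, p in n.items() if (s, d) != (src, dst)}
                       for s, n in edges.items()}
            results[(src, dst)] = most_likely_path(trimmed, start, goal)[0]
    return min(results.items(), key=lambda kv: kv[1])

print(most_likely_path(EDGES, "internet", "db_server"), best_single_fix(EDGES, "internet", "db_server"))
```

On the sample data the most likely path is internet to web_server to app_server to db_server (likelihood 0.432), and the single fix that helps most is closing the app_server to db_server step, which leaves the goal reachable only at 0.084.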
He added that, with the system running regularly on an automated basis, Core Insight Enterprise will be able to report how many potential security breaches existed in the enterprise within a given timeframe. It can also be configured to raise alerts when it detects a PCI compliance violation.
Currently in beta, the Core Insight Enterprise solution is targeted for general availability by the end of 2010.