In response to a couple of emails I got from readers regarding the post about HPSS detecting malicious activity earlier than most NIDS/NIPS, I wanted to take a moment and clarify a couple of things.
First, HoneyPoint Security Server (HPSS) is not a panacea. It is one component of a network defense. MSI does not suggest you replace your existing defenses with HPSS; we suggest that you integrate HPSS into your existing environment and use it as a tool to identify malicious traffic in a new way. Quite frankly, by pairing HPSS with a system and log monitoring tool like OSSEC, you can quickly, easily and cheaply build a pretty effective defensive posture for your internal systems, and then evolve toward using NIDS/NIPS as forensic tools, where they deliver much better ROI.
HPSS is designed to integrate into existing security architectures. Our console can simply drop our security alerts to syslog/event logs and hand them off to any existing tools, aggregators or SIM products you may have in place. Our plugin interface allows you to use third party tools to do things like send SNMP alerts, communicate with other network devices and facilitate IPS-style responses such as quarantine, automated port shutdowns and the like.
By leveraging HPSS and the new capabilities it brings for detecting malicious behaviors, you can make your IDS/IPS posture that much more effective. In the port-scanning scenario from the previous post, our HoneyPoint detected a single connection. Because a HoneyPoint offers no legitimate service, that one connection, depending on your environment, could be grounds enough to warrant an IPS-style response. So HPSS could send an alert to your IPS or SIM, which could then take whatever action you deem appropriate, whether that is an email alert to an admin or an automatic shutdown of the offender's port on the network switch by your IPS. The point is that you make the decision, as always, on how to handle issues; HPSS simply gives you a faster, more reliable way to identify the bad stuff and can communicate with whatever security infrastructure you already have to facilitate the response.
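To make the alert-to-response hand-off concrete, here is an added example (not HPSS code, and not MSI's plugin interface) of the consumer side of that pipeline: a small Python script that reads honeypot-style alert lines from syslog and maps each one to a response the IPS or SIM would carry out. The syslog line format, the host names, the network ranges and the "authorized scanner" subnet are all constructed for the example; a real deployment would use the console's actual log format and the site's own address plan. The decision logic shows the checks a practitioner adds before wiring a single honeypot hit to an automatic port shutdown: skip known scanners so the vulnerability-assessment box does not get itself quarantined, only act on completed TCP connections (a lone SYN can carry a forged source address, so blocking on it would let an attacker get arbitrary hosts cut off), and suppress repeat actions for a host that has already been dealt with.

```python
"""Route honeypot alerts from syslog to a response decision.

Added example, not HPSS code. The alert line format, hosts and networks
below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed syslog-style alert lines in a hypothetical format. The fifth
# line is unrelated noise to show that the parser skips what it does not own.
SAMPLE_ALERTS = [
    "Nov 12 10:01:07 hpconsole honeypoint: src=10.20.30.44 dst=10.20.30.200 dport=22 proto=tcp state=connected",
    "Nov 12 10:01:09 hpconsole honeypoint: src=10.20.30.44 dst=10.20.30.201 dport=445 proto=tcp state=connected",
    "Nov 12 10:02:15 hpconsole honeypoint: src=10.20.99.5 dst=10.20.30.200 dport=22 proto=tcp state=connected",
    "Nov 12 10:03:00 hpconsole honeypoint: src=203.0.113.9 dst=10.20.30.200 dport=80 proto=tcp state=syn_only",
    "Nov 12 10:03:10 hpconsole sshd[4411]: Accepted publickey for ops from 10.20.1.7",
    "Nov 12 10:03:30 hpconsole honeypoint: src=10.20.30.44 dst=10.20.30.202 dport=3389 proto=tcp state=connected",
]

ALERT_RE = re.compile(
    r"honeypoint: src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) state=(?P<state>\w+)"
)

# Hypothetical site policy. The authorized vulnerability scanner is expected
# to touch honeypoints and must be reported but never quarantined.
AUTHORIZED_SCANNERS = [ipaddress.ip_network("10.20.99.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Alert:
    src: IPAddr
    dst: str
    dport: int
    proto: str
    state: str


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a honeypoint line, or None for anything else."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(ipaddress.ip_address(m["src"]), m["dst"],
                 int(m["dport"]), m["proto"], m["state"])


def in_any(addr: IPAddr, nets) -> bool:
    return any(addr in net for net in nets)


def decide(alert: Alert, already_actioned: Set[str]) -> str:
    """Map one alert to 'notify', 'quarantine' or 'suppress'."""
    if in_any(alert.src, AUTHORIZED_SCANNERS):
        return "notify"  # expected traffic: tell the SIM, never block
    if alert.state != "connected":
        # A half-open SYN can carry a forged source address, so an automatic
        # block here could be turned against legitimate hosts. Only a
        # completed handshake, which cannot be forged off-path, drives action.
        return "notify"
    if str(alert.src) in already_actioned:
        return "suppress"  # port already shut for this host; no duplicate action
    if in_any(alert.src, INTERNAL_NETS):
        already_actioned.add(str(alert.src))
        return "quarantine"  # one real connection from an inside host is enough
    return "notify"  # external source: leave it to the perimeter controls


def process(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Run every line through parse + decide; returns (src, dport, action)."""
    actioned: Set[str] = set()
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        results.append((str(alert.src), alert.dport, decide(alert, actioned)))
    return results


if __name__ == "__main__":
    for src, dport, action in process(SAMPLE_ALERTS):
        print(f"{src:>14} -> honeypoint port {dport:<5} {action}")
```

In this run the internal host 10.20.30.44 is quarantined on its first completed connection and its two later hits are suppressed rather than generating further switch commands, the scanner subnet only produces a notification, and the external SYN-only touch is reported but not blocked. The actions are returned as strings so the same decision function can feed whichever transport the existing infrastructure expects: an SNMP trap, a syslog line to the SIM, or a call into the IPS.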
This is just another way that HPSS achieves such a high ROI. You gain new capabilities without throwing away the investments you have already made. Add to that the fact that HPSS runs on your existing hardware, lowers your false positive rate to near zero (a HoneyPoint has no legitimate users, so any connection to it is worth a look) and helps you focus on real security issues instead of chasing ghosts, and you can pretty easily see why people get so excited about it.
I hope that answers the questions about HPSS integration and strategy. Feel free to email me or give me a call to discuss any other questions you may have!
