
NeuralIQ reinvents the honeypot

June 27, 2010

It’s a little startling to see retired Admiral Bill Fallon, former aviator and head of Central Command, sitting in his shirtsleeves in a bland, windowless conference room in an Alexandria, Va. office park. Once described as the only man standing between President George W. Bush and war with Iran, Fallon — the boss of Gen. David Petraeus at the time — retired in 2008, following an incident involving comments in a magazine article the president didn’t like. (Maybe Gen. Stanley McChrystal didn’t get the memo.)

Now, Fallon, who served for 41 years, is standing between you and people who would do malicious things to your network. Well, not literally. But among his many interests, he is the CEO of the government services group at NeuralIQ, working out of a small office suite in Alexandria, Va.

“As geographic combatant commander, I dealt with cyber security all the time,” he said. As for NeuralIQ? “I hadn’t seen anything like it and I’d seen a lot.” So he agreed to help the company establish a federal beachhead.

Kirkland, Wash.-based NeuralIQ is getting a lot of attention for its flagship product, Event Horizon. It creates logical copies of any node on a network deemed critical. The virtual machines are open to the Internet, but because they don’t actually exist physically and are not doing production work, any traffic coming their way can be assumed to be malicious, and also headed towards the real network.

“They are designed from the ground up to be hacked,” said Wade R. Lance, NeuralIQ’s director of Deployment Engineering and Client services.

So how do the virtual machines differ from honeypots? Lance listed three reasons.

  • Unlike honeypots, virtual machines don’t require, or include, rootkits that are detectable to hackers.
  • Because the virtual machines are surrounded by their own firewalls, they can’t be used as a beachhead against the network they are supposed to help protect.
  • The analytical capability built into Event Horizon means the virtual machines don’t just generate voluminous logs that must be read, but instead give actionable information.

As events occur in the virtual machines, Event Horizon’s cool, radar scope-like display shows what is going on and what vulnerabilities need to be addressed. Lance says that because intrusions into the logical clone machines are by definition unwarranted, it is only necessary to watch what the malware is doing to figure out a defense. That means there is no need for a database of known threats.
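The detection principle described above (a clone does no production work, so any connection to it is unwarranted, and no signature database is needed) is easy to show in code. The following is an added example written for this post, not NeuralIQ’s software or anything from Event Horizon: it assumes a hypothetical inventory of decoy and production addresses and a constructed flow-log format, flags every source that touches a decoy, and then checks whether that same source also reached real hosts, which is the “also headed towards the real network” point made earlier.

```python
"""
Decoy-touch detection over constructed connection logs.

Principle from the article: a clone host does no production work, so any
connection reaching it is unwarranted and needs no database of known threats.
The decoy/production addresses and the log lines below are constructed for
this example (assumption); the log format "ts src dst dport action" is made up.
"""
from collections import defaultdict
import re

# Constructed inventory (assumption): which addresses are decoys, which are real.
DECOYS = {"10.0.5.10": "clone-of-web01", "10.0.5.11": "clone-of-db01"}
PRODUCTION = {"10.0.1.10": "web01", "10.0.1.11": "db01"}

# Constructed flow-log lines (documentation-range source addresses).
SAMPLE_LOG = """\
2010-06-27T10:00:01 203.0.113.7 10.0.1.10 443 ACCEPT
2010-06-27T10:00:05 203.0.113.7 10.0.5.10 22 ACCEPT
2010-06-27T10:00:09 203.0.113.7 10.0.5.11 3306 ACCEPT
2010-06-27T10:01:00 198.51.100.4 10.0.1.10 443 ACCEPT
2010-06-27T10:01:30 203.0.113.7 10.0.1.11 3306 ACCEPT
2010-06-27T10:02:00 192.0.2.9 10.0.5.10 80 ACCEPT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples, silently skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, _action = m.groups()
            yield ts, src, dst, int(dport)


def analyze(text, decoys=DECOYS, production=PRODUCTION):
    """
    Build a per-source report for every source that touched a decoy.

    Each entry lists the decoy events (timestamp, decoy name, port) and the
    production hosts the same source also contacted. Sources that never
    touched a decoy are not reported: the decoy is the only signal used.
    Severity is "high" when the source reached real hosts as well.
    """
    decoy_hits = defaultdict(list)
    prod_hits = defaultdict(set)
    for ts, src, dst, dport in parse_flows(text):
        if dst in decoys:
            decoy_hits[src].append((ts, decoys[dst], dport))
        elif dst in production:
            prod_hits[src].add(production[dst])
    report = {}
    for src, hits in decoy_hits.items():
        report[src] = {
            "decoy_events": hits,
            "production_hosts_also_contacted": sorted(prod_hits[src]),
            "severity": "high" if prod_hits[src] else "medium",
        }
    return report


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info["severity"], info["production_hosts_also_contacted"])
```

Note that the logic never consults a threat list: the only rule is "traffic to a clone is suspect", and the production-host cross-reference turns that into the actionable information the article says the product is meant to provide. In a real deployment the firewall around each clone (the second point in Lance’s list) is what keeps a compromised decoy from being used against the hosts it mirrors; this script only reads logs.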

In a demonstration I watched, which Lance said was not pre-recorded but occurring on the network at that moment, it was possible to see the progress of a clone penetration. It did feel a bit like watching video surveillance of a thief breaking into an illusionary store.

Fallon thinks Event Horizon fits in with the governmental trend towards continuous network monitoring. “It could dovetail with the Einstein project at Homeland Security,” he said, referring to the boxes DHS hopes to install at federal internet connection points.

Like other network discovery products, Event Horizon comes loaded on a rack appliance. Each 2U appliance supports 20 clone machines.