Intellitactics: Security Event Data Management for MSSPs

This is way beyond collating logs. It's about making the administrator's job easier by doing the grunt work in software.
Any service provider has a piece of software that tracks events on the network. Sunil Bhargava, CTO of Reston, Va.-based software provider Intellitactics, says his software is different from that. "Security companies have to make sense out of millions of logs generated by any medium to large enterprise," he says. "Then they need to determine which require action and which don't. We collect events in real time and add context." "For example, one of our customers used to run a NOC, but the average event was taking them 20 minutes to research." That was too long. "After they implemented our software, they reduced that time to 45 seconds, and we even reduced the number of alerts that staff had to give attention to." So the system requires customization and an understanding of what's normal on any client's network? Only for fine tuning, Bhargava says.
Efficiency plus added services

Example: Milton, Conn.-based Perimeter eSecurity. The company was using a home-grown system, explains Kevin Prince, Perimeter eSecurity chief architect. The company had made an acquisition in 2001 and developed, with IP from the acquisition, an event correlation system for intrusion detection. Nowadays, Perimeter eSecurity offers about 50 products, and customers were demanding data on how events related to firewalls, patching, and other vulnerabilities. That need for context led the company to Intellitactics. "The more services our customers buy from us," says Prince, "the more they benefit from Intellitactics." The idea is that the correlation of data encourages customers to rely on one security service provider. "Customers are trained to think in terms of single point solutions," says Prince. "Typically, they contact us about one product. The average customer has five products with us." Perimeter eSecurity provides customers with a portal that correlates all security event data. It details patching, anti-virus, and other services. Correlating data may reveal issues where no single alarm would trigger an investigation, Prince says. For example, if someone gets locked out of a server because of too many password retries, maybe they just fat-fingered it. But if a dozen servers report the same issue, staff should investigate.
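The lockout correlation Prince describes, as an added example that is not Intellitactics' or Perimeter eSecurity's code: it parses constructed lockout log lines (the line format, host and account names are assumptions) and raises an alert only when the same account is locked out on a dozen or more distinct servers inside a short window, so a single fat-fingered password never fires.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). A dozen servers lock
# out the same service account within two minutes; one user mistypes a
# password on a single host; a third account trips three hosts hours apart.
SAMPLE_LOGS = (
    [f"2024-03-01T09:0{i // 10}:{i % 10 * 5:02d} host=app{i:02d} "
     f"user=svc_backup event=ACCOUNT_LOCKOUT" for i in range(12)]
    + ["2024-03-01T09:02:10 host=app03 user=alice event=ACCOUNT_LOCKOUT",
       "2024-03-01T08:00:00 host=db01 user=bob event=ACCOUNT_LOCKOUT",
       "2024-03-01T11:30:00 host=db02 user=bob event=ACCOUNT_LOCKOUT",
       "2024-03-01T14:45:00 host=db03 user=bob event=ACCOUNT_LOCKOUT"]
)

# Assumed line format: "<iso timestamp> host=<h> user=<u> event=ACCOUNT_LOCKOUT"
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) event=ACCOUNT_LOCKOUT$")


def parse(lines):
    """Yield (timestamp, host, user) for each lockout line; skip other lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def correlate_lockouts(lines, window=timedelta(minutes=10), min_hosts=12):
    """Return {user: sorted hosts} for every user locked out on at least
    min_hosts distinct hosts within any span of length `window`."""
    by_user = defaultdict(list)
    for ts, host, user in parse(lines):
        by_user[user].append((ts, host))
    alerts = {}
    for user, events in by_user.items():
        events.sort()  # sliding window over events ordered by time
        for i, (start, _) in enumerate(events):
            hosts = {h for ts, h in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for user, hosts in correlate_lockouts(SAMPLE_LOGS).items():
        print(f"ALERT {user}: locked out on {len(hosts)} hosts {hosts}")
```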
The customer

When Perimeter eSecurity offers five products to a customer, that could be OS logs, IDS, and identity management, in addition to the more pedestrian anti-virus and anti-spam services. Are you more successful in specific verticals? Bhargava mentions finance, health care, and the federal government. He adds that telecommunications providers can be direct customers simply because their networks are so large that event correlation requires computer assistance. Bhargava says that a key advantage of the product is the massive variety of vendors it supports natively. He says that this is a particular advantage to MSSPs, who have to support a large variety of devices.
Billing, pricing, and availability

Prince says he charges his end users on a per-seat basis for most services (but IDS, for example, might be charged based on bandwidth). "With so many products, we try to keep billing simple." The bottom line, Prince says, is that "it is easy for us to maintain a balance between Intellitactics events [pricing] and our own billing."