ODS Networks applies statistical analysis to security

Using technology originally developed for ultra-security-conscious federal customers, ODS Networks Inc. last month introduced an off-the-shelf software package that enables agencies to collect and analyze data on network intrusions and related security problems.

The product, called CMDS Enterprise, continually collects data on traffic running across the network. By analyzing that data, the software is able to pick out patterns that can indicate security breaches, such as stolen passwords, according to the company.

CMDS Enterprise is one of the first commercial software products to apply statistical analysis methods to intrusion detection, according to Steve Schall, ODS' security product manager, in Richardson, Texas.

The software can easily answer one of the hardest questions in security: "What did John D. do today?" Schall said. Typically, that would mean sifting through the voluminous logs of multiple systems, he said. ODS' approach relieves customers of that tedious process because the system automatically collects and analyzes the data and alerts customers when there are "a couple of deviations" off the norm.

Because the system builds a behavioral profile of employees' patterns of computer use, significant deviations from the norm can be readily identified, the company said. The software combines network-based agent technology with server-based core analysis engines, a centralized database and a dedicated security console.
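To make the approach described above concrete, here is an added example (not CMDS or ODS code) of the statistical profiling the article describes. It reads authentication records gathered from several hosts into one place, builds a per-user baseline of daily activity (attempts, distinct hosts, failed attempts), scores the current day as z-scores against that baseline, and flags a user whose behaviour lies "a couple of deviations" off the norm, interpreted here as a threshold of 2.0. It also answers Schall's "What did John D. do today?" question from the same central store. The log format, the feature set, the threshold and the sample lines are all assumptions constructed for this demonstration.

```python
"""Per-user behavioural profiling over logs gathered from several hosts.

Added example, not CMDS/ODS code. Log format, features, threshold and the
sample lines are constructed assumptions for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from math import inf
from statistics import mean, pstdev

# Constructed sample (not real data): one line per authentication attempt,
# forwarded from several hosts to a central store. Four baseline days, then
# 9 March, on which "jdoe" starts hitting unusual hosts at 02:00 with failures.
SAMPLE_LOGS = """\
2001-03-05T08:12:01 fs1 auth: user=jdoe result=ok
2001-03-05T09:30:44 mail1 auth: user=jdoe result=ok
2001-03-05T08:40:10 fs1 auth: user=asmith result=ok
2001-03-06T08:05:31 fs1 auth: user=jdoe result=ok
2001-03-06T08:05:50 fs1 auth: user=jdoe result=fail
2001-03-06T08:06:02 fs1 auth: user=jdoe result=ok
2001-03-06T08:55:19 fs1 auth: user=asmith result=ok
2001-03-07T08:20:15 mail1 auth: user=jdoe result=ok
2001-03-07T10:02:37 fs1 auth: user=jdoe result=ok
2001-03-07T08:47:00 fs1 auth: user=asmith result=ok
2001-03-08T08:09:58 fs1 auth: user=jdoe result=ok
2001-03-08T13:15:22 mail1 auth: user=jdoe result=ok
2001-03-08T08:50:03 fs1 auth: user=asmith result=ok
2001-03-08T14:21:40 mail1 auth: user=asmith result=ok
2001-03-09T02:11:05 db1 auth: user=jdoe result=fail
2001-03-09T02:11:19 db1 auth: user=jdoe result=fail
2001-03-09T02:11:40 db1 auth: user=jdoe result=fail
2001-03-09T02:12:03 db1 auth: user=jdoe result=ok
2001-03-09T02:30:48 hr1 auth: user=jdoe result=fail
2001-03-09T02:31:10 hr1 auth: user=jdoe result=ok
2001-03-09T02:45:27 dev1 auth: user=jdoe result=ok
2001-03-09T08:14:33 fs1 auth: user=jdoe result=ok
2001-03-09T09:01:12 mail1 auth: user=jdoe result=ok
2001-03-09T08:49:51 fs1 auth: user=asmith result=ok
"""
TODAY = date(2001, 3, 9)          # the day being scored against the baseline
THRESHOLD = 2.0                   # "a couple of deviations" off the norm


@dataclass(frozen=True)
class Event:
    when: datetime
    host: str
    user: str
    ok: bool


def parse_logs(text: str) -> list[Event]:
    """Parse the constructed line format into Event records."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, host, _tag, user_kv, result_kv = line.split()
        events.append(Event(datetime.fromisoformat(ts), host,
                            user_kv.removeprefix("user="),
                            result_kv.removeprefix("result=") == "ok"))
    return events


def daily_features(events):
    """Per (user, day): (attempts, distinct hosts, failed attempts)."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.user, e.when.date())].append(e)
    return {k: (len(v), len({e.host for e in v}), sum(not e.ok for e in v))
            for k, v in buckets.items()}


def build_profiles(events, before: date):
    """Per user: (mean, population std dev) of each feature over days before `before`."""
    history = defaultdict(list)
    for (user, day), feats in daily_features(events).items():
        if day < before:
            history[user].append(feats)
    return {u: tuple((mean(c), pstdev(c)) for c in zip(*rows))
            for u, rows in history.items()}


def z_scores(feats, profile):
    """Deviation of each feature in std-dev units; a zero-variance feature that
    changes at all is treated as infinitely anomalous."""
    return tuple((0.0 if x == mu else inf) if sigma == 0 else (x - mu) / sigma
                 for x, (mu, sigma) in zip(feats, profile))


def score_day(events, day: date, threshold: float = THRESHOLD):
    """Return {user: (flagged, z-scores)} for `day`; users with no history are flagged."""
    profiles = build_profiles(events, day)
    results = {}
    for (user, d), feats in daily_features(events).items():
        if d != day:
            continue
        if user not in profiles:
            results[user] = (True, None)
            continue
        zs = z_scores(feats, profiles[user])
        results[user] = (any(abs(z) >= threshold for z in zs), zs)
    return results


def activity_for(events, user: str, day: date):
    """'What did John D. do today?': every attempt by `user` on `day`, all hosts, in order."""
    rows = sorted((e for e in events if e.user == user and e.when.date() == day),
                  key=lambda e: e.when)
    return [f"{e.when:%H:%M:%S} {e.host} {'ok' if e.ok else 'FAIL'}" for e in rows]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for user, (flagged, zs) in sorted(score_day(evs, TODAY).items()):
        print(user, "ALERT" if flagged else "normal", zs)
    print("\n".join(activity_for(evs, "jdoe", TODAY)))
```

On the sample, jdoe's baseline is about two attempts a day on one or two hosts with at most one failure, so nine attempts across five hosts with four failures scores well beyond two standard deviations on every feature, while asmith's single login stays within the noise. The zero-variance rule in `z_scores` matters in practice: a user who has never had a failed login produces a baseline with no spread, and a naive division would either crash or hide the first failure entirely.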

The system can quickly detect problems in networks as large as 100,000 users, according to ODS, which claims to have customers monitoring networks in the tens of thousands of users.

Unlike many other network security packages, CMDS uses its software agents only to collect data from the monitored systems; the analysis itself runs on the server.

To build a statistical profile, CMDS collects all the log data from the devices and systems it monitors, compresses it fivefold to save network bandwidth and sends it to the analysis engines. Competing products, by contrast, try to save network bandwidth by filtering the log files on each host, but according to ODS that filtering costs two to three times the host CPU overhead of its approach.

The base technology, originally known as the Computer Misuse Detection System, was acquired from developer Science Applications International Corp. last year, Schall said. Since then, ODS has improved the user interface, simplified installation and configuration, and redesigned the product for scalability.

The company also is expanding the scope of coverage to include not only servers and desktops but also routers and other intrusion-detection systems. This month, the company plans to add support for routers and for Cisco Systems Inc.'s NetRanger intrusion-detection software, Internet Security Systems Inc.'s RealSecure intrusion-detection system and Check Point Software Technologies Ltd.'s FireWall-1.

Besides the federal customers who acquired the software when it was supported by SAIC, numerous agencies have bought the commercial package, and three to four agencies have test installations, Schall said. The product also is available on the General Services Administration schedule from MicroAge Inc., Lucent Technologies and Lockheed Martin Corp.

ODS' approach is promising, said Matthew Kovar, a senior analyst with the Yankee Group, Boston. Many intrusion-detection system vendors admit they have "difficulty in searching through volumes of data," but ODS' approach seems to be "one of the best," he said.

-- Adams is a free-lance writer based in Alexandria, Va. She can be reached at cbadams@erols.com.