Kane Security Monitor (KSM), version 3.2, is the latest version of Security Dynamics Technology's intrusion-detection software. Despite the importance and popularity of network-based intrusion-detection systems such as RealSecure from Internet Security Systems and SessionWall-1 from Abirnet, their blemishes shine through when compared to KSM.
But don't jump on the KSM bandwagon until you understand its limitations as well. No single product will secure your enterprise; for true security you will need multiple lines of defence that include perimeter, internal, and system countermeasures. Nonetheless, KSM is worth a serious look as a final line of defence for system administrators managing Windows NT domains.
KSM is a passive, host-based security-monitoring tool that works by installing agent software on your Windows NT servers and workstations, which then report back to a central reporting console. It primarily logs counterpolicy actions on the server, such as failed log-ons, audit policy changes, user and group additions, and just about every other event the NT system and security event log can record.
The more interesting events are discovered through KSM's artificial intelligence engine, which is really a fancy way of describing how the product draws conclusions about attacks from the event-log data. For example, KSM will report a "hack attempt" after a certain number of failed log-ons. Then, if a successful log-on occurs during the hack attempt, KSM will report a "successful hack". Though the technology isn't perfect, it can give you a pretty good view of the state of your system's security.
The very characteristics that make KSM a system administrator's security dream (system event-log monitoring and OS-independent attack detection) can also make it a networking incubus. Because KSM only monitors event logs, most network-based attacks go unnoticed. We ran a battery of denial-of-service attacks against a KSM-monitored NT server, and KSM detected none of them. Popular attacks such as teardrop2 and User Datagram Protocol (UDP) floods crashed the NT server but didn't log attacks in KSM. In fact, the only way to know there is a problem with a system is when KSM logs an "agent service stopped" message.
One of the biggest changes I saw in KSM was in its robust graphs and reporting manager. The graphs have drill-down capabilities, which analyse the data in a multitude of ways, including by time and historical and periodical average. One feature I would like to see in future versions, however, is the capability to correlate events onto one graph. The report manager contains a hardy list of report types, including one for every event logged by KSM. The report format is excellent and the detail divine, and KSM can print the report to a file as well.
One of the first stages of any hacker attack is the scanning of ports on a system. Port scanning can be done with a dozen different freeware tools, including Nmap, Strobe, Portscan, Portscanner, and PortPro. Using these tools, I probed the KSM-guarded NT box, first scanning just the interesting ports (ports 1 through 2000) and then opening the scanning to all ports (ports 1 through 65,535). Of course, KSM did not detect any of these.
Also missed were the initial stages of a typical NT attack, which include establishing a null session and then enumerating the users, groups, and shares on the system. The next step, brute-forcing the discovered users' passwords, was detected by KSM. Using the NetBIOS Auditing Tool, we cycled through 12 user names and 20 common passwords trying to crack an account on the NT system; each failed log-on created an event log entry, and every one of them was detected by KSM.
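The threshold-and-escalation logic described above ("hack attempt" after a run of failed log-ons, "successful hack" when a log-on succeeds while the attempt is open) can be reproduced over event-log records. The following is an added example, not KSM's code: it uses the real Windows NT 4.0 Security log event IDs 529 (logon failure) and 528 (successful logon), while the record format, the threshold of five failures, the ten-minute window and the sample records modelled on the NetBIOS Auditing Tool run are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows NT 4.0 Security log event IDs for failed and successful logons.
LOGON_FAILURE = 529
LOGON_SUCCESS = 528

def parse_event(line):
    """Constructed record format: ISO timestamp,event id,user,source workstation."""
    ts, eid, user, ws = line.split(",")
    return datetime.fromisoformat(ts), int(eid), user, ws

def analyse(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (timestamp, verdict, workstation, user) alerts, KSM-style.
    A source with `threshold` failures inside `window` raises a 'hack attempt';
    a success from that source while the attempt is open becomes a
    'successful hack'. Threshold and window values are assumptions."""
    failures = defaultdict(deque)   # workstation -> recent failure timestamps
    attempt_open = {}               # workstation -> time the attempt was raised
    alerts = []
    for line in lines:
        ts, eid, user, ws = parse_event(line)
        recent = failures[ws]
        while recent and ts - recent[0] > window:   # drop stale failures
            recent.popleft()
        if ws in attempt_open and ts - attempt_open[ws] > window:
            del attempt_open[ws]                    # attempt has gone quiet
        if eid == LOGON_FAILURE:
            recent.append(ts)
            if len(recent) >= threshold and ws not in attempt_open:
                attempt_open[ws] = ts
                alerts.append((ts, "hack attempt", ws, user))
        elif eid == LOGON_SUCCESS and ws in attempt_open:
            alerts.append((ts, "successful hack", ws, user))
            del attempt_open[ws]
    return alerts

# Constructed sample: NAT-style cycling through user names from \\ATTACKER,
# preceded by one innocent typo and a normal logon from \\DESK01.
T0 = datetime(1998, 6, 1, 9, 0, 0)
def _ev(sec, eid, user, ws):
    return f"{(T0 + timedelta(seconds=sec)).isoformat()},{eid},{user},{ws}"

SAMPLE = [_ev(0, 529, "jsmith", "DESK01"), _ev(5, 528, "jsmith", "DESK01")]
SAMPLE += [_ev(10 + i, 529, u, "ATTACKER")
           for i, u in enumerate(["administrator", "guest", "backup"] * 4)]
SAMPLE.append(_ev(30, 528, "backup", "ATTACKER"))
```

Running `analyse(SAMPLE)` yields a "hack attempt" on the fifth failure from ATTACKER and a "successful hack" for the later success from the same source, while DESK01's single mistyped password produces nothing.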
Despite the natural limitations of a host-based intrusion-detection system, KSM's host-based design is a solid one. The agent software installs on NT and Novell machines, collecting data about the state of the event logs. The agents then send their data to the Auditor component, which acts as a central repository for the agent data. Finally, the Console displays the information collected by the Auditor. This three-tier architecture allows for a widely distributed security infrastructure.
Overall, KSM is a solid host-based system worth serious consideration. Its architecture and reporting structure will go a long way toward supporting future enhanced functionality and capabilities. But no intrusion-detection system alone will secure your enterprise. Rather, a mix of technologies, including authentication systems, firewalls, encryption, and both a network-based and a host-based intrusion-detection system, can form a solid security infrastructure capable of, at the very least, discouraging the majority of hackers away from your site.
Stuart McClure is the co-author of InfoWorld's Security Watch column and a senior manager at Ernst & Young Security Services, in Palo Alto, California.
The bottom line: good
Kane Security Monitor, version 3.2
This version of the host-based intrusion-detection system remains limited to event log monitoring, but offers a great way to round out your security infrastructure and detect host-based attacks.
Pros: Extraordinary graph drill-down, animation, and data reporting; solid architecture design; improved GUI.
Cons: Limited to event log-recorded attacks only; no data correlation.
Security Dynamics Technology, Bedford, Massachusetts; www.securitydynamics.com.
Platform: Windows NT 4.0.