Australian innovators attempt to 'SNARE' Linux users

A small Australian company has released an innovative Linux-based security tool, in an attempt to set the open-source darling on the path towards acceptance within organisations.

InterSect Alliance has developed the first integrated security "C2 style" auditing and event logging subsystem for the open source Linux operating system, beating much larger organisations to the punch. Its new tool, SNARE (System iNtrusion Analysis and Reporting Environment) has been developed with a goal of reducing the cost of entry into system auditing and host-based intrusion detection for system managers, simplifying the process of configuration, reducing resource requirements and providing meaningful reporting to end-users.

"C2-style" refers to an internationally adopted standard which encompasses a wide range of security standards, in particular the auditing system.

According to Leigh Purdie, director and principal security consultant, this is the first release of C2-compliant code for a host-based intrusion detection system, although there have been inroads made into the development of source code to address network-based intrusion detection.

The two systems differ in that while a network-based intrusion detection tool enables the user to determine when an intrusion is being attempted, the host-based system allows the user to identify when an intrusion has been successful.

Purdie believes that the lack of the SNARE code has hindered the adoption of Linux into widespread use by organisations in Australia. By releasing SNARE as open-source software, he hopes this will "set Linux on the path towards acceptance by organisations."

The SNARE auditing subsystem is designed to "enhance an organisation's ability to detect suspicious activity by monitoring system and user actions", as stated in its release report.
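The distinction drawn above, that a host-based system tells you when an intrusion has succeeded rather than merely been attempted, can be made concrete with a small analyser over an audit trail of system and user actions. The following is an added example written for this page, not SNARE's own code: the pipe-delimited audit-record format, the user names, file paths and thresholds are all constructed for illustration, and the rules only fire on actions whose audited result was a success.

```python
"""Minimal host-based audit-trail analyser (constructed example).

The record layout used here is hypothetical and is NOT SNARE's own format;
it only stands in for the kind of "system and user action" records a
C2-style auditing subsystem emits.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit trail.  Fields: timestamp | user | action | result | target
SAMPLE_AUDIT = """\
2001-11-08T09:00:01 | alice | login  | FAIL    | tty1
2001-11-08T09:00:03 | alice | login  | FAIL    | tty1
2001-11-08T09:00:05 | alice | login  | FAIL    | tty1
2001-11-08T09:00:07 | alice | login  | SUCCESS | tty1
2001-11-08T09:01:10 | alice | open   | SUCCESS | /home/alice/notes.txt
2001-11-08T09:02:30 | alice | setuid | SUCCESS | uid=0
2001-11-08T09:02:31 | alice | open   | SUCCESS | /etc/shadow
2001-11-08T09:05:00 | bob   | login  | SUCCESS | tty2
2001-11-08T09:05:20 | bob   | open   | FAIL    | /etc/shadow
"""

SENSITIVE_PATHS = {"/etc/shadow", "/etc/passwd", "/etc/sudoers"}  # assumed watch list
ROOT_ALLOWED = {"root"}          # users expected to hold uid 0 (assumption)
FAIL_THRESHOLD = 3               # failed logins before a later success is flagged
FAIL_WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    result: str
    target: str


def parse_audit(text):
    """Parse the constructed pipe-delimited records into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, result, target = [f.strip() for f in line.split("|")]
        events.append(Event(datetime.fromisoformat(ts), user, action, result, target))
    return events


def analyse(events):
    """Return (timestamp, user, message) alerts.

    Failed attempts are only kept as context (the 'attempt' signal a
    network IDS would report); an alert is raised only when an audited
    action actually succeeded, i.e. when something has already happened.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of recent FAIL logins
    escalated = set()                      # users observed gaining uid 0
    for ev in events:
        if ev.action == "login":
            q = recent_failures[ev.user]
            while q and ev.ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if ev.result == "FAIL":
                q.append(ev.ts)
            elif len(q) >= FAIL_THRESHOLD:
                alerts.append((ev.ts, ev.user, f"login succeeded after {len(q)} failures"))
                q.clear()
        elif ev.action == "setuid" and ev.result == "SUCCESS" and ev.target == "uid=0":
            if ev.user not in ROOT_ALLOWED:
                escalated.add(ev.user)
                alerts.append((ev.ts, ev.user, "gained uid 0"))
        elif ev.action == "open" and ev.result == "SUCCESS" and ev.target in SENSITIVE_PATHS:
            if ev.user not in ROOT_ALLOWED:
                tag = " (after escalation)" if ev.user in escalated else ""
                alerts.append((ev.ts, ev.user, f"accessed {ev.target}{tag}"))
    return alerts


def run_sample():
    """Run the analyser over the constructed trail; returns three alerts for alice."""
    return analyse(parse_audit(SAMPLE_AUDIT))


if __name__ == "__main__":
    for ts, user, msg in run_sample():
        print(f"{ts.isoformat()} {user}: {msg}")
```

Note that bob's failed open of /etc/shadow produces no alert: the audit record shows the attempt was refused, so nothing has yet happened on the host. Alice's sequence, by contrast, is reported three times because each audited step succeeded, which is exactly the "intrusion has been successful" signal the article attributes to host-based detection.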

Given the current debate surrounding staff-monitoring, Purdie was quick to point out that InterSect Alliance is neither responsible nor accountable for any privacy infringements occurring as a result of organisations using this system. However, the company does intend to provide privacy recommendations to organisations as a part of its training on the product.

"Privacy is critical in a lot of institutions. When we provide solutions we recommend one of the things they [organisations] implement is staff contact; to let staff know what is happening, why it's happening, what data is being used for," said Purdie.

SNARE fills Linux security void

The lack of integrated security features--perceived or actual--has long been a barrier to widespread Linux adoption.

According to an InterSect Alliance report, "the lack of host-based intrusion detection in the form of an auditing system, has been cited in the past by organisations as a significant contributor to the decision to choose alternative operating systems over Linux in operational roles."

InterSect Alliance decided to pursue the SNARE project as a means of addressing this shortcoming and therefore boost Linux's appeal.

While working on similar tools for other operating systems, such as Sun's Solaris and Microsoft's Windows NT--all of which contained an audit collection subsystem--the company realised the lack of this feature in Linux, and "thought something was missing," according to Purdie.

What followed was eight months of effort and "not having a life", said George Cora, director and principal security consultant.

While eight months seems minimal in software development terms, Purdie maintains that SNARE is actually the culmination of ten years' work on the host-based intrusion detection system, added to a combined total of more than twenty years' experience in security for the directors.

The short time to market can also be attributed to three other factors, according to Cora: "We have the programming skills, we have a small company that is not bureaucratic, and we put aside the established OSes (operating systems) and started from scratch."

He also maintains that the presence of the open-source community allowed them a shorter development time.

InterSect Alliance does not have the infrastructure in place to distribute SNARE commercially, but by using the open-source community, it was able to release the software quickly, to a widespread audience.

Cora believes that releasing SNARE as open source should also lead to a faster uptake of the product itself.

"If we had tried to commercialise this [rather than releasing as open-source software], people would be less eager to use it due to the cost of entry associated with it," Cora said.

This lowered cost of entry is the ingredient that will ensure much of the product's success. Already InterSect Alliance has received pre-release queries from local--and global--organisations.


Talkback (6 comments)

    Anonymous -- 08/11/01

    This is very good news!

    Knowledgeable people using their expertise to improve Linux is amazing. Even more amazing is to do it in such a short time. And the future of this project is saved because it has been open-sourced: this way, no-one can bury this tool by buying the company (or doing some other nasty things to technology professionals).

    Thank you guys!

    Anonymous -- 08/11/01

    Are they really first?

    http://linuxbsm.sourceforge.net/
    http://oit.ucsb.edu/~eta/swatch/
    http://jade.cs.uct.ac.za/idsa/
    http://sourceforge.net/projects/stjude

    Anonymous -- 08/11/01

    Good news and First...

    Anon is right in saying that there have been other logging tools for Linux; linuxbsm in particular has come a long way. Unfortunately though, some of these tools are either focused on different logging capabilities (eg: swatch is a log file watcher, it alerts users when a particular line occurs in arbitrary log files, and can actually be used in conjunction with SNARE), or seem to be stalled in development.

    SNARE is more like the Windows NT event logger, or the Solaris BSM subsystem - but we hope that the experience we've had with these systems (and others: AIX, netware, Unicos, ACF2/RACF, etc.) will lead to an even better implementation for Linux.

    The team at InterSect made sure that we held off releasing SNARE until we were confident that it could stand on its own feet against the auditing subsystems from other operating systems.

    The positive feedback that we're getting (thanks Sinner!) is certainly proving that people are interested, and we made the right decision.

    Anonymous -- 10/11/01

    Are they really first? (other)

    http://www.hert.org/projects/linux/auditd/index.html

    This one dates back to January 1999 if I am not wrong. Very similar to SNARE.

    However, SNARE regroups many functionalities that were not seen before. Congrats! Too bad it got a bad start with that wrongful article...

    Anonymous -- 29/03/04

    I have been using the snare products for windows and linux and it looks really good. Would like to know more about the snare server from people who are using it.

    Anonymous -- 02/08/04

    > Would like to know more about the snare server
    > from people who are using it.

    Drop the guys from Intersect Alliance an email. They'll provide you with a list of snare server users you could contact, if you're interested. Some examples include:
    * Several members of the Australian Intelligence community.
    * Australian DoD
    * Northrop Grumman
    * Several federal government departments
    * Several Financial/Insurance businesses

    Hope this helps.
