Information, and digital information in particular, is at the heart of most organizations today. Regrettably, information systems are nowadays under constant threat, and precious data is often at risk of being corrupted, disclosed, or even stolen by an unauthorized party. The financial ramifications of these risks are too great to be ignored. Unfortunately, existing information security solutions are not able to provide a comprehensive solution that ensures reliable and continuous protection against the existing threats compromising organizational data.
The reliance upon the Internet for carrying different kinds of communications, both within the organization's networks and with the outside world (the public, remote sites, business partners, etc.), together with the introduction into the market and the proliferation of many sophisticated miniature storage devices (e.g., USB-attachable devices used as disks) and other advanced technologies, presents new security challenges to which there is no satisfactory solution. Most existing IT security solutions are essentially improvements of earlier solutions, and are based on the outdated assumption that threats come only from external sources (e.g., the Internet). Therefore, most of the present IT security solutions regard entities within the organization's network as “trusted”, whereas entities outside the organization's network are regarded as “untrusted”. The increasing number of threats that use simple means and methods to create backdoors into the internal organizational network is alarming evidence of the weakness of the perimeter defense approach, which includes, for example, all existing gateway security products (e.g., firewalls, anti-virus, content inspection, IDS/IPS and other filters). Indeed, world-famous research groups recently estimated that over 80% of incidents of breaching organizational information security originate from inside the organization itself (maliciously or due to lack of awareness); therefore, it is critically important to achieve a balance between protection against external threats and protection against internal ones (e.g., employees, contractors, etc.), and to provide security personnel with a focused solution that allows them to effectively monitor activities involving computers in internal networks (for example, monitoring compliance with information security policies).
Attempts have been made to fill part of the security void described above; however, thus far, all the proposed solutions have suffered from major drawbacks: they either offer only a partial solution against the wide range of threats and/or are technologically lacking, and none is sufficiently comprehensive, straightforward, flexible and/or effective. For example, some solutions require that the network be scanned one computer after the other. For data security purposes, this is unacceptable due to the amount of time required to complete a questioning cycle of any significant number of devices. Other suggested partial solutions rely on agent applications, which must be installed on each device that is to be questioned and then must be managed on each of the devices where they are installed. An agent-based solution requires that every computerized device which is to be allowed to communicate with the organization's networks be installed with the appropriate agent application. The installations alone, whether automatic, semi-automatic or manual, require substantial human resources and may be quite time-consuming. An agent installation on any number of servers and workstations may fail to operate without the failure being noticed, causing a severe and undetected security breach. Agent installation is problematic from a technical point of view as well. When installing an agent, and for as long as the agent remains installed, it is necessary to ensure, for each computerized device on which the agent is or is being installed, that there are no conflicts between the agent application and other software components on that device. Such conflicts may hamper or even neutralize the operation of the agent. This creates a further ongoing burden on system administration resources and personnel. In addition, agent applications, even during normal operation, consume local and network resources.
A different group of information security tools includes various vulnerability scanners. Vulnerability scanners are typically used to detect unnecessary/unauthorized services, such as open ports, and other vulnerabilities, which are only a part of the vulnerabilities at the network and/or operating system level. Vulnerability scanners are not able to address all threats at the operating system level, nor threats which operate at the application level, which are quite common and may cause considerable damage to the organization. Another group of tools of interest, although not specifically intended for information security purposes, are inventory/asset modules. Inventory modules are commonly used by system administrators or by logistics personnel to produce inventory lists of the various hardware and software resources installed on the computers monitored by the inventory modules. However, as mentioned above, inventory modules are not intended for security purposes, and consequently are not able to produce inventory data which is focused on security threats. The data produced by inventory modules typically includes a large amount of irrelevant data, and the data relating to security threats may often be only partial from an information security perspective. Furthermore, in order to have some (although limited) relevance for information security purposes, an additional process of analyzing the large amount of data returned by the inventory modules is required in order to discover potential threats. This analysis, besides being lengthy, requires special expertise and great care. Furthermore, inventory modules are not able to scan a large number of computers in a substantially short time, and thus there is some chance that a security threat will remain undetected by the inventory module for a substantially long period of time, or may not be detected at all.
Some security threats need only a short period of time to cause substantial damage and must be detected and stopped as quickly as possible. Therefore, due to the long period of time required to obtain the inventory lists and the additional time required to analyze the returned data, as well as their lack of focus on security threats, inventory modules cannot provide an adequate IT security solution.