Administrators typically rely on systems such as intrusion detection systems (IDS), network intrusion prevention systems (IPS), and other devices, such as firewalls (collectively referred to herein as “security appliances”) to detect and prevent threats to their network assets. For example, a firewall can be configured to detect a flood of SYN messages—an indication that a denial of service or other attack is underway—and take one or more appropriate actions.
Unfortunately, certain attacks may successfully evade security appliances, potentially resulting in a significant amount of damage and/or loss of resources. For example, a newly created worm may spread substantially during the time it takes a security appliance vendor to write and propagate rules for detecting the worm. In some cases, threats may evade detection by being sufficiently narrow in scope (e.g., targeted at a particular subnet, a particular operating system version, etc.) that the security appliance vendor may not support rules for them. Other circumstances, such as employees not applying patches in a timely manner, can also pose security problems.
Therefore, it would be desirable to have a better way to detect and remediate security threats.