Technology Evaluation Centers

OKENA Brews Up a StormSystem that Secures All Applications

L. Taylor - 6/29/2002

OKENA Brews Up a StormSystem that Secures All Applications
Featured Author - Laura Taylor - June 29, 2002

Executive Summary

(SecurityWire) OKENA's announcement of their product line StormSystem indicates that they intend to grow and expand their innovative intrusion prevention system with highly integrated new add-ons. Having seen unprecedented success in obtaining funding and customers in one of the worst economies ever, Relevant Technologies expects OKENA to be a leading contender in an intrusion management market that has yet to boast a distinct leader.

Product Highlights

With the pending release of StormTrack, OKENA has rounded out its intrusion prevention product line to a suite of three highly integrated products. In a market where investment capital is hard to come by, OKENA not only found $ 12.4 million in venture capital funding, they managed to orchestrate over 100 customer installations in the same year.

OKENA's plan is to continue adding to their product line, and further develop more intrusion prevention products based on their proprietary INtercept COrrelate Rules Engine INCORE architecture. Their intrusion prevention system is anchored to the management console by StormWatch. The auxiliary products known as StormTrack and StormFront, complement the StormWatch agent that gets installed on the server (file, database, web or application server) or desktop and communicates with the central management console.

What is especially unique about OKENA's StormSystem is that is has the ability to learn. Let's say a new enterprise application comes out next month and even though it is something upon which you want to base your mission critical operations, you know that it is inherently insecure. StormFront can learn how the new application works, and give you all the information you need to develop a rule-set to load into the StormWatch agent. StormFront is not only smart and sophisticated, but the fact that it can learn and then enforce new application behavior means that it is also highly scalable -- as you add new applications to your infrastructure, you can secure them all.

For enterprises that have so many application servers, that they don't even know where they all are and what needs to be secured, StormTrack can scan and inventory all the applications hosted and running on servers on the network. With an application inventory, administrators can then understand which applications are out there, and which ones need to be secured by the StormWatch agent. You then put StormFront to work, which monitors and studies the unprotected applications over a period of time. StormFront can determine which files each application is supposed to write and read to, and which files it is not supposed to write and read to. With the information from StormFront, a rule-set is automatically generated that prevents the application from being manipulated by hackers into miscreant behaviors. You load the rule-set or policy' into the StormWatch agent which is already resident on the server or desktop.

One of the things we particularly like about OKENA's product line is the highly integrated user interface. Unlike some security products that are forced into a product line through mergers and acquisitions, OKENA's products were all developed to interoperate with each other using their proprietary INCORE technology architecture.

All three products cleanly integrate with the management console, allowing one interface for capturing, filtering, and understanding real-time log files, alerts, rule-sets and acceptable application behavior. Because of the dynamic and highly integrated nature of their products, a cost savings can be had since all three products work with the same management console. Once you have security products deployed, managing them is key to their success. Even if the only thing you do is read the logs files, you still need to understand how they work, and that they are in fact working. The easiest way to monitor your security products is through a central management console which is also Web-based.. A typical formula for calculating security ROI is to divide the Total Value of Assets (TVOA) by the Total Cost of Safeguards (TCOS). The smaller your TCOS value, the higher your ROI will be.

Total Value of Assets of Assets   $1,000,000
------------------------------ =
----------- ROI = 5:1 Total
Cost of Safeguards   $ 200,000


If you need to purchase a third-party management console, you increase the cost of your safeguards, and by doing so, decrease your potential ROI.

Figure 1. Corporate Information

Headquarters 71 Second Avenue, Waltham, Massachusetts, 02451
Product Line StormSystem
Products StormWatch, StormFront, StormTrack
Customer Scope Mid to Large Size Enterprise Networks
Industry Focus Information Technology, Federal Agencies, E-Commerce, Financial Services
Key Features INCORE Technology, Automated Learning
Employees 51
Website URL http://www.okena.com/
Contact Information 781-209-3200

 

Product Strategy and Trajectory

OKENA sells StormSystem directly as well as through its channel partners. With an OPSEC partnership with Check Point, OKENA hopes to assist Firewall-1 and VPN-1 customers that want the added protection of application security and extension of security out to the remote corporate desktop. While firewalls offer perimeter protection, the fact that firewalls create ingress and egress openings in necessary TCP and UDP ports means that those particular ports are susceptible to a variety of attacks.

There are quite a few employees at OKENA that are the same team that made AXENT and Raptor a success. As well, OKENA has been able to attract key development strategists from ISS and other prominent security vendors. Even though they are new players on the block, OKENA is hardly new to security. OKENA's expert knowledge of information security products, and the market, is a key, contributing factor to the early success they have seen so far.

Vendor Recommendations and Future Visions

The intrusion management market is a competitive market, and though there are no clear leaders, rival vendors are beginning to understand that detecting intrusions is not enough. Intrusion prevention is the next wave of intrusion management products, and contenders such as Entercept, SecureWave, and Harris are all vying for a piece of the market.

StormWatch's built-in intelligent agents are already more advanced than more intrusion management technologies, and since OKENA seems to understand security automation, it's time for customers to start asking them for the kind of enhancements that will add even more value to OKENA's already savvy intrusion prevention system. What we'd like to see going forward from OKENA, is a better way to classify application behaviors, relative to security concerns. Applications need to behave the way we want them to, and the way we expect them to. For example, all messaging applications should have certain things in common as far as behaviors go. Databases should have their own predictable behaviors, as should network infrastructure servers like DNS servers.

An analogy can be made to cars driving down the highway - all drivers are expected to follow certain behaviors that are for the most part predictable. Because drivers follow predictable behaviors, keeping the highways safe is straightforward. If the applications on your network followed predictable behavior patterns, it would improve the ability to more fully automate security. Since StormSystem is one of the most advanced security automation systems, OKENA seems well positioned to start setting standards for application behaviors. The challenge will be getting vendors to follow the rules once these standards have been set. For vendors who don't want to build security into their products, following application behavior rules would be a competitive advantage. If OKENA can make this happen, Relevant Technologies expects to see vendors start marketing their applications with some sort of "secured by OKENA" seal of interoperability.

User Recommendations

The larger your enterprise network, the more it makes sense to use a product line like StormSystem because you have more assets that you need to safeguard. The greater the value of your assets, the higher your risk exposure is. The fact that StormTrack can identify unprotected applications makes the product line particularly appealing to networks that have grown to epic proportions.

The following organizations can benefit from implementing StormSystem:

  • Large enterprise networks with valuable information assets

  • Organizations that have lost track of their application servers and databases

  • Financial institutions that need to protect monetary assets

  • Businesses that need to protect Microsoft or Solaris operating systems

  • Medical establishments that need to safeguard patient information

  • Technology developers that want to protect proprietary architectures

  • QA testers that want to understand how application security works

Copyright ©2002 Relevant Technologies, Inc. All rights reserved. This document requires prior permission before publication, transmittal, or storage on either hardcopy or softcopy formats.