Sourcefire Launches Open Source Razorback - Framework for Multi-Vendor Threat Detection and Protection

July 30, 2010

The Razorback is an open source framework designed to deliver deep inspection capabilities for combating today's most complex threats. In addition, Razorback has the ability to link together an organization's detection investments and maximize their effectiveness -- providing greater visibility and intelligence into the threats detected by a variety of security solutions. Developed to help coordinate the response against Advanced Persistent Threats (APT), Razorback enables users to easily collect, analyze and store threat data from disparate technologies, so that they can implement customized enterprise- and threat-specific detection and remediation.

"The fear attributed to the common computer security breach has been elevated by the concept of an adaptive persistent adversary (APA) and the potential for multiple advanced persistent threat (APT) vectors," explains Andrew Hay, Senior Analyst at The 451 Group. "We are pleased to see this evolutionary step in the right direction, and hope it is the first of many."

Razorback's goal is to act as an overlay solution and deliver centralized correlation, analysis and action by coordinating Intelligence Driven Response (IDR) processes using custom built and existing security tools (anti-virus, IDS, gateways, email, etc.). IDR goes beyond traditional incident response. It allows users to drive the information learned about specific attackers back into their security infrastructure for a truly customizable response to human adversaries. Razorback provides deep analysis and reporting by storing, in full, every piece of data identified that could indicate a compromise or attack and specifically highlights the components of that data which cause the system to trigger an alert. Additionally, Razorback enables targeted forensics information on common attack vectors.

"Open source is at the core of everything Sourcefire does, and Razorback is the latest innovation providing users with the ability to protect themselves from today's sophisticated threats," said Martin Roesch, Founder and CTO of Sourcefire and Creator of Snort. "Sourcefire is known for pushing the detection envelope and Razorback's near-real time detection and analysis engine delivers a timely solution for addressing client-side malware and attacks. We leveraged this knowledge to provide a framework that can tie together disparate security technologies and convert intelligence gathered on attacker methodology into detection and remediation capabilities."

The innovative Razorback framework performs detection in near-real time (in terms of seconds), allowing for in-line blocking on "store and forward" services, such as email services or web proxies, and providing timely alerts in the event of an attack. It also provides enterprises with the ability to convert intelligence gathered on attacker methodology into detection capabilities, enabling them to rapidly develop and protect against targeted threats or Zero-Day vulnerabilities.

"Razorback was designed to address the current challenges of today's threat landscape where attackers are specifically creating attacks to avoid off the shelf tools and technologies," said Matt Watchinski, Senior Director of the Sourcefire Vulnerability Research Team (VRT). "The power is in combining the intelligence of an organization's security infrastructure with fast and detailed analysis. By providing advanced detection capabilities for uncovering highly obfuscated, difficult-to-detect attacks along with detailed output, Razorback gives response teams a head start on analyzing attacks."

A simple interface allows enterprises to integrate and extend functionality quickly and easily. Sourcefire will continue to develop additional capabilities and publish data collectors, detection engines, analysis software and output handlers to maximize the value of Razorback and encourage innovation from the open source community. Like other open source technologies, Razorback is available at no charge.