Today, BreakingPoint Systems Inc. is launching Storm CTM (Cyber Tomography Machine), a network equipment testing product that simulates full-blown attacks and applications and reports back on the overall security and resiliency of a system’s infrastructure under that stress.
BreakingPoint, which was founded by the creators of TippingPoint, has been providing cybersecurity services for the last five years and says the Storm CTM product will provide the only truly credible data about the overall resiliency of a system. CivSource spoke with Scott Register, director of project management, and Kyle Flaherty, director of marketing, about the product and what resiliency scoring means for cybersecurity.
According to BreakingPoint, Storm CTM essentially takes an x-ray of network and data center devices to find all of the different stress fractures, or problems in the system, and reports back with an overall score that allows the user to determine where vulnerabilities exist before they are exploited. Register and Flaherty note that currently, users primarily rely on the information about equipment or applications provided on the data sheet, but that those numbers are basically marketing numbers established in optimum conditions.
This can mean that when the equipment or application is deployed it acts much more slowly or is more vulnerable because of the real-world data it’s confronted with. They also point out that it’s just not feasible to create a server farm with enough power and space to generate an attack that matches the real thing ahead of a deployment or periodically as part of protecting a system.
According to Register and Flaherty, Storm CTM circumvents the data sheet/server farm scenario and utilizes BreakingPoint’s existing cyber attack and security information to perform stress tests that more closely simulate real-life attacks. The resulting overall score is a combination of performance, stability and security. Users can then take the resiliency data and hold their vendors accountable for vulnerabilities.
“We’re taking the voodoo out of cybersecurity,” Register said.
Current BreakingPoint customers, including enterprises, organizations and governments, were automatically upgraded to the Storm CTM system. Register and Flaherty point out that for their government clients, especially, the potential to hold vendors accountable is significant.
Several states, including Ohio, Tennessee, and Texas, are currently working on legislation that would require security certifications like resiliency scoring. There is also activity at the federal level, including legislation sponsored by Senator Jay Rockefeller (D-W.V.), as well as activity in the OMB to bring FISMA in line with industry best practices on these issues. The FCC is also looking at resiliency as part of a broader framework guiding its cybersecurity planning.