3Com's TippingPoint: Bot Terminator
By Baselinemag | Posted 2006-04-06
3Com's TippingPoint was among the first developers of devices that automatically block malicious or unauthorized network activity.
How to strengthen your network's immune system against constantly mutating digital pathogens? One step: Give it a shot in the arm with an intrusion prevention system.
TippingPoint, bought last year by 3Com, was among the first developers of devices that automatically block malicious or unauthorized network activity, without having to be touched by an administrator. Traditional firewalls and intrusion detection systems, by contrast, require humans to analyze and respond to new threats.
That means intrusion prevention systems can sniff out, and stop, unwelcome activity that a company may not have otherwise even noticed. T. Rowe Price, the $1.5 billion mutual fund and brokerage company, installed TippingPoint's intrusion prevention security devices in October 2004. The goal: to provide an additional layer of security for its perimeter defenses, says Scott Davis, manager of network security.
But by then, invaders had already burrowed through its barriers. Davis' team of five security administrators saw that TippingPoint's devices were stopping thousands of spyware connections originating from some of T. Rowe Price's 5,000 desktop computers. "The spyware filters started triggering en masse," he says. In 2005, TippingPoint's gear blocked 480,000 spyware connections at the company.
According to Davis, the company's technical staff could have stopped some of the spyware agents using antivirus software and other security mechanisms, but that it would have been a manual and reactive process. The intrusion prevention system allowed him to almost completely automate the operation. Now, he says, "we're blocking spyware download attempts before they get to our machines."
For Gordon Bass, chief information security officer for the American Red Cross, a big part of TippingPoint's appeal was that it could block undesirable network traffic immediately after plugging into the network, without requiring up-front tweaking or training (see sidebar).
"We didn't have time to learn a product that needed extensive fine-tuning," he says. Here's why: It was early September 2005, a week after Hurricane Katrina nailed the southeastern U.S. The Red Cross was opening its network to provide access from many of its 1,000 shelters in the region to let victims displaced by the storm use Web-based applications, such as a family-locator database.
Literally overnight, Bass and his team needed an intrusion prevention system to isolate the Red Cross' internal network, with more than 20,000 computers, from publicly accessible segments. TippingPoint sent one to the Red Cross the day after Bass requested one; right after his team plugged it in, the system's monitoring screens showed Bass that it was dropping traffic from bots and other malware.
"We knew we were stopping that stuff cold right at the perimeter," Bass says. Another plus: He claims the TippingPoint system has generated no false positives (that is, it hasn't incorrectly blocked any legitimate traffic), which was a concern since Bass' team had simply used the default filters without modification.
TippingPoint has also responded quickly when new threats pop up, says Jim Carpenter, manager of information technology at Alon USA, an oil refiner and asphalt producer in Dallas. In April 2005, Carpenter's team found some of its machines had been infected with a worm variant for which TippingPoint didn't yet have a filter. "We sent them some info, and in 18 hours they had signature built," he says.
Since acquiring TippingPoint in January 2005, 3Com has run it as a standalone division, based in Austin, Texas. James Hamilton, TippingPoint's president, says the 3Com deal has reassured customers that the company will be around for the long haul. "They've certainly given us some credibility in the marketplace," he says. Moreover, Hamilton says, 3Com has a global reseller channel far broader than anything TippingPoint could have developed on its own.
The Red Cross' Bass initially "had a little bit of concern" that 3Com would dilute TippingPoint's product mix, but he says "there seems to be a commitment by 3Com for new product development."
However, TippingPoint hit at least one rough patch in joining its new parent. T. Rowe Price's Davis says some TippingPoint boxes he bought last year, after the 3Com deal, arrived with bad power supplies or bad drives. "A couple of boxes they sent us were just dead," he says. Davis estimates he's had to return about 15% of the units.
A TippingPoint spokeswoman says it initially switched electronics manufacturing operations to 3Com's partners, but "we found the quality-assurance success rate to be lower." She says TippingPoint has reverted to its previous partners, which include Jabil Circuit and ModusLink.
To Davis, what's more important than a few dead-on-arrival systems is that TippingPoint listened to his concerns, and delivered replacement units the next day. "Their customer support has truly been outstanding," he says. "They're the most customer-centric company we deal with."
FQ2 2006 (ended 12/2/05): $21M
FQ1 2006 (ended 9/2/05): $17M
FQ4 2005 (ended 6/3/05): $13M
Previous operating results**
* As a division of 3Com
** Prior to the 3Com acquisition. Fiscal years ended Jan. 31; '05FYTD reflects nine-month period ended Oct. 31, 2004.
Sources: 3Com and TippingPoint reports