By Baselinemag  |  Posted 2006-05-15

Security managers need cutting-edge technologies to get a 30,000-foot view of their operations—and to wage the ongoing battle against network attacks.


2. End-Point Security

Tom Moser vividly recalls the instant he knew he needed better security on his desktop computers.

It was February 2004. Moser, manager of information-technology services at $1.8 billion industrial equipment maker Westinghouse Electric, discovered that 103 PCs and 42 servers—out of 8,000 machines total, worldwide—had been infected with a variant of the MyDoom worm, a self-propagating piece of code programmed to delete files.

Unfortunately, Moser and his team discovered the outbreak 20 minutes after the worm had hit.

In assessing the damage, Moser found that the worm had randomly deleted 9.3 million files, affecting a total of 1.4 terabytes of data at 24 locations. None of the data was lost, according to Moser, since it was backed up. But productivity losses were huge: He estimates the Monroeville, Pa.-based company lost 11,000 engineering hours because servers were down. It took his 60-person I.T. team 1,300 hours to clean up and restore all of the deleted files.

Moser immediately began looking for a way to keep a worm from taking down his systems again. In March 2004, he brought in an end-point security system from Cisco Systems, which had obtained the technology by acquiring a startup, Okena, the year before. In the fall of 2004, Westinghouse began a trial implementation of the Cisco Security Agent (CSA) software.

The product took a fair amount of tuning. Moser says that initially, CSA generated 30,000 alerts in a single day for the few hundred machines in the trial deployment. That's because it wasn't set up to distinguish between desktop software that was allowed (like antivirus scanning packages or remote-management software) and unauthorized spyware that might be trying to steal a password. Without being told otherwise, CSA assumed it was all malicious code. "You could have a lot of things running on your machine that break a policy," Moser says. By "tweaking the CSA rules"—that is, by telling the software which exceptions to disregard—his team was able to filter down to just one critical alert every couple of days.
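The tuning Moser describes is, in essence, building an exception list: behaviour that a host-based policy flags but that known, authorised software is expected to exhibit. The following is an added illustration, not code from the article or from Cisco's CSA; the rule names, executable paths and alert volumes are constructed. It shows the two halves of that work: finding the (process, rule) pairs that fire across many hosts so an analyst can review them, then filtering the alert stream with the approved exceptions so that the one unknown binary behaving the same way is what remains.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    process: str   # executable that triggered the rule
    rule: str      # behavioural policy rule it tripped
    severity: str


# Constructed sample data: hypothetical paths and rule names, not CSA's own.
AV_SCANNER = r"C:\Program Files\ExampleAV\scan.exe"
REMOTE_MGMT = r"C:\Program Files\ExampleRM\agent.exe"
UNKNOWN = r"C:\Users\Public\unknown.exe"


def build_sample_alerts(n_hosts: int = 50) -> list:
    """Every host runs the AV scanner and the remote-management agent, and
    both trip a policy rule. One host also has an unknown binary that does
    the same two things. Entirely constructed data."""
    alerts = []
    for i in range(n_hosts):
        host = f"pc-{i:03d}"
        alerts.append(Alert(host, AV_SCANNER, "read_all_files", "critical"))
        alerts.append(Alert(host, REMOTE_MGMT, "inject_into_process", "critical"))
    alerts.append(Alert("pc-007", UNKNOWN, "inject_into_process", "critical"))
    alerts.append(Alert("pc-007", UNKNOWN, "read_all_files", "critical"))
    return alerts


def exception_candidates(alerts, min_hosts: int) -> list:
    """(process, rule) pairs seen on at least min_hosts distinct hosts.
    These are candidates for an analyst to review and, if the software is
    legitimate, turn into policy exceptions. Volume alone proves nothing:
    the review step is deliberately not automated here."""
    hosts_by_pair = defaultdict(set)
    for a in alerts:
        hosts_by_pair[(a.process, a.rule)].add(a.host)
    return sorted(pair for pair, hosts in hosts_by_pair.items()
                  if len(hosts) >= min_hosts)


def triage(alerts, exceptions) -> list:
    """Drop alerts whose (process, rule) pair is an approved exception.
    The exception is keyed on the exact pair, so the same rule fired by an
    unlisted process still surfaces."""
    return [a for a in alerts if (a.process, a.rule) not in exceptions]


def alert_counts(alerts) -> Counter:
    """Alert volume per (process, rule) pair, for a before/after comparison."""
    return Counter((a.process, a.rule) for a in alerts)


if __name__ == "__main__":
    raw = build_sample_alerts()
    candidates = exception_candidates(raw, min_hosts=10)
    approved = set(candidates)   # in practice, only after analyst review
    kept = triage(raw, approved)
    print(f"{len(raw)} raw alerts, {len(kept)} after exceptions")
    for a in kept:
        print(a)
```

With 50 hosts the constructed run produces 102 alerts; the two fleet-wide pairs become exceptions and the two alerts from the unknown binary are all that reaches the analyst. Keying exceptions on the full (process, rule) pair rather than on the rule alone is the point: a blanket exception for "inject_into_process" would have silenced the unknown binary as well.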

By March 2005, Westinghouse had CSA fully deployed. "So far, it's saved our butt a couple of times," Moser says. For example, none of the Zotob worms that affected many organizations in August 2005 disrupted Westinghouse's network. However, network activity jumped about tenfold, meaning Zotob was trying to spread itself through the network but was being blocked by the Cisco software. "CSA stopped it cold," Moser says.

Still, Moser doesn't believe he's done: "This isn't the last software we'll install. There are lots of different vectors a virus can use to enter your network."

Meanwhile, the Kern Schools Federal Credit Union (KSFCU) in Bakersfield, Calif., also decided to put in an end-point control system "out of necessity," says Chris Hanson, information-technology project manager.

The credit union, which has 140,000 members and $1.1 billion in assets, operates about 600 desktops and 200 servers in 15 locations. Often, visitors to its offices plug in their laptops. Two years ago, a vendor whose machine was infected with a virus brought down much of the rest of KSFCU's network. "We got burned," Hanson says.

Traffic Sniffer

After that incident, the credit union decided to deploy Mirage Networks' Network Access Control, a network-attached appliance that sniffs traffic and figures out who's allowed to be there—and who's not. Hanson defined the addresses of the machines that are allowed on the network; if a computer is transmitting traffic that's not authorized, the Mirage system communicates with the network switch that computer is attached to and blocks access.
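The mechanism described above reduces to an allowlist of device addresses, a decision per source, and a block action addressed to the switch port the offending device sits on. The following is an added example, not code from the article or from Mirage Networks; the switch names, MAC and IP addresses and the traffic sample are constructed. It goes slightly beyond the article in two ways: it also flags a known address that appears with a different IP than it was assigned, and it has a monitor mode that only logs decisions, which is the usual way to address the concern Hanson raises later about locking out a legitimate user before the allowlist is complete.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    switch: str
    port: int
    src_mac: str
    src_ip: str


# Constructed allowlist: device MAC -> the IP that device is expected to use.
AUTHORIZED = {
    "00:11:22:33:44:01": "10.1.0.11",
    "00:11:22:33:44:02": "10.1.0.12",
    "00:11:22:33:44:03": "10.1.0.13",
}

# Constructed traffic sample: two authorised hosts, an unlisted laptop on
# sw1 port 7, and a known device on sw2 port 3 using another host's address.
SAMPLE_FRAMES = [
    Frame("sw1", 1, "00:11:22:33:44:01", "10.1.0.11"),
    Frame("sw1", 2, "00:11:22:33:44:02", "10.1.0.12"),
    Frame("sw1", 7, "de:ad:be:ef:00:01", "10.1.0.99"),
    Frame("sw1", 7, "de:ad:be:ef:00:01", "10.1.0.99"),
    Frame("sw2", 3, "00:11:22:33:44:03", "10.1.0.11"),
]


def classify(frame, authorized):
    """Return None for a frame from an authorised device, else the reason
    it should not be on the network."""
    expected_ip = authorized.get(frame.src_mac)
    if expected_ip is None:
        return "unknown device"
    if expected_ip != frame.src_ip:
        return "known device using another host's address"
    return None


def evaluate(frames, authorized, mode="monitor"):
    """Make one decision per switch port. In monitor mode the decisions are
    only logged; in enforce mode they are also returned as (switch, port)
    block actions to hand to the switch. Returns (log_lines, block_actions).
    """
    if mode not in ("monitor", "enforce"):
        raise ValueError(f"unknown mode: {mode}")
    decisions = {}
    for f in frames:
        reason = classify(f, authorized)
        if reason is not None:
            # First offending frame on a port decides it; later ones are dupes.
            decisions.setdefault((f.switch, f.port), (f.src_mac, reason))
    log = [f"{sw} port {port}: {mac} flagged: {reason}"
           for (sw, port), (mac, reason) in sorted(decisions.items())]
    actions = sorted(decisions) if mode == "enforce" else []
    return log, actions


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        log, actions = evaluate(SAMPLE_FRAMES, AUTHORIZED, mode)
        print(f"--- {mode} ---")
        print("\n".join(log))
        print("block actions:", actions)
```

Running the allowlist in monitor mode first and reading the log for a few days is how an operator finds the legitimate devices that were left off the list before a single port is shut. Decisions are made per switch port rather than per frame so that a chatty unauthorised device produces one action, not one per packet, and the address-mismatch check catches a listed device that has been given, or has taken, an address belonging to another host.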

What's the advantage of an in-the-network approach for end-point security? "We don't need an agent sitting on the desktop, or to make sure it's updated," Hanson explains.

Initially, Hanson was wary about turning on a security system that would actively block network traffic—the danger, he felt, was that it could deny access to a legitimate business user if the Mirage device weren't configured properly. "It was a learning curve, because there was the fear of the unknown," he says.

The project has strengthened KSFCU's security measures to control access from systems directly connected to the organization's network, according to Hanson. "Internal security was our weak point," he says. "Now, we've really buttoned that up."
