LexisNexis in the Security Hot SeatBy Baselinemag | Posted 2006-06-01 Email Print
Learn how LexisNexis chief information security officer Leo Cronin shored up defenses after the company was raided by data thieves.In April 2005, Leo Cronin, chief information security officer of data provider LexisNexis Group, got the kind of news that every manager in his position dreads: Personal records for 310,000 individuals had been stolen from the company's databases in 59 separate incidents.
Even bigger data thefts have hit the headlines since then, including the loss of data on 26 million U.S. veterans last month. Nevertheless, for LexisNexis, a $2.7 billion subsidiary of publishing company Reed Elsevier that provides specialized legal and business data to customers, the compromise was a potentially serious blow. Cronin, 47, says the company has taken specific steps to minimize the risk of the company's data being pilfered again.
And like other security professionals, Cronin says that what's needed is a "defense-in-depth" strategy, an industry term that refers to applying security measures ubiquitously across the computing infrastructure.
One key layer for Lexis-Nexis: Its $2 million project to deploy intrusion prevention system (IPS) appliances, which not only detect network attacks but are designed to automatically neutralize them.
Cronin spoke recently with news editor Todd Spangler.
Q: What lessons did you learn from having data on 310,000 individuals stolen?
A: The big message we took away is that we absolutely have to be concerned about our customers' environments when it comes to accessing our services. Providing a fortress around LexisNexis and making sure nobody can spearhead an attack against our data centerthat's one thing. But the fact that someone could go in and manipulate a customer's environment to steal [a password and user ID] ... to get access to our service is an issue we need to absolutely worry about.
And we are doing a lot of things within Lexis to lock that down, for example, by restricting where certain customer user IDs can be used from on the Internet. We are looking very hard at two-factor authentication systems [which require both a password and a specialized hardware device to log on to a network], very much like what banks are doing.
Q: What's a typical misconception businesspeople have about data security?
A: The assumption that it's therethat when I go out and hook my computer up to the Internet, somehow someone was thinking about safety. When in reality, where we've come from, is that nobody was thinking of safety. Microsoft was thinking about selling more Windows operating systems. The [telecommunications] carriers were interested in getting people on the Internet. And at the end of the day, I don't think anyone was really thinking about the safety aspect of it.
Business executives can get better educated on the real risks associated with the cyber world. Nothing against them, just that they have not grown up with it and they are not technically savvy. Their perception is, "OK, I've bought millions and millions of dollars of computer assets. Somewhere in there should have been a safety net."
Q: Your group rolled out 80 intrusion prevention systems over the past three years. What do those do for you?
A: Part of the problem we're trying to solve is, we were trying to keep up with patching the technical environment and keeping antivirus software up-to-date on the desktop. But it's difficult to play catch-up when so many exploits are being introduced at a rapid pace. What our appliances from TippingPoint [a unit of 3Com] do for us is provide the shield, a level of protection in a layered approach to security, so if one part fails on the client, we can rely on the devices to stop the traffic on the network.
Q: How did you initiate the project?
A: We were seeing a high rate of viruses and worms coming in, mainly from the Internet but also from our remote access points. In mid-2003a year that was pretty pervasive from a virus/worm perspectivewe decided to start looking at these IPS devices.
We said, rather than trying to put IPS devices all over the cloud [the enterprisewide network], let's just put one between our remote access network and our enterprise network. That way, if people get infected on our remote access network, they will not bridge over to the enterprise network, which is really the problem we were trying to solve.
Q: So what were the results?
A: As soon as we did it, we saw some immediate benefits. The viruses were not traversing the remote access cloud to our enterprise network, and it wasn't really affecting legitimate traffic, which I think is the big concern people have because TippingPoint is an in-line device [one that sits directly on the network and controls the flow of data, as opposed to passively monitoring activity].
After we implemented across LexisNexis in 2004, we made IPS a standard control for anti-malware defense throughout the rest of Reed Elsevier and implemented it in some very tactical places over the next 18 months.
Q: What did that cost?
A: Approximately $2 million over a three-year period. ... To give you some perspective, for Reed Elsevier worldwide in 2003, we were experiencing on the order of $1.5 million to $2 million of operational expense associated with viruses and worms, meaning the time to fix as well as the downtime costs for lost productivity.
In 2004, when we started deploying the IPSs, we got it down to $500,000. And in 2005, we had less than $5,000 in losses attributable to viruses and worms.
Q: What was that $5,000 from?
A: That was some minor outbreaks at our Pacific Rim offices. We're not expecting costs to be zero. But definitely, getting it down to local containment and then just the time and materials to clean it up is pretty good.
Q: What should information-technology vendors do to strengthen security?
A: If you really looked at it from a supply-chain perspective, the operating system vendors and the infrastructure vendors would build to a safety standardjust like UL [product-compliance testing company Underwriters Laboratories] does for a lampand put those basic controls in place, so that we prevent people from getting burned. Then there would be less need for supplemental security staff and services.
For more on Lexis-Nexis, see the CIOInsight case study Lexis-Nexis: Ground Zero for War vs. Data Thieves