How to be a survivor

When bad things happen to good networks – and no enterprise is immune from attacks on its IT infrastructure – how the good guys fight back can make or break the company's ability to survive. Mark Schaefer, infosec manager at health product firm Edwards Lifesciences, and Jim Carpenter, IT manager at marketing and oil refining company ALON USA, which operates more than 160 Fina convenience stores in the US, can tell you all about it from first-hand experience.

After both men's IT infrastructures were hit by distributed denial of service (DDoS) attacks, the assaults temporarily shut down network resources critical to running their firms' businesses. They responded not only by deploying new security technologies. but by implementing policies that will help their systems to fend off attacks in the future.

Those types of strategies are crucial to ensuring the ongoing health and welfare of any enterprise infrastructure in this era of ever-present danger. According to security experts, bad things are bound to happen. But how IT and security staff managing those systems respond to attacks, and the lessons they learn, are critical elements in successfully protecting their systems moving forward.

To the rescue

After Carpenter had tested, then rejected and even re-packaged TippingPoint's intrusion protection system (IPS), the device came to ALON USA's rescue during a network shutdown. "We had a situation where nothing was working on our network due to overloaded traffic," recalls Carpenter.

"We pulled [the TippingPoint IPS] back out of the box" and re-deployed it, he says. "It figured out what was going on and eliminated the problem. It turned out to be a DDoS attack – we never quite pinned down exactly what caused it."

Carpenter did learn a valuable lesson from the attack, though: "You have to keep up to date on the security patches from Microsoft for Exchange and your desktop operating systems."

He now has policies in place to ensure that every machine is patched, a key factor in the effort to keep his network free of malware and its impact.

Similarly, when the Blaster worm entered Edwards Lifesciences' network via a foreign worker's laptop, Schaefer discovered that "corporate perimeter defences" offer insufficient protection against threats. "You need to look at all entry points. Ultimately, the desktop is where you're compromised," he says.

The attack left Edwards Lifesciences, a developer of biomedical devices for the treatment of advanced cardiovascular disease, without sufficient network resources to handle its manufacturing for almost two days. In response, Schaefer deployed two products, Check Point's Integrity desktop firewall software and a patch-management solution from Altiris that ensures Edwards' systems are updated when necessary.

He says his intrusion detection system (IDS) helped to mitigate some of the effects of the attack, but not all. But backtracking through the box's logs showed Schaefer the source of the exploit – that foreign worker's notebook – and pointed the way towards a solution.

Beware of holes

Not every enterprise infrastructure has an open "hole" that can be exploited, of course. But as the above examples illustrate, worms, trojans, and other forms of malware pose a ongoing threat to virtually any corporate network.

So security managers are increasingly turning to the IPS, the IDS's more sophisticated cousin, to help protect their organisation against the many exploits making the rounds. Unlike the IDS, which is a passive device that merely collects security event data, the IPS can take proactive steps to halt attacks based on abnormal network activity or pre-defined signatures.

They are moving to the IPS for several reasons, not the least of which is the mind-boggling volume of data which an IDS generates and the problems associated with decoding the information.

John Loyd, vice president and director of IT at Patton Harris Rust & Associates (PHR&A), a US consulting engineering firm, says that he turned his company's two IDSs off in early 2004 because they were generating "too much information".

"They just weren't telling us anything meaningful or actionable," he recalls. "They were just overwhelming us with information."

Loyd admits that if his network was larger – it is composed of about 30 servers and 370 or so PCs – he might well have deployed an IPS rather than the threat-mitigation tack he took which was to install SecureWave's Sanctuary Application Control product.

Sanctuary creates a "white list" of approved executables and stops others from executing. Loyd says it gives him "more bang for the buck" than an IPS in his environment.

It provides Loyd's team with the ability to keep unauthorised software from running within PHR&A's geographically dispersed network, he explains, adding that he turned to Sanctuary because it "gives us environmental control to keep only authorised applications working". Anything else simply won't run on the PHR&A network.

Effective management

Loyd's experience notwithstanding, the IPS and IDS both have their places in corporate security environments. IT managers must learn how to manage them effectively, according to those we talked with.

Take IPS, which is gradually supplanting the IDS as the perimeter security device of choice. Many enterprises first use them as an IDS, just collecting information about the status of their network. They then gradually turn on the IPS's intrusion-protection functionality after they have developed a baseline picture of what is "normal" on their network.

That is exactly the tack that Joe Adams, director of IT at Nuclear Fuels Corp. (NFC), took when he deployed StillSecure's StrataGuard IPS to monitor and protect the systems he manages for six divisions of General Atomics, NFC's parent company. He used the device in passive mode for "about two years" before using its active deterrent capabilities in early 2004.

He waited because "I wanted to ensure it wasn't blocking justified traffic," he says. He was concerned that the box, if improperly configured, would degrade performance for his end users or block partners' access to the IT resources of NFC, which markets uranium fuel rods used by electricity-generating nuclear reactors.

Adams insists that he has not changed his attitude about waiting, even after using it for nearly two years in IPS mode. "Patience, especially in security products, is a virtue," he says.

"Experience is supposed to teach you something, and my experience has been that, if you deploy a new security product without full testing, then the transition is rockier than when you spend some time in the IT department properly testing prior to deployment."

Many enterprises fail to use the IPS effectively, believes Sanjay Beri, director of product management for Juniper Networks. Many IPSs work at layer four in the OSI model, "Just looking for patterns in bit streams," he says.

An IPS must be "application aware," however, or it will generate false positive intrusion alerts, he adds.

In addition, Beri believes that IT managers must "look at the vulnerability as well as the attack" when relying on an IPS. "Make sure the IPS goes after the vulnerability itself – the baseline issue."

Know thy own network

One of the lesser-known issues for an IT staff in keeping its enterprise systems safe is developing in-depth knowledge about its own infrastructure, comments Mike Paquette, vice president of product management for Top Layer Networks.

"Keep in mind that every vendor has the same problem: we have to develop products good enough for 80 per cent of the customer base."

That means IT personnel "should internalise the knowledge gained from a break in to pinpoint the precise nature of the malicious activity on their own systems," he explains. If an attack hits an IIS web server or a custom-configured Siebel CRM platform, for instance, discover the specific nature of the vulnerability it exploited, then resolve those issues and configure the IPS to stop the "signature" of those attacks, he advises.

Finally, the days of "if it ain't broke, don't fix it" are gone, says André Gold, director of information security at Continental Airlines, referring to the wide array of supposedly stable (that is, impregnable) devices found on an enterprise network. Although they may appear to be passive devices, network-based printers, in particular, are anything but dormant devices anymore, he warns.

"They're taking on more and more features, and are actually running applications that are vulnerable," making them a potential liability risk, he says.

"You have to have a strategic remediation process of how to upgrade new versions of software for all devices – they are vulnerable now."