When George Washington University in Washington D.C. tried to get students and system administrators to install host-based security, it had mixed results. While the campaign led to an enhanced security posture, it made it harder to audit for vulnerabilities. Personal firewalls would block scans by tools used by GWU, such as Nessus.
GWU needed a new way to uncover vulnerabilities in an extremely mixed environment: a hodgepodge of IT systems on a range of platforms, including Windows, Linux, Solaris and Novell, for some 30,000 students and staff.
"We needed a creative solution," says Amy Hennings, assistant director of information security at GWU.
What they wanted was a vulnerability-assessment tool to perform passive scanning of the network, so they tested three solutions. One did not scale enough and crashed, another just didn't perform well. The third passed with flying colors: NeVO from Tenable Network Security.
This tool continuously monitors network traffic and detects whether an application is compromised or if an internal system begins to port scan other systems, tracks which systems communicate with internal systems, identifies new services listening on existing servers and determines the type of operating systems running on active hosts. "It gave us a better overall picture," says Hennings.
GWU installed two of the sensors, covering nearly all of the traffic flowing in and out of the university IP space.
Before implementing the new system, GWU found it hard to develop security plans because the IT environment changes every fall when students and faculty return and bring in new systems. The new system lets them know what they're dealing with, such as how many systems are running Windows XP, Linux or Windows 98, and the types of internet browser software.
NeVO's continuous scanning provides a real-time view into the environment. "We wanted constant, up-to-the minute information," says Hennings.
The tool also works as a check on GWU's change-management system, adds Hennings, spotting, for example, if a new system pops up in the datacenter."
GWU uses NeVO in conjunction with Tenable's Lightning Console, which collects and consolidates the data produced by it and the university's intrusion-detection and prevention systems.
The combination has had an unexpected benefit in transforming GWU's incident-response process, says Hennings: "It gave us an picture of the events leading up to an alert. We could track back all the connections to and from that system to get an idea of what happened." One time, a worm outbreak was traced back to a contractor who had brought a laptop infected with a worm onto campus.
The console also aids remediation efforts by allowing IT staff to separate vulnerability data and send it out to departmental systems administrators, who can then take action on problems affecting their area.
The use of passive scanning for vulnerability assessment is fairly new, according to Amrit Williams, analyst at market-research firm Gartner. Some vendors perform passive scanning to look for anomalous network behavior and identify threats, but not vulnerabilities, he says.
The traditional active vulnerability assessment scanners cannot find any real-time changes unless they have an agent on the system, he says: "They won't find changes until they come back around and scan it again."
Passive scanners do have a downside: they "can't actually find anything until something occurs," says Williamson. "If I never use the IIS [Internet Information Services – Microsoft's web server] service, it's going to be difficult for a passive scanner to know I'm running IIS," he says.
Gartner recommends companies use passive vulnerability scanning in conjunction with an active scanner.
As for GWU, the next step is developing cutting-edge correlation techniques for security events, says Hennings.