This article can also be found in the Premium Editorial Download "Information Security magazine: Betting the house on network anomaly detection systems."
Network anomaly detection is the newest player at the security table.
Case Study: Boyd Gaming Rolls a Winner With NADS
Few understand risk better than a casino operator. That's why Les Leonard, director of IT for Boyd Gaming, doesn't take any chances when it comes to securing his IT infrastructure. In addition to conventional layered security defenses, Leonard relies on anomaly detection to protect the $1.7 billion gaming company from zero-day attacks and insider abuse.
About a year ago, Leonard deployed Lancope's StealthWatch and the StealthWatch management console — and he soon realized that he wasn't aware of everything happening on Boyd's network. Leonard says StealthWatch helps him spot "things that are occurring that shouldn't be occurring." Recently, StealthWatch spotted and blocked a South Korean lottery company trying to use one of Boyd's Web servers as a spamming device. "That's the kind of thing it's great at," he says.
Boyd has been running StealthWatch for more than a year now, and Leonard says it has helped block the MS Blaster worm and spot unauthorized P2P applications that posed security and legal risks.
Lane Timmons, systems analyst at the Department of Health Sciences at Texas Tech University, is no stranger to anomaly detection systems either. About three years ago, he deployed Q1 Labs' QRadar. Since then, QRadar has spotted new malware attacks and anomalous employee behavior. "The zero-day thing is what I really want it for; that's when it really comes in handy," says Timmons. Recently, QRadar spotted a modified version of the SDbot worm that infected about 30 of the department's 7,500 desktops, before McAfee — Texas Tech's AV provider — had released a signature.
"It was doing anonymous enumeration on the domain controllers and locking out our accounts. We got serious about it right quick," says Timmons. "We got it before McAfee even knew about it." QRadar also proved helpful when French hackers broke into one of the university's systems to illegally swap movies. While Timmons' IDS spotted the activity, it didn't provide much in the way of details. "All the IDS did was fire off two vague alerts," says Timmons. He used QRadar to locate and shut out all of the outside systems that had used FTP to connect to the hacked system.
While anomaly detection systems have spotted new attacks, both Leonard and Timmons say the systems also help keep close tabs on employees who may be violating security policy. "You have to look at employees, too. Maybe you have employees who start doing things that they shouldn't be doing. It's good with the insider threat, which is probably the biggest threat you have," Leonard says.
"We had PC support techs not doing their job. We set up QRadar to watch their subnet and see what Web sites they were going to. The bosses like to be able to see that stuff," says Timmons.
And that's the key driver for anomaly detection systems: Security managers don't know what they don't know about the activities on their network. "It helps us in ways that we didn't anticipate, because we didn't realize all of the stuff that was going on out there," says Leonard.
George V. Hulme is a freelance security writer based in Minnesota. Send your thoughts on this article to firstname.lastname@example.org.
To some degree, network anomaly detection systems (NADS) are like Rodney Dangerfield: They get no respect in a security monitoring game that has numerous variables.
Network anomaly detection isn't exactly intrusion detection or prevention. It's not a firewall. It's not directly applicable to compliance. And, while it has the ability to automatically enforce policy, enterprises aren't really using that capability.
Vendor marketing materials promise that NADS will deliver automated profiling and tuning, zero-day exploit detection, and the ability to address events missed by traditional IDS/IPS. While enterprises aren't necessarily finding the total fulfillment of that promise, these systems have shown their value as a part of comprehensive enterprise monitoring.
In general, NADS analyze network traffic using flow records exported by routers and switches, such as Cisco Systems' NetFlow, Juniper's cFlow or any source that supports the sFlow standard; some also gather data directly from packet capture. A flow record carries only who talked to whom, on which ports and protocol, and how many packets and bytes passed, not the packet contents, so these systems are geared to spotting behavioral change (a Web server that suddenly starts sending mail, a workstation that starts touching hundreds of neighbors) rather than the exploit payload itself. They use a combination of anomaly and signature detection to alert network and security managers to suspicious activity, and present a picture of network activity for analysis and response.
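To make the flow-based approach concrete, here is an added example in Python (not code from the article or from any vendor named in it) that models the two kinds of finding the case study describes: a Web server abruptly relaying mail to outside hosts, and a workstation probing many neighbors on one port before an AV signature exists. It baselines per-host behavior from NetFlow-style records, then raises anomaly alerts for departures from that baseline and a baseline-independent, signature-style scan alert. The hosts, ports, thresholds, rule names and all flow records are constructed assumptions for illustration.

```python
"""Flow-record anomaly detection sketch: baseline per-host behaviour from
NetFlow/sFlow-style records, then flag departures from that baseline.

Every record, host address and threshold here is constructed for the
example; the rule names are assumptions, not any product's logic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # initiating host
    dst: str      # responding host
    proto: str    # "tcp" or "udp"
    dport: int    # destination (service) port
    packets: int
    octets: int


def parse_flows(text):
    """Parse whitespace-separated records: src dst proto dport packets octets."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, octs = line.split()
        flows.append(Flow(src, dst, proto, int(dport), int(pkts), int(octs)))
    return flows


def profile(flows):
    """Per source host, per service ("proto/port"): the set of distinct peers."""
    peers = defaultdict(lambda: defaultdict(set))
    for f in flows:
        peers[f.src][f"{f.proto}/{f.dport}"].add(f.dst)
    return peers


def small_flows(flows, max_packets=2):
    """Distinct peers reached with tiny flows, per (src, service).
    Scans and worm propagation leave many such flows: one probe per target."""
    counts = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            counts[(f.src, f"{f.proto}/{f.dport}")].add(f.dst)
    return counts


def detect(baseline, observed, new_service_min=5, fanout_min=20,
           fanout_ratio=10, scan_min=10):
    """Return (src, rule, service, distinct_peer_count) tuples."""
    base = profile(baseline)
    alerts = []
    for src, services in profile(observed).items():
        for service, dsts in services.items():
            seen_before = base.get(src, {}).get(service, set())
            n = len(dsts)
            if not seen_before and n >= new_service_min:
                # anomaly: this host never used this service in the baseline
                alerts.append((src, "new_service", service, n))
            elif n >= fanout_min and n >= fanout_ratio * len(seen_before):
                # anomaly: distinct-peer count far above this host's norm
                alerts.append((src, "fanout_spike", service, n))
    # signature-style rule, evaluated regardless of baseline
    for (src, service), dsts in small_flows(observed).items():
        if len(dsts) >= scan_min:
            alerts.append((src, "scan_signature", service, len(dsts)))
    return alerts


# Learning window: a workstation browsing the intranet Web server and a file
# server, and the Web server doing DNS lookups. Constructed records.
BASELINE_RECORDS = """
# src        dst         proto dport packets octets
10.0.2.20    10.0.1.5    tcp   80    40      31000
10.0.2.20    10.0.1.10   tcp   445   120     98000
10.0.1.5     10.0.1.53   udp   53    2       180
"""
BASELINE = parse_flows(BASELINE_RECORDS)

# Observation window: the same normal traffic, plus the Web server relaying
# mail to 30 outside hosts and the workstation probing 60 neighbours on
# TCP/445 with one-packet flows. Also constructed.
OBSERVED = BASELINE + [
    Flow("10.0.1.5", f"203.0.113.{i}", "tcp", 25, 30, 24000) for i in range(1, 31)
] + [
    Flow("10.0.2.20", f"10.0.2.{i}", "tcp", 445, 1, 60) for i in range(21, 81)
]


def run_example():
    return detect(BASELINE, OBSERVED)


if __name__ == "__main__":
    for src, rule, service, peers in run_example():
        print(f"{rule:15s} {src:12s} {service:8s} distinct peers={peers}")
```

Run as a script, it reports the mail relay as a new service from 10.0.1.5 and the workstation's TCP/445 burst twice: once as a fan-out anomaly against that host's own baseline and once from the baseline-free scan rule. The two paths are deliberately separate: the anomaly rules catch behavior nobody wrote a signature for, while the scan rule still fires on a host that was already noisy during the learning window, which is the usual blind spot of a purely baseline-driven detector.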
This was first published in July 2005