Home > Information Security Magazine > Features > A Safe Bet?
EMAIL THIS LICENSING & REPRINTS
Information Security Magazine

  CURRENT ISSUE  
  FEATURES  
  COLUMNS  
  HOT PICK & PRODUCT REVIEWS  
  ARCHIVES  
  SUBSCRIBE/RENEW  
  

A Safe Bet?
by Paul Proctor
Issue: Aug 2005
printer-friendly
licensing & reprints
< PREV PAGE   |   1  |   2  |   3  |   4  |   NEXT PAGE  >
TECHKNOWLEDGE
Network anomaly detection is the newest player at the security table.
Case Study: Boyd Gaming Rolls a Winner With NADS

Few understand risk better than a casino operator. That's why Les Leonard, director of IT for Boyd Gaming, doesn't take any chances when it comes to securing his IT infrastructure. In addition to conventional layered security defenses, Leonard relies on anomaly detection to protect the $1.7 billion gaming company from zero-day attacks and insider abuse.

About a year ago, Leonard deployed Lancope's StealthWatch and the StealthWatch management console — and he soon realized that he wasn't aware of everything happening on Boyd's network. Leonard says StealthWatch helps him spot "things that are occurring that shouldn't be occurring." Recently, StealthWatch spotted and blocked a South Korean lottery company trying to use one of Boyd's Web servers as a spamming device. "That's the kind of thing it's great at," he says.

Boyd has been running StealthWatch for more than a year now, and Leonard says it has helped block the MS Blaster worm and spot unauthorized P2P applications that posed security and legal risks.

Lane Timmons, systems analyst at the Department of Health Sciences at Texas Tech University, is no stranger to anomaly detection systems either. About three years ago, he deployed Q1 Labs' QRadar. Since then, QRadar has spotted new malware attacks and anomalous employee behavior. "The zero-day thing is what I really want it for; that's when it really comes in handy," says Timmons. Recently, QRadar spotted a modified version of the SDbot worm that infected about 30 of the department's 7,500 desktops, before McAfee — Texas Tech's AV provider — had released a signature.

"It was doing anonymous enumeration on the domain controllers and locking out our accounts. We got serious about it right quick," says Timmons. "We got it before McAfee even knew about it." QRadar also proved helpful when French hackers broke into one of the university's systems to illegally swap movies. While Timmons' IDS spotted the activity, it didn't provide much in the way of details. "All the IDS did was fire off two vague alerts," says Timmons. He used QRadar to locate and shut out all of the outside systems that had used FTP to connect to the hacked system.

While anomaly detection systems have spotted new attacks, both Leonard and Timmons say the systems also help keep close tabs on employees who may be violating security policy. "You have to look at employees, too. Maybe you have employees who start doing things that they shouldn't be doing. It's good with the insider threat, which is probably the biggest threat you have," Leonard says.

"We had PC support techs not doing their job. We set up QRadar to watch their subnet and see what Web sites they were going to. The bosses like to be able to see that stuff," says Timmons.

And that's the key driver for anomaly detection systems: Security managers don't know what they don't know about the activities on their network. "It helps us in ways that we didn't anticipate, because we didn't realize all of the stuff that was going on out there," says Leonard.

George V. Hulme is a freelance security writer based in Minnesota. Send your thoughts on this article to feedback@infosecuritymag.com.

To some degree, network anomaly detection systems (NADS) are like Rodney Dangerfield: They get no respect in a security monitoring game that has numerous variables.

Network anomaly detection isn't exactly intrusion detection or prevention. It's not a firewall. It's not directly applicable to compliance. And, while it has the ability to automatically enforce policy, enterprises aren't really using that capability.

Vendor marketing materials promise that NADS will deliver automated profiling and tuning, zero-day exploit detection, and the ability to address events missed by traditional IDS/IPS. While enterprises aren't necessarily finding the total fulfillment of that promise, these systems have shown their value as a part of comprehensive enterprise monitoring.

In general, NADS are designed to analyze network traffic with data gathered from protocols like Cisco Systems's NetFlow, Juniper's cFlow or sources that support the sFlow standard. Data is correlated directly from packet analysis; and the systems use a combination of anomaly and signature detection to alert network and security managers of suspicious activity, and present a picture of network activity for analysis and response.
< PREV PAGE   |   1  |   2  |   3  |   4  |   NEXT PAGE  >




TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts